On Thursday 10 March 2011 11:45:27 am Reindl Harald wrote:
> Am 10.03.2011 18:10, schrieb mos:
> > I am building a web application that uses MySQL 5.5 with Innodb tables
> > and I don't want the user to see the actual primary key value on the web
> > page. The primary key could be the cust_id, bill_id etc and is usually
> > auto increment. This primary key can appear in the url and will be used
> > to pull up a record and display it on the web page.
> > 
> > So I need some efficient way of 'cloaking' the real primary key so a
> > hacker won't try to generate random values to access info he shouldn't
> > have access to. How do most web sites handle this?
> 
> the most sites will handle this by checking permissions
> security by obscurity is simple crap
> 
> if i have access to record 738 and get z39 by changing the url
> your application is simply broken

I think the original poster knows/suspects his application is broken and that's 
why he's asking.

I think he has a case where he allows a user to edit their own records and 
doesn't have the ability to require a username/password from them.

I have a similar situation.  What I do is store a random number in their 
record, which I also include in the url.  Access to the record is gained by 
the combination of id, and tag.  Just a thought.


-- 

Take care and have fun,
Mike Diehl.
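
Added example, not part of the original message or the poster's code: a sketch of the id + random tag lookup described above. It assumes a hypothetical `customer` table with a `tag` column and a `/customer` URL, and uses an in-memory SQLite database in place of MySQL so it runs stand-alone.

```python
import hmac
import secrets
import sqlite3

def open_db():
    # Hypothetical schema: the auto-increment key plus a per-record random tag.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE customer ("
        " cust_id INTEGER PRIMARY KEY AUTOINCREMENT,"
        " name TEXT NOT NULL,"
        " tag TEXT NOT NULL)"
    )
    return db

def create_record(db, name):
    # 128 bits from the OS CSPRNG, so the tag cannot be guessed from the id.
    tag = secrets.token_urlsafe(16)
    cur = db.execute(
        "INSERT INTO customer (name, tag) VALUES (?, ?)", (name, tag)
    )
    db.commit()
    return cur.lastrowid, tag

def record_url(cust_id, tag):
    # Hypothetical URL layout: both values travel together in the link.
    return f"/customer?id={cust_id}&tag={tag}"

def fetch_record(db, cust_id, tag):
    """Return the record only when id AND tag match, otherwise None."""
    try:
        cust_id = int(cust_id)
    except (TypeError, ValueError):
        return None
    if not isinstance(tag, str):
        return None
    row = db.execute(
        "SELECT cust_id, name, tag FROM customer WHERE cust_id = ?",
        (cust_id,),
    ).fetchone()
    # Unknown id and wrong tag give the same answer, and the tag is
    # compared in constant time.
    if row is None or not hmac.compare_digest(row[2].encode(), tag.encode()):
        return None
    return {"cust_id": row[0], "name": row[1]}
```

The resulting link works like a password: anyone who obtains it (browser history, proxy or server logs, a forwarded mail) gets the record, so the tag should be long, random and replaceable per record.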
