Josh Berkus <josh@agliodbs.com> writes:

> Mark, Nathan,
>
> I'm moving this over to the PGSQL-SQL list, away from -hackers, as it's no
> longer a -hackers type discussion. Hope you don't mind!
>
> > On Wed, Sep 07, 2005 at 11:31:16AM -0700, Josh Berkus wrote:
> > > I'm also a little baffled to come up with any real application where
> > > making an id number for most tables "unguessable" would provide any
> > > kind of real protection not far better provided by other means. For
> > > your "users" table, sure, but that's a very special case.
> >
> > It should never be the sole means of defense, however, it can be quite
> > effective at prevention.
> >
> > For a rather simple example, consider a site that associates a picture
> > with each member. If the pictures are named 1.jpg, 2.jpg, 3.jpg, etc.
> > it makes it ridiculously easy to write a script to pull all of the
> > pictures off the site. This can be bothersome, as the only type of
> > person who would do this is the type of person with an illegitimate
> > motivation. I want the data to be easily and freely accessible as
> > specific objects, but I do not wish to provide an easy way of
> > dumping all of the data as a unit.
Of course you could have just done the same thing using an HMAC (or a simple
hash like crypt) and not had to store an extraneous meaningless piece of
information in your database.

-- 
greg

---------------------------(end of broadcast)---------------------------
TIP 6: explain analyze is your friend
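As an added illustration of the keyed-hash approach Greg mentions (this is example code written for this page, not code from Greg, Josh or PostgreSQL): a sequential id is kept in the database as-is, and the "unguessable" part of the URL is an HMAC over that id computed on the fly, so nothing extra is stored and the id can be recovered from the URL by recomputing and comparing the tag. The `/pictures/<id>-<token>.jpg` path shape and the demo key are assumptions made for the example; a real deployment would load the key from a secrets store, not from the same database the ids live in.

```python
import hashlib
import hmac
import re

# Constructed demo key for this example only. In practice the key comes
# from a secrets store or the environment, never from the database row.
SECRET_KEY = b"constructed-demo-key-not-for-production"

# Path shape assumed for this example: /pictures/<id>-<token>.jpg
_PATH_RE = re.compile(r"^/pictures/(\d+)-([0-9a-f]{32})\.jpg$")


def make_token(record_id: int, key: bytes = SECRET_KEY) -> str:
    """Derive a 128-bit token from a sequential id with HMAC-SHA256.

    Nothing is stored beside the id: the token is recomputed from id + key
    on demand, and without the key the token for id+1 cannot be derived
    from the token for id.
    """
    mac = hmac.new(key, str(record_id).encode("ascii"), hashlib.sha256).digest()
    return mac[:16].hex()  # truncate to 128 bits to keep the URL short


def public_path(record_id: int, key: bytes = SECRET_KEY) -> str:
    """Build the URL path handed out for a record."""
    return f"/pictures/{record_id}-{make_token(record_id, key)}.jpg"


def resolve_path(path: str, key: bytes = SECRET_KEY):
    """Return the record id if the path carries a valid token, else None.

    The tag is recomputed server-side and compared in constant time, so a
    request that pairs a neighbouring id with a copied or guessed token is
    rejected rather than served.
    """
    m = _PATH_RE.match(path)
    if m is None:
        return None
    record_id = int(m.group(1))
    expected = make_token(record_id, key)
    if not hmac.compare_digest(expected, m.group(2)):
        return None
    return record_id


if __name__ == "__main__":
    p = public_path(42)
    print(p, "->", resolve_path(p))
```

Two points worth noting for anyone adopting this: the token only protects against enumeration, not against a user who has a valid link sharing it, so it complements rather than replaces access control (as the quoted text itself says); and because the token is a pure function of the id and key, rotating the key invalidates every previously issued URL, which is the price of not storing anything.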