On Thu, Jul 3, 2008 at 7:37 PM, Krishgy <[EMAIL PROTECTED]> wrote:
> Currently we expose the database tables primary key value in the URL.
>
> For example, to display the User profile, I use
> www.example.com/profile/view/12345
> where profile is my controller and view controller function and 12345
> is actually user id (table: profile, column: uid).
>
> Is this recommended approach? How secure is this?
There are two issues. One, does it contain special characters
(HTML/url markup, filesystem separator, etc.)? Most IDs are numeric or
restricted to Python "identifier" characters ([A-Za-z_-]), so while
you're checking it for validity you're simultaneously guaranteeing it
doesn't contain troublesome characters. Numeric IDs are especially
easy: 'if not id.isdigit(): abort(404, "Invalid ID")'.
The other issue is, does it matter if the public sees the ID? That
depends on the application. In two apps I have running, there's
nothing secret about the IDs; we don't mind if the user types the URL
for convenience rather than going through all the screens and clicks.
The only reason we don't promote it is users would get confused
("what's this meaningless number for? does it have meaning outside
your agency?"). If the IDs were user-specific, such as bank account
numbers, then there may be a reason to disguise them.
--
Mike Orr <[EMAIL PROTECTED]>
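Added example, not from Mike's message or the Pylons code base: a plain-Python version of the two checks above for a `/profile/view/<id>` action, using a stand-in `HTTPError` for Pylons' `abort()` and a constructed in-memory profile table. It also shows why `str.isdigit()` alone is looser than it looks, and why a guessable ID means the record's own visibility rules, not ID secrecy, decide access.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Stand-in for pylons' abort(): raising this plays the role of an HTTP error.
class HTTPError(Exception):
    def __init__(self, status: int, detail: str) -> None:
        super().__init__(f"{status} {detail}")
        self.status = status

# Only ASCII digits, bounded length. str.isdigit() also accepts superscripts
# and other Unicode digits ('²', '٣'); int() rejects some and converts others.
_ID_RE = re.compile(r"^[0-9]{1,18}$")

def parse_profile_id(raw: str) -> int:
    """Validate the id path segment and return it as an int, else 404."""
    if not _ID_RE.match(raw):
        raise HTTPError(404, "Invalid ID")
    return int(raw)

@dataclass(frozen=True)
class Profile:
    uid: int
    owner: str
    public: bool

# Constructed sample rows standing in for the `profile` table (uid column).
PROFILES = {
    12345: Profile(12345, "alice", True),
    12346: Profile(12346, "bob", False),
}

def view_profile(raw_id: str, current_user: Optional[str]) -> Profile:
    """Controller action for /profile/view/<id>."""
    uid = parse_profile_id(raw_id)
    profile = PROFILES.get(uid)
    # A private record is answered exactly like a missing one, so guessing
    # IDs does not reveal which rows exist.
    if profile is None or (not profile.public and profile.owner != current_user):
        raise HTTPError(404, "No such profile")
    return profile

def http_status(raw_id: str, current_user: Optional[str]) -> int:
    """Status code the action would send for this request (200 or the error)."""
    try:
        view_profile(raw_id, current_user)
        return 200
    except HTTPError as err:
        return err.status
```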