> > Subject says it all. How bad is it to use links like
> > http://.../myproject/news/view.do?id=1356
> >
> > where id is the real id of the DB row. I have tried to get around this by
> > caching the result in a list and showing indexes.
> > But that looks like it is going to be hard to maintain. If a user opens
> > two search windows, the whole result set gets
> > mixed maxed. The only way to prevent this (the way I see it) is to use a
> > unique id for each result list.
> >
> > any comments....
> >
> > Thank you in advance for replies.
>
> It's not bad to use ids in links unless you allow the user to do something
> with that information.

The way I do it is like this. The Action retrieves the "id." The first thing would be to make sure the user is allowed to use that id and, if not, either redirect them or change it to an id they can use. This way you are sure that it will never be used in an inappropriate manner.
Consider the case where you have /editEmployee?id=234

Security should keep non-logged-in members away from the page altogether (external model). Then, in the action, make sure they are an admin and can use any id or, if they are a regular user, make sure that the id is their own id, and if not, change the id to the logged-in user id or redirect them.

That pretty much sums up the logic you need to do.

Dan

--
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Daniel Allen, <[EMAIL PROTECTED]>
http://www.mojavelinux.com/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The idea of implementing a serious complex set of business logic rules in a
scripting language like Perl really scares me. Perl is too much 'write
once, read never again'. And that's no good for business logic that
requires maintenance.
- voostind
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
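The check Dan describes for /editEmployee?id=234, written out as an added example (this is not code from the thread or from Struts). It is plain Java with no servlet or Struts dependencies so it runs stand-alone; the `User`, `Result` and `Decision` types are hypothetical stand-ins for whatever the real application keeps in the session, and mapping a DENY to an actual redirect is left to the Action that calls it. The id parameter is parsed defensively first, since a raw request value may not be a number at all.

```java
import java.util.Optional;
import java.util.Set;

/**
 * Added example: authorize the "id" request parameter against the logged-in
 * user before an Action uses it. Rule from the message above:
 *   no session          -> deny (caller redirects)
 *   admin               -> any id is fine
 *   regular user        -> only their own id; otherwise substitute their own id
 */
public class EmployeeIdAuthorizer {

    /** Hypothetical stand-in for the principal stored in the session. */
    public static final class User {
        final long id;
        final Set<String> roles;
        User(long id, Set<String> roles) { this.id = id; this.roles = roles; }
        boolean isAdmin() { return roles.contains("admin"); }
    }

    /** What the caller should do; a real Action maps DENY to a redirect. */
    public enum Decision { DENY, ALLOW, SUBSTITUTED }

    public static final class Result {
        public final Decision decision;
        public final long effectiveId;   // the id the Action should actually act on
        Result(Decision decision, long effectiveId) {
            this.decision = decision;
            this.effectiveId = effectiveId;
        }
        @Override public String toString() { return decision + " id=" + effectiveId; }
    }

    /** Parse the raw parameter; anything non-numeric is treated as absent. */
    public static Optional<Long> parseId(String raw) {
        if (raw == null) return Optional.empty();
        try {
            return Optional.of(Long.parseLong(raw.trim()));
        } catch (NumberFormatException e) {
            return Optional.empty();
        }
    }

    /**
     * Decide which id (if any) the Action may use.
     * @param user        the logged-in user, or empty when there is no session
     * @param requestedId the id taken from the request
     */
    public static Result authorize(Optional<User> user, long requestedId) {
        if (user.isEmpty()) {
            // Not logged in: the page is off limits regardless of the id.
            return new Result(Decision.DENY, -1L);
        }
        User u = user.get();
        if (u.isAdmin()) {
            return new Result(Decision.ALLOW, requestedId);   // admins may edit anyone
        }
        if (u.id == requestedId) {
            return new Result(Decision.ALLOW, requestedId);   // user editing their own record
        }
        // A regular user asked for somebody else's record. Use their own id
        // instead of the parameter, and log the mismatch: repeated mismatches
        // from one account are worth a look in the server logs.
        System.err.println("id mismatch: user " + u.id + " requested " + requestedId);
        return new Result(Decision.SUBSTITUTED, u.id);
    }

    public static void main(String[] args) {
        // Constructed sample users and requests for the demonstration.
        Optional<User> nobody = Optional.empty();
        Optional<User> admin  = Optional.of(new User(1L, Set.of("admin")));
        Optional<User> alice  = Optional.of(new User(234L, Set.of("user")));

        long requested = parseId("234").orElse(-1L);
        System.out.println("anonymous, id=234  -> " + authorize(nobody, requested));
        System.out.println("admin,     id=234  -> " + authorize(admin, requested));
        System.out.println("alice,     id=234  -> " + authorize(alice, requested));
        System.out.println("alice,     id=999  -> " + authorize(alice, 999L));
        System.out.println("parseId(\"234abc\") present? " + parseId("234abc").isPresent());
    }
}
```

Returning a `Result` rather than throwing keeps the decision in one place: the Action calls `authorize`, forwards on DENY, and otherwise uses `effectiveId` instead of the raw parameter, so the request value never reaches the DAO unchecked.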