1

A colleague once mentioned to me that when developing web applications, explicitly using a sequence/auto-increment integer (typically a primary key) to uniquely identify values within a database is a security risk, and that since such keys are often used as "surrogate keys" (e.g., for internally identifying records and relationships between records) the safest way of identify resources is use to domain primary key.

Take the following example.

create table category
(
    category_key serial not null primary key,
    name character varying(255) not null,
    unique(name)
);

create table product
(
    product_key serial not null primary key,
    product_id character varying(8) not null,
    name character varying(255) not null,
    unique(product_id)
);

To access category, the url is /category/(\d+) using the category_key primary key. How is this less secure than a url /category/([^/]+) using the name unique key?

The only thing I can think of is that a particular category_key is much easier to guess (e.g., add one), and if you haven't coded your access control properly, this could allow someone to arbitarily view any category within the database.

magnus
  • 4,031
  • 7
  • 26
  • 48
  • easier to guess is the only reason the comes in my mind too. – Hank Lapidez Jul 12 '14 at 10:00
  • 1
    Here's a good answer on this topic: http://stackoverflow.com/a/7452072/2719186. It really depends on whether you have sensitive data in the database (categories and products don't sound particularly sensitive) and whether it would be a problem if someone could scrape your entire database by making calls for ID 1, 2, 3, 4... – Dave Morrissey Jul 12 '14 at 10:01
  • 1
    If the knowledge of the ID is used as a key to authorization, a predictable ID is a security issue. – Gumbo Jul 12 '14 at 12:05

1 Answers1

0

I don't think it's going to ruin your app, it's all about guessing.. When it comes to security. for me it's more about encryption and permission checking and many more.. In conclusion, I don't think there is a relation between using auto-increment with security.

Bla...
  • 7,228
  • 7
  • 27
  • 46