
I have to pass parameters through my pages. For example, ids from my database.

Is it a good idea to do so: www.example.com?id=10

Or do I have to hash the parameter:

www.example.com?id=b1d5781111d84f7b3fe45a0852e59758cd7a87e5

Is it really important to hash this one?

Thanks, best regards

anubis
  • It depends on what you're protecting. – Jay Blanchard Dec 01 '15 at 21:04
  • What exactly would hashing (or any other form of obfuscation) offer here? – Jon Dec 01 '15 at 21:04
  • How do you propose to turn this hash back into a number? Hashes are generally one-way functions. – Marc B Dec 01 '15 at 21:04
  • If you hash the parameters, it will protect your website from sniffing content; otherwise there is no need for hashing, it is too costly. – Fahed Alkaabi Dec 01 '15 at 21:05
  • I would save the hash in the database and search for this. – anubis Dec 01 '15 at 21:05
  • @anubis of course. But how would that be different from using straight integers? The *only* thing you gain is that it's not easy for someone to "try all numbers in a row", but that should be irrelevant in any serious application. The security and integrity of your data should never depend on someone not being able to guess a long-lived value. – Jon Dec 01 '15 at 21:08
  • OK, thanks. If there is no security reason to do this, it's simpler to use the id directly! – anubis Dec 01 '15 at 21:09
  • How about saving all this stuff in a session instead, so you do not have to display and pass all the data? – Hasse Björk Dec 01 '15 at 21:15
  • In this case it is not possible because the system sends the url to another user. – anubis Dec 01 '15 at 21:17

3 Answers


There is no need to hash ids in the query string. Yes, it is visible to everyone, but it's common usage. You should verify on your server side that this parameter cannot harm your application.

Avi

How are you able to trace back the id for that specific hash? You will create a bottleneck if you need to get all your database ids and hash those to find your matching record.

Using ids in urls is common; just don't put any sensitive data in your urls, to protect your visitors (and yourself).

Also note that every visitor is evil. Always validate incoming data and do some proper error handling in case someone is messing around with the urls.

PAlphen

Ids are ok but I think the spirit of this question may be the result of a very real concern.

As others have said, you should expect evildoers to be using your site. Of particular concern with poorly designed web applications are SQL injection attacks. The ids themselves aren't an issue, but if your backend is building a string of SQL, you could have an issue. For example, if your PHP code is taking that parameter and creating this SQL:

$sql = 'select * from product where id = ' . $_GET['id']; // vulnerable: untrusted input is concatenated into the SQL text

Executing this SQL would be a major issue if someone changed their browser to call this page:

/product.php?id=1;DELETE FROM USERS;--

...you could end up with an empty database table.

Every language has its own way of protecting from this kind of thing, so make sure you are doing it the right way. For example, see this SO question: "How can I prevent SQL injection in PHP?"

See https://www.owasp.org/index.php/SQL_Injection for more info

mcgraphix
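Added example (not code from any of the answers above): the concatenated query from this answer placed beside a hardened version that validates the id and binds it as a prepared-statement parameter, run against an in-memory SQLite database with constructed rows. The `product` table layout, its `secret` column and the tampered id value are assumptions made for the demonstration.

```php
<?php
// Added example: in-memory SQLite via PDO so it runs offline (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Constructed sample data: row 2 is flagged "secret" and must never be returned.
$db->exec('CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT, secret INTEGER)');
$db->exec("INSERT INTO product VALUES (1, 'public widget', 0), (2, 'hidden gadget', 1)");

// Vulnerable: the raw query-string value becomes part of the SQL text, exactly as in
// the answer above, so the database parses whatever the visitor typed as SQL.
function lookupVulnerable(PDO $db, string $rawId): array
{
    $sql = 'SELECT id, name FROM product WHERE id = ' . $rawId . ' AND secret = 0';
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: accept only a string of decimal digits (the id is an integer key), then
// bind it as a parameter so the value can never change the structure of the query.
function lookupSafe(PDO $db, string $rawId): array
{
    if (!ctype_digit($rawId)) {
        throw new InvalidArgumentException('id must be a non-negative integer');
    }
    $stmt = $db->prepare('SELECT id, name FROM product WHERE id = :id AND secret = 0');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed tampered value standing in for ?id=... in the URL.
$tampered = '1 OR 1=1 --';

// The "--" comments out the "AND secret = 0" filter: both rows come back, including the hidden one.
var_dump(count(lookupVulnerable($db, $tampered))); // int(2)

// The hardened lookup rejects the value before any SQL is built.
try {
    lookupSafe($db, $tampered);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// A legitimate id still works and only the intended, non-secret row is returned.
var_dump(count(lookupSafe($db, '1'))); // int(1)
```

Validation with `ctype_digit` and the bound parameter are independent defences: the parameter binding alone already prevents the injection, and the digit check additionally gives a clean error path for malformed ids, as the second answer recommends.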