
Sorry if that question was already asked, but I didn't find any answer on Google. I would like to know if it's dangerous to let users know data IDs. For instance, if a user has as primary key in my data table "users" id=34.

Is it bad to let him know that in the HTML/JS code? Is it recommended to hash data IDs? Which method is usually used in PHP?

Thanks a lot for your response.

user3540430
  • It's not necessarily bad, but depends on your *other* security practices. – random_user_name May 01 '16 at 12:42
  • It's not really dangerous... most popular sites I know allow you to search a user by their ID. From my point of view though, you should also let people search a user through their username, as they might not know the ID. – The Codesee May 01 '16 at 12:45
  • Unless there's a special "php twist" I've missed, this is a duplicate of http://stackoverflow.com/questions/396164/exposing-database-ids-security-risk . see also http://programmers.stackexchange.com/questions/218306/why-not-expose-a-primary-key , http://programmers.stackexchange.com/questions/139450/is-obscuring-obfuscating-public-facing-database-ids-really-a-best-practice and (for a different point of view) http://johntopley.com/2008/08/19/database-ids-have-no-place-in-uris/ . – VolkerK May 01 '16 at 12:45
  • Thanks a lot for your answers. And really sorry for the duplicate. I didn't succeed in googling it! – user3540430 May 01 '16 at 12:57
  • Don't worry. A duplicate isn't necessarily a bad question. -- For your specific case: It's not a security risk to expose an internal database identifier, given proper precautions (parameterization, authentication if needed). Leaking numeric IDs in place of user names into IRIs is however a poor choice from a stylistic viewpoint. – mario May 01 '16 at 13:01

0 Answers
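Added example, not part of the original thread: a PHP sketch of the precautions named in the comments (parameterization and an authenticated owner check), so that a visible ID such as 34 grants nothing by itself. The `notes` table, the `fetchOwnNote()` helper and the sample rows are hypothetical and constructed for illustration; it assumes the `pdo_sqlite` extension.

```php
<?php
declare(strict_types=1);

// Constructed sample data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, body TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (id, name) VALUES (34, 'alice'), (35, 'bob')");
$pdo->exec("INSERT INTO notes (id, owner_id, body) VALUES (1, 34, 'alice private note'), (2, 35, 'bob private note')");

/**
 * Hypothetical helper: return a note only if it belongs to the logged-in user.
 * $sessionUserId comes from the server-side session, never from the request.
 * $rawNoteId is the ID exactly as it arrives from the client (URL, form, JS).
 */
function fetchOwnNote(PDO $pdo, int $sessionUserId, $rawNoteId): ?array
{
    // Reject anything that is not a positive integer before it reaches SQL.
    $noteId = filter_var($rawNoteId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($noteId === false) {
        return null;
    }

    // Parameterized query. The ownership condition is part of the lookup,
    // so "does not exist" and "belongs to someone else" look the same to the caller.
    $stmt = $pdo->prepare('SELECT id, body FROM notes WHERE id = :id AND owner_id = :owner');
    $stmt->execute([':id' => $noteId, ':owner' => $sessionUserId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    return $row === false ? null : $row;
}

$sessionUserId = 34; // assumed: set at login and read from $_SESSION

var_dump(fetchOwnNote($pdo, $sessionUserId, '1'));        // ID of the user's own note
var_dump(fetchOwnNote($pdo, $sessionUserId, '2'));        // ID of another user's note
var_dump(fetchOwnNote($pdo, $sessionUserId, '1 OR 1=1')); // malformed ID
```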