On my website, there's a user profile page. What I am currently doing is just passing the user ID via a GET request and using it to query the user's details.

So, the user profile URL is like this...

http://www.example.com/user.php?id=345

So my problem is this: is it safe to show this user's ID (the primary key of the user table) in the URL, so that anyone can see it?

Tharindu Thisarasinghe
  • This is completely normal to do. I guess it depends on what you would consider unsafe, could this be exploited in any way? – JimL May 12 '16 at 15:59
  • It will be, if you don't sanitize incoming data. In general it's not a vulnerability for the system itself, just IDs exposed to third parties, no more, no less. As a suggestion, you can use a hash as the `id` (as a bad, dirty example, md5(`email`+salt) or something similar) inside the database. – Wizard May 12 '16 at 16:00
  • What about adding another field to the table which has another unique number, and using it to query the records? – Tharindu Thisarasinghe May 12 '16 at 16:02
  • So that would be exactly like showing the `?id=123` as it would be `?uid=993663475` – RiggsFolly May 12 '16 at 16:04
  • Safe is how you use it, but it looks innocuous enough. You need to make sure you cross-check with some sort of identity constant like session or cookie when accessing user-only privileged data so that someone can't just change the id and pull up another user's data. – Rasclatt May 12 '16 at 16:04
  • No, this is not safe; a user can exploit your database easily – Umair Khan May 12 '16 at 16:06
  • @TharinduLucky before messing with other IDs or anything, why are you worried that people can see the user ids in the first place? – JimL May 12 '16 at 16:06
  • Kind of ironic that you're asking this question on a site that appears to actually do that. (stackoverflow.com/users/3844510) – Don't Panic May 12 '16 at 16:06
  • The `ID` I'm currently using is the primary key of the user table. So that `ID` is the key I'm using for setting `SESSIONS` when users log in to the system. That's why I thought about it. – Tharindu Thisarasinghe May 12 '16 at 16:10
  • @UmairKhan - not exactly true, it all depends on how the backend has been written. Visibility of an ID, in and of itself, is not insecure... non-validation of data from a URL (or a POST request) is insecure and can be exploited – Mark Baker May 12 '16 at 16:10
  • @TharinduLucky doesn't matter, the client can't write to the PHP session data directly. At best the client can change the PHPSESSID, but that is a long hash and it's unlikely to match another active session. – JimL May 12 '16 at 16:12
  • @MarkBaker but sometimes, due to poor coding, your database can easily get hacked. I agree with you that it all depends on how the back end has been written – Umair Khan May 12 '16 at 16:16
  • @UmairKhan sure - but that's security problem(s) with the code. Exposing the user ids (as the OP asked) shouldn't increase the risk of getting hacked. – JimL May 12 '16 at 16:18

1 Answer

It's normal.

But I would suggest you add form validation to prevent SQL injection. Never trust what users give you.

I'd use that kind of expression, but additionally

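```php
// Accept only a string of digits (D: no trailing newline); stop otherwise.
if (!is_string($_GET['id'] ?? null) || !preg_match('/^[0-9]+$/D', $_GET['id'])) {
    echo 'ID disallowed.';
    exit;
}
```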

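or have a digit limit (matches 1 to 999999)

```php
// Same check, limited to between one and six digits.
if (!is_string($_GET['id'] ?? null) || !preg_match('/^[0-9]{1,6}$/D', $_GET['id'])) {
    echo 'ID disallowed.';
    exit;
}
```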
Benyi
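Added example, not part of the answer or the thread: one way a `user.php` lookup can combine the two points raised above, validating and binding the `id` from the URL, and checking the server-side session before returning private fields. The `users` table layout, the `load_profile` helper and the in-memory SQLite data are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: returns the profile for ?id=..., or null when the id is
// invalid or unknown. $sessionUserId is the logged-in user's id (taken from
// $_SESSION on a real page), or null for an anonymous visitor.
function load_profile(PDO $db, $rawId, ?int $sessionUserId): ?array
{
    // Strict integer check: rejects arrays, "345 OR 1=1", "12abc", negatives.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // Prepared statement: the id is bound as data, never spliced into the SQL.
    $stmt = $db->prepare('SELECT id, name, email FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }

    // Public fields go to everyone. Private fields go only to the owner, and
    // ownership comes from the session, not from anything in the URL.
    $profile = ['id' => (int) $row['id'], 'name' => $row['name']];
    if ($sessionUserId === $id) {
        $profile['email'] = $row['email'];
    }
    return $profile;
}

// Constructed sample data in an in-memory SQLite database (runs offline).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$db->exec("INSERT INTO users VALUES (345, 'alice', 'alice@example.com'),
                                    (346, 'bob', 'bob@example.com')");

var_dump(load_profile($db, '345', 345));        // owner viewing own profile
var_dump(load_profile($db, '345', 346));        // a different logged-in user
var_dump(load_profile($db, '345', null));       // anonymous visitor
var_dump(load_profile($db, '345 OR 1=1', 345)); // non-numeric id in the URL
var_dump(load_profile($db, ['345'], 345));      // array sent as ?id[]=345
```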