All geek questions in one place

What are some methods for storing database keys in a url

I read that using database keys in a url is bad.

For instance,

My table has 3 fields: ID:int , Title:nvarchar(5) , Description:Text

I want to create a page that displays a post. Sort of...

 http://server/viewitem.aspx?id=1234

  • Firstly, can someone clarify why this is bad?

  • and secondly, what are some ways to work with primary keys in a url?

+4
source share
9 answers

I think it’s wise to use primary keys in the URL.

Some considerations, however:

1) Avoid SQL injection attacks. If you just blindly accept the id id parameter value and pass it to the database, you run the risk. Make sure you sanitize the input so that it matches any key format you have (for example, discard any non-numeric characters).

2) SEO. This helps if your URL contains some context relative to the element (for example, "big fluffy rabbit" rather than 1234). This helps search engines see that your page matters. It can also be useful for your users (I can find out from the history of my browser what record, without having to remember the number).

+4
source

This is not inherently a bad deed, but it does have some reservations.

The caveat is that someone might enter different keys and possibly pull out data that you don't need / expected them to hit. You can reduce the likelihood that this will be successful by increasing the key space (for example, by making identifiers for random 64-bit numbers).

The caveat two is that if you use a public service and you have competitors, they can extract service information from your keys if they are monotonous. Example: create a message today, create a message in a week, compare identifiers, and you have extracted the speed with which messages are made.

Caveat Three is that it is prone to SQL injection attacks. But you never made a mistake, right?

+2
source

Using identifiers in a URL is not necessarily a bad thing. This site uses it, despite the fact that it is made by professionals.

How can they be dangerous? When users are allowed to update or delete records belonging to them, the developers perform some authentication, but often forget to check whether the record really belongs . An attacker can generate a URL, for example, "/questions/12345/delete" when he notices that “12345” belongs to you and it will be deleted.

Programmers must make sure that the database record with an arbitrary identifier really belongs to the current registered user before performing such an operation.

Sometimes there are serious reasons to avoid identifying identifiers in URLs. In such cases, developers often generate random hashes that they store for each entry and use them in the URL. It would be difficult for an attacker to interfere with the URL string to guess a hash belonging to another user.

+1
source

Security and privacy are the main reasons to avoid this. Any information that makes your data structure stand out is more information that a hacker can use to access your database. As mopoke says, you also expose yourself to SQL injection attacks, which are quite common and can be extremely harmful to your database and application. In terms of confidentiality, if you show any confidential or personal information, anyone can simply replace the number to receive information, and if you do not have an authentication mechanism, you can put your information at risk. In addition, if you can easily query your database, you will open yourself up for denial of service attacks when someone simply goes over the URL against your server, as they know that everyone will get a response.

Regardless of the nature of the data, I tend to recommend against using anything in the URL that could render something about your application architecture, it seems to me that you are simply causing problems (I also relate to hidden fields that actually not hidden).

To get around this, we pre-encrypt the parameters before passing them. In some cases, the encoded URL also includes some form of verification / authentication mechanism, so the server can decide whether to handle it normally.

Of course, each application is different, and the level of security that you want to implement must be balanced with functionality, budget, performance, etc. But I see nothing wrong with being paranoid when it comes to data security.

+1
source

This is sometimes a little pedantic, but you want to use a unique business identifier for things, rather than a surrogate key.

It can be as simple as ItemNumber instead of Id.

The identifier is a db problem, not a business / user issue.

0
source
  • Using integer primary keys in a URL is a security risk. It's easy for someone to post any number. For example, when using a regular web application, the user creates a user record with identifier 45 (viewitem / id / 45). This means that the user automatically knows that there are 44 other users. And if you do not have the correct authorization system, they can see other user information by creating their own url (viewitem / id / 32).

2a. Use the correct authorization. 2b. Use a GUID for primary keys.

0
source

showing the key itself is not initially bad, because it makes no real sense, but showing the means to gain access to the element is bad.

for example, you have an online store that sold items from 2 merchants. Merchant A had items (1, 3, 5, 7), and Merchant B had items (2, 4, 5, 8).

If I shop at Merchant A and see: http: //server/viewitem.aspx? Id = 1

Then I could try playing with him and type: http: //server/viewitem.aspx? Id = 2

This may allow me to access an item that I should not access, as I shop with Merchant A, not B. In general, allowing users to bother with such things can lead to security issues. Another brief example are employees who can view their personal information (id = 382), but they enter the identifier of another user to go directly to another profile.

Now, saying that it’s not bad if security checks are built into the system that check that people do what they should (for example: do not make purchases from another merchant or do not view another employee).

One mechanism is to store information in sessions, but some do not like it. I am not a programmer, so I won’t go into it.

The main thing is that the system is safe. Never trust the data received from the user.

0
source

It seems that all users are asking “problems” using this technique, but I have not seen any solutions. What are the alternatives. There should be something in the url that uniquely determines what you want to display to the user. The only other solution I can think of is to start the entire site outside of the forms, and the browser to send the value to the server. This is a bit more complicated for the code, since all links must be presented on the form. In addition, it’s minimally more difficult for users of the site to use whatever value they want. In addition, this will not allow the user to add any bookmarks, which is the main disadvantage.

@ John Virgolino mentioned encrypting the entire query string, which could help in this process. However, for most applications this seems too big.

0
source

I read about this, looking for a solution, but since @Kibbee says there is no real consensus.

I can think of several possible solutions:

1) If your table uses integer keys (most likely), add a checksum digit to the identifier. Thus, (simple) injection attacks usually fail. When you receive a request, simply delete the checksum digit and make sure it still matches - if they do not, you know that the URL has been changed. This method also hides your "growth rate" (somewhat).

2) When you initially save the database record, save the "secondary key" or the value that you are happy as a public identifier. This should be unique and usually not sequential - examples are the UUID / Guid or the hash (MD5) of an integer identifier, for example. http: //server/item.aspx? id = AbD3sTGgxkjero (but be careful with characters that are not compatible with http). Heading north, the secondary field needs to be indexed, and you will lose the benefits of clustering that you get in 1).

0
source

Source: https://habr.com/ru/post/1276781/

More articles:


All Articles