I am working on an application that allows a moderator to edit user information. So at the moment I have URLs like
http://xxx.xxx/user/1/edit
http://xxx.xxx/user/2/edit
I am a little worried here, since I directly expose the primary key of the table (id) from the database. I just take the identifier from the URL (for example: 1 and 2 from the above URLs), query the database with the identifier and get the user information (of course, I sanitize the input identifier, i.e. the one from the URL).
Note:
I check each request to see whether the moderator has edit access to this user.
This is what I do. Is it safe? If not, how should I do this?
I can think of one alternative, that is, have a separate column in the user table with a 25-character key, use the keys in the URL and query the database with these keys.
But,
This is safe (and it seems to be the best way to do this) if the moderator privilege check is correct and you guard against SQL injection. Both of which you mentioned, so I would say that you are good.
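As an added illustration of the two conditions this answer names (not code from the question or the answer), here is the edit route's data access written so that the lookup is a parametrized query and the moderator's access to that specific user is checked on every request before anything is returned. The schema, the `moderator_scope` table and the "moderators are scoped to an organisation" model are assumptions made for the example; the SQLite database is built in memory from constructed rows so it runs offline.

```python
import sqlite3


class NotFound(Exception):
    """No such user, or the id in the URL is not a well-formed integer."""


class Forbidden(Exception):
    """User exists, but this moderator may not edit it."""


def build_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for the application's user table.
    # The moderator_scope table (which organisation a moderator may edit) is an
    # assumption for this example, not part of the original question.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, org TEXT NOT NULL);
        CREATE TABLE moderator_scope (moderator TEXT NOT NULL, org TEXT NOT NULL);
        INSERT INTO users VALUES (1, 'alice', 'orgA'), (2, 'bob', 'orgB'), (3, 'carol', 'orgA');
        INSERT INTO moderator_scope VALUES ('mod_a', 'orgA'), ('mod_b', 'orgB');
        """
    )
    return conn


DB = build_db()


def parse_user_id(raw: str) -> int:
    # The id arrives as a path segment string; accept only ASCII digits and
    # convert, so anything else (including injection payloads) never reaches
    # the query as an id at all.
    if not (raw.isascii() and raw.isdigit()):
        raise NotFound(f"malformed id {raw!r}")
    return int(raw)


def load_user_for_edit(conn: sqlite3.Connection, moderator: str, raw_id: str) -> dict:
    """Fetch the user only after confirming this moderator may edit it."""
    uid = parse_user_id(raw_id)
    # Parametrized query: the id is bound, never concatenated into SQL.
    row = conn.execute("SELECT id, name, org FROM users WHERE id = ?", (uid,)).fetchone()
    if row is None:
        raise NotFound(f"no user {uid}")
    # Per-request authorization check, done on the server against the record
    # that was actually loaded, not against anything the client sent.
    allowed = conn.execute(
        "SELECT 1 FROM moderator_scope WHERE moderator = ? AND org = ?",
        (moderator, row[2]),
    ).fetchone()
    if allowed is None:
        raise Forbidden(f"{moderator} may not edit user {uid}")
    return {"id": row[0], "name": row[1], "org": row[2]}


def edit_outcome(moderator: str, raw_id: str) -> str:
    """Map the route's result to the status the HTTP layer would send."""
    try:
        load_user_for_edit(DB, moderator, raw_id)
        return "ok"
    except Forbidden:
        return "forbidden"
    except NotFound:
        return "not_found"


if __name__ == "__main__":
    for mod, uid in [("mod_a", "1"), ("mod_b", "1"), ("mod_a", "99"), ("mod_a", "1 OR 1=1")]:
        print(mod, uid, "->", edit_outcome(mod, uid))
```

The point of the second query is that the check is tied to the loaded record: guessing another id (the URL is trivially enumerable, as the question notes) only ever yields a user the moderator was already entitled to edit. Whether "forbidden" and "not_found" should be reported identically to the client is a separate choice; keeping them distinct server-side is useful for logging.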
[Answer text lost in extraction; only fragments survive.] Stackoverflow:
http://stackoverflow.com/users/1/
http://stackoverflow.com/users/2/
http://stackoverflow.com/users/3/
"member for" ... PK.
... 1, 2, 3 ... URL ... PK ... 535672571d2b4
[Answer text lost in extraction; only fragments survive.] ... better SQL ...
... DB ... PostgreSQL:
CREATE TABLE t1 (
    id bigint NOT NULL DEFAULT (((nextval('id_seq'::regclass) * 678223072849::bigint) % (1000000000)::bigint) + 460999999999::bigint),
    ... <other fields here>
)
If you are really unsure, you can also use XOR with a good (large) fixed value. This way you will not disclose your identifiers. When re-applying the same "secret number" with the xor'ed field, you will get the original value.
$YOUR_ID xor $THE_SECRET_NUMBER = $OUTPUTTED_VALUE
$OUTPUTTED_VALUE xor $THE_SECRET_NUMBER = $YOUR_ID
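Added example, not from the answers above: the two id-hiding schemes proposed here, the PostgreSQL DEFAULT expression (multiply the sequence value, reduce modulo 10^9, add an offset) and the XOR with a fixed secret, written out in Python so their properties can be checked. The constants are the ones from the CREATE TABLE above; the XOR secret is a constructed value. The block also shows the caveat a reviewer would raise for both: each mapping is a simple bijection that is fully reversible by anyone who learns the constants, so it hides sequence order from casual readers but is not a substitute for the authorization check.

```python
# Constants taken from the PostgreSQL DEFAULT expression in the answer above.
MULT = 678223072849
MOD = 1_000_000_000
OFFSET = 460_999_999_999

# Constructed secret for the XOR variant; in practice a random value kept
# only on the server.
XOR_SECRET = 0x5DEECE66D


def scrambled_id(seq: int) -> int:
    """Same arithmetic as the table DEFAULT: (seq * MULT) % MOD + OFFSET."""
    return (seq * MULT) % MOD + OFFSET


def unscramble_id(value: int) -> int:
    """Recover the sequence value. Works because gcd(MULT, MOD) == 1, so MULT
    has a multiplicative inverse modulo MOD (Python 3.8+ pow with -1)."""
    inv = pow(MULT, -1, MOD)
    return ((value - OFFSET) * inv) % MOD


def obfuscate_xor(user_id: int) -> int:
    return user_id ^ XOR_SECRET


def deobfuscate_xor(value: int) -> int:
    # Applying the same secret again restores the original, as the answer says.
    return value ^ XOR_SECRET


def scrambled_ids_are_distinct(n: int) -> bool:
    """The multiply-mod scheme is a permutation of 0..MOD-1, so the first n
    sequence values (n <= MOD) must all map to distinct ids."""
    return len({scrambled_id(i) for i in range(1, n + 1)}) == n


def xor_reveals_difference(a: int, b: int) -> bool:
    """Caveat: XOR with a fixed key preserves the XOR of any two ids, so an
    observer holding two obfuscated values learns a ^ b without the secret."""
    return obfuscate_xor(a) ^ obfuscate_xor(b) == a ^ b


if __name__ == "__main__":
    for seq in (1, 2, 3):
        v = scrambled_id(seq)
        print(f"seq {seq} -> id {v} -> back to {unscramble_id(v)}")
    print("first 10000 scrambled ids distinct:", scrambled_ids_are_distinct(10_000))
    print("xor leaks a^b for ids 1 and 2:", xor_reveals_difference(1, 2))
```

Both schemes make the URLs look non-sequential, which is all the answers claim for them. Neither adds entropy: the multiply-mod constants sit in the schema and the XOR key is a single fixed number, so an id that leaks or a secret that is reused across environments undoes the hiding. The per-request access check remains what actually stops one moderator from editing another's users.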
Source: https://habr.com/ru/post/1537515/