Although I always verify that someone is allowed to access the record, I usually use the UID in the query strings, because I feel like it prevents the temptation to “poke” that ?id=1, ?id=2 does.
I find this makes it a bit confusing to search across multiple tables, since you need to also store the UID, not just the record identifier.
If I were to pass the encrypted identifier number string through the query string and then decrypt it to execute the database query, would that add a lot of overhead?
This would mean that I can simply work with the primary key (although I still obviously check that they have permission to view the record), and can create unique links in each session (or change at any time throughout the session) - which would be useful if there is a lot of AJAX-driven content that you do not want them to try to play.
Is this a really bad idea?
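The scheme the question describes, as an added example that is not part of the original post: a per-session key turns the primary key into an opaque query-string token, and the handler still checks ownership after decoding it. The HMAC-SHA256 construction is a standard-library stand-in for a library AEAD such as AES-GCM, and every function name and the sample records are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data: record primary key -> owner and content.
RECORDS = {41: {"owner": "alice", "body": "invoice A"},
           42: {"owner": "bob", "body": "invoice B"}}

def new_session_key() -> bytes:
    """Random key created at login; replacing it invalidates every old link."""
    return secrets.token_bytes(32)

def _prf(key: bytes, data: bytes) -> bytes:
    # Assumption of this example: HMAC-SHA256 as the PRF instead of a library AEAD.
    return hmac.new(key, data, hashlib.sha256).digest()

def seal_id(session_key: bytes, record_id: int) -> str:
    """Encrypt-then-MAC the primary key into a 48-character URL-safe token."""
    nonce = secrets.token_bytes(12)  # fresh per link, so links never repeat
    pad = _prf(_prf(session_key, b"enc"), nonce)[:8]
    ct = bytes(a ^ b for a, b in zip(record_id.to_bytes(8, "big"), pad))
    tag = _prf(_prf(session_key, b"mac"), nonce + ct)[:16]
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()

def open_id(session_key: bytes, token: str) -> Optional[int]:
    """Return the primary key, or None for a forged or other-session token."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) != 36:
        return None
    nonce, ct, tag = raw[:12], raw[12:20], raw[20:]
    expected = _prf(_prf(session_key, b"mac"), nonce + ct)[:16]
    if not hmac.compare_digest(tag, expected):  # verify before decrypting
        return None
    pad = _prf(_prf(session_key, b"enc"), nonce)[:8]
    return int.from_bytes(bytes(a ^ b for a, b in zip(ct, pad)), "big")

def view_record(session_key: bytes, user: str, token: str):
    """Request handler: decode the token, then still enforce ownership."""
    record_id = open_id(session_key, token)
    if record_id is None or record_id not in RECORDS:
        return 404, None
    if RECORDS[record_id]["owner"] != user:
        return 403, None
    return 200, RECORDS[record_id]["body"]
```

Each token costs four HMAC-SHA256 calls to create or open, which is small next to the database query it precedes.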