
PHP Server Side Scripting Forum

    
Does it matter if you show the unique id of a record in the URL?
dowzer
msg:4279145
9:30 pm on Mar 9, 2011 (gmt 0)

In lots of instances I see URLs such as www.test.com/user.php?id=10 etc.

Is there any "danger" associated with showing these IDs, assuming you have already verified that the user has the right to view them, i.e. so if they try to view www.test.com/user.php?id=11 but are not allowed to then it stops them from doing so?

I have seen some apps which use things such as www.example.com/09a30000000D9x or some other random, unique string which makes it much harder for someone to try and find the next record or to try and view a specific record which they are not meant to, but is this actually necessary?


Matthew1980
msg:4279151
9:38 pm on Mar 9, 2011 (gmt 0)

Hi there dowzer,

Only thing I will offer as an answer is this: if you have this sort of URL, it isn't very SEO friendly, but if you have that particular example rewritten through your .htaccess file using the mod_rewrite module, you can make that URL more 'acceptable' - though you must understand that mod_rewrite doesn't rewrite the URL for you, you have to have the URL done like:-

www.test.com/user/10/index.html (you can omit the .html part too if you like :))

so your URL is done in the actual anchor tag, then the rule in the .htaccess file interprets this and asks the server to display the data accordingly.

So, a more concise answer is: Having the friendly URLs makes for better search engine results. At least this is how I understand it to be...

Cheers,
MRb

g1smd
msg:4279192
10:47 pm on Mar 9, 2011 (gmt 0)

See several of my posts in this thread from earlier today, on why URLs like
www.example.com/34437732/acme-rotating-widget are a Good Thing: [webmasterworld.com...]

dowzer
msg:4279445
8:21 am on Mar 10, 2011 (gmt 0)

Thank you both.

In my case these pages will never be seen by a search engine - they are part of a secure application so my main concern is security rather than how it looks or how SEO friendly it may be, if that makes sense?

rocknbil
msg:4279721
5:09 pm on Mar 10, 2011 (gmt 0)

OK so let's say you log in and your user's URL looks like this.

www.test.com/user.php?id=10

What happens if you do this?

www.test.com/user.php?id=12

Does it reveal info about another user that it shouldn't? Is the field name of your table 'id'? This reveals info about your table structure. I can guess you have a table named something like 'users', and if error reporting is on someone can munge the URL to kick errors, and from those errors glean a little more info and do all sorts of nasty stuff.

In itself, no, it's not a big deal, it's just a little piece, but someone can go over your site, look at the form field names, and take a stab at the likelihood that the form fields are the same as the table field names . . . which is sickeningly common . . . all these little things add up to a way to abuse your site.

It's pretty easy to change. I can guess at the numbers, but if the user names are not publicly displayed,

www.test.com/user.php?u=rocknbil

will add a small layer. I can't guess at other user names (I can, but would it be worth it . . . ). What you do is look up the user by username instead, never revealing the record ID anywhere.

dowzer
msg:4280198
2:56 pm on Mar 11, 2011 (gmt 0)

If you do www.test.com/user.php?id=12 and you are not allowed to view id 12 it redirects you to the user index page so that one is covered (I think!).

Your second points are really where I am coming from, around the level of information given away. Needs some more thought really; do I need to go back and start from scratch to make it more secure?
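The three points raised in this thread (check authorization before any record is read, as dowzer's redirect does; put an opaque token rather than the table's primary key in the URL, as rocknbil suggests; keep database errors out of the response) can be combined in one small handler. This is an added example written for this thread, not code posted by any participant; it assumes a hypothetical `users` table with columns `id`, `public_id`, `username` and `email`, a SQLite file `users.db`, and a session that already holds `user_id` and `is_admin`.

```php
<?php
// Added example (not from the thread). Serves user.php?u=<token> instead of user.php?id=10.
// Assumes a hypothetical `users` table: id (PK), public_id (random hex), username, email.
declare(strict_types=1);
ini_set('display_errors', '0');   // errors go to the server log, never into the page body
session_start();

// Token to store in users.public_id when a record is created: 128 random bits, hex
// encoded, so the "next record" cannot be found by adding one to the URL.
function makePublicId(): string {
    return bin2hex(random_bytes(16));
}

/** Returns the record the current session may view, or null (caller redirects). */
function loadViewableUser(PDO $db, string $publicId, int $sessionUserId, bool $isAdmin): ?array {
    if (!preg_match('/^[0-9a-f]{32}$/', $publicId)) {
        return null;                      // malformed token: treated exactly like "not found"
    }
    $stmt = $db->prepare('SELECT id, username, email FROM users WHERE public_id = :pid');
    $stmt->execute([':pid' => $publicId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Object-level authorization: owner or admin only. Same null result either way, so the
    // response does not distinguish "exists but forbidden" from "does not exist".
    if (!$isAdmin && (int)$row['id'] !== $sessionUserId) {
        return null;
    }
    unset($row['id']);                    // the primary key is never echoed back to the browser
    return $row;
}

if (empty($_SESSION['user_id'])) {        // not logged in: nothing below runs
    header('Location: /login.php', true, 303);
    exit;
}
$db = new PDO('sqlite:users.db', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
try {
    $user = loadViewableUser($db, (string)($_GET['u'] ?? ''),
                             (int)$_SESSION['user_id'], !empty($_SESSION['is_admin']));
} catch (PDOException $e) {
    error_log($e->getMessage());          // detail stays server-side
    $user = null;
}
if ($user === null) {
    header('Location: /user/index.php', true, 303);   // the redirect dowzer describes
    exit;
}
echo htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8');
```

`makePublicId()` is called once when the row is inserted; the sequential `id` column stays as the internal key and foreign-key target, it just never appears in a URL or form field.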
