
Forum Moderators: coopster & jatar k


Does it matter if you show the unique id of a record in the URL?

     
9:30 pm on Mar 9, 2011 (gmt 0)

5+ Year Member



In lots of instances I see URLs such as www.test.com/user.php?id=10 etc.

Is there any "danger" associated with showing these IDs, assuming you have already verified that the user has the right to view them, i.e. so if they try to view www.test.com/user.php?id=11 but are not allowed to then it stops them from doing so?

I have seen some apps which use things such as www.example.com/09a30000000D9x or some other random, unique string which makes it much harder for someone to try and find the next record or to try and view a specific record which they are not meant to, but is this actually necessary?
9:38 pm on Mar 9, 2011 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



Hi there dowzer,

Only thing I will offer as an answer is this: if you have this sort of URL, it isn't very SEO friendly, but if you have that particular example rewritten through your .htaccess file and using the mod_rewrite module, you can make that URL more 'acceptable' - though you must understand that mod_rewrite doesn't rewrite the URL for you, you have to have the URL done like:-

www.test.com/user/10/index.html (you can omit the .html part too if you like :))

so your URL is done in the actual anchor tag, then the rule in the .htaccess file interprets this and asks the server to display the data accordingly.

So, a more concise answer is: Having the friendly URLs makes for better search engine results. At least this is how I understand it to be...

Cheers,
MRb
10:47 pm on Mar 9, 2011 (gmt 0)

WebmasterWorld Senior Member g1smd is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



See several of my posts in this thread from earlier today, on why URLs like
www.example.com/34437732/acme-rotating-widget
are a Good Thing: [webmasterworld.com...]
8:21 am on Mar 10, 2011 (gmt 0)

5+ Year Member



Thank you both.

In my case these pages will never be seen by a search engine - they are part of a secure application so my main concern is security rather than how it looks or how SEO friendly it may be, if that makes sense?
5:09 pm on Mar 10, 2011 (gmt 0)

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member



OK so let's say you log in and your user's URL looks like this.

www.test.com/user.php?id=10

What happens if you do this?

www.test.com/user.php?id=12

Does it reveal info about another user that it shouldn't? Is the field name of your table 'id'? This reveals info about your table structure. I can guess you have a table named something like 'users', and if error reporting is on someone can munge the URL to kick errors, and from those errors glean a little more info and do all sorts of nasty stuff.

In itself, no, it's not a big deal, it's just a little piece, but someone can go over your site, look at the form field names, and take a stab at the likelihood that the form fields are the same as the table field names . . . which is sickeningly common . . . all these little things add up to a way to abuse your site.

It's pretty easy to change. I can guess at the numbers, but if the user names are not publicly displayed,

www.test.com/user.php?u=rocknbil

will add a small layer. I can't guess at other user names (I can, but would it be worth it . . . ). What you do is look up the user by username instead, never revealing the record ID anywhere.
2:56 pm on Mar 11, 2011 (gmt 0)

5+ Year Member



If you do www.test.com/user.php?id=12 and you are not allowed to view id 12 it redirects you to the user index page so that one is covered (I think!).

Your second points are really where I am coming from really around the level of information given away. Needs some more thought really, do I need to go back and start from scratch to make it more secure?
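
An added example, not part of any post in this thread: a PHP sketch of the points raised above, namely an ownership check on every lookup, a random reference in the URL instead of the record ID, and one identical response whether a record is missing or belongs to someone else. The table and column names, the `public_ref` column and the function `fetchOwnedRecord` are assumptions for illustration, and an in-memory SQLite database (requires `pdo_sqlite`) stands in for the real one.

```php
<?php
declare(strict_types=1);
ini_set('display_errors', '0'); // log errors server-side; never show them to visitors

// Constructed sample data: in-memory SQLite stands in for the application's database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE records (id INTEGER PRIMARY KEY, public_ref TEXT UNIQUE, owner_id INTEGER, body TEXT)');
$ins = $db->prepare('INSERT INTO records (public_ref, owner_id, body) VALUES (?, ?, ?)');
foreach ([[10, 'record for user 10'], [12, 'record for user 12']] as [$owner, $text]) {
    // 128-bit random reference: unguessable and unrelated to the primary key.
    $ins->execute([bin2hex(random_bytes(16)), $owner, $text]);
}

/**
 * Return the record body only if $sessionUserId owns it, otherwise null.
 * "Malformed reference", "no such record" and "not yours" all return null,
 * so the caller sends one identical response and nothing can be enumerated.
 */
function fetchOwnedRecord(PDO $db, int $sessionUserId, string $ref): ?string
{
    if (!preg_match('/\A[0-9a-f]{32}\z/', $ref)) {
        return null; // reject edited or malformed input before it reaches the database
    }
    // Ownership is part of the query, and both values are bound parameters.
    $stmt = $db->prepare('SELECT body FROM records WHERE public_ref = ? AND owner_id = ?');
    $stmt->execute([$ref, $sessionUserId]);
    $body = $stmt->fetchColumn();
    return $body === false ? null : (string) $body;
}

// Demonstration: user 10 is logged in (the user ID comes from the session, never the URL).
$refs = $db->query('SELECT owner_id, public_ref FROM records')->fetchAll(PDO::FETCH_KEY_PAIR);
$cases = [
    'own record'            => $refs[10],
    "another user's record" => $refs[12],
    'guessed number'        => '12',
];
foreach ($cases as $label => $ref) {
    $body = fetchOwnedRecord($db, 10, $ref);
    echo str_pad($label, 24), $body ?? '404 Not Found', PHP_EOL;
}
```

The random reference only makes guessing impractical; the `owner_id` condition is what stops a user who obtains someone else's reference, so it stays in place whichever form of identifier the URL carries.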
 
