We're designing an HTTP service with an external API, which will need to store some items that external API consumers might need to retrieve later on. Everything is stored in a table foos, and the current plan is to just use the table's primary ID key as the external unique identifier. My gut tells me this is bad design, but I've not been able to argue my case effectively, partially because I can't articulate the reasons.
Here are the only downsides I can think of so far:
Are there other major downsides, or am I just being paranoid? Would also appreciate some links to published articles which talk about this!
I'm going to go ahead and say that if your database is locked down then this does not matter unless:
What I'm sure you already realize is that taking measures against SQL injection will prevent anyone from taking advantage of this information; however, knowing an index range could mean that someone will know that 1 less or 1 more in an index range is a tangible key to be used to access your API.
If you can access your API through a URL without being logged in, then using an index range is bad.
http://mysite.com?APIkey=145
If I know my key is 145, then 144 and 146 probably would also work to make a call.
Using a GUID scheme is a way to deal with this, but with it you are making other sacrifices:
ID (index): 145
ID (GUID): C87FC84A-EE47-47EE-842C-29E969AC5131
Or finally, you can add another column to save a random hash as a unique API key like you said:
ID (Hash): da39a3ee5e6b4b0d3255bfef95601890afd80709
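The following is an added example, not code from the question or the answer above, illustrating the three identifier schemes the answer lists side by side. It keeps the integer primary key for the database, stores a GUID and a random API key in separate columns, and then simulates the attacker the answer describes: given one known identifier, try "1 less or 1 more". The table name foos comes from the question; the column names guid, api_key and payload, the helper function names, and the in-memory SQLite store are assumptions made for this example.

```python
import secrets
import sqlite3
import uuid


def make_store():
    """In-memory SQLite table shaped like the question's foos table (constructed for this example).

    The integer primary key stays internal; the GUID and the random API key are
    the two candidate external identifiers from the answer.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE foos (
               id      INTEGER PRIMARY KEY AUTOINCREMENT,
               guid    TEXT UNIQUE NOT NULL,
               api_key TEXT UNIQUE NOT NULL,
               payload TEXT NOT NULL)"""
    )
    return conn


def insert_foo(conn, payload):
    """Store an item and return (internal_id, guid, api_key)."""
    guid = str(uuid.uuid4())          # random (version 4) UUID, 122 random bits
    api_key = secrets.token_hex(20)   # 160 random bits as 40 hex chars, same shape as the answer's hash example
    cur = conn.execute(
        "INSERT INTO foos (guid, api_key, payload) VALUES (?, ?, ?)",
        (guid, api_key, payload),
    )
    return cur.lastrowid, guid, api_key


def lookup_by_id(conn, row_id):
    """Lookup the way the question's current plan would expose it: by the primary key."""
    row = conn.execute("SELECT payload FROM foos WHERE id = ?", (row_id,)).fetchone()
    return row[0] if row else None


def lookup_by_key(conn, api_key):
    """Lookup by the random API key column (the answer's last option)."""
    row = conn.execute("SELECT payload FROM foos WHERE api_key = ?", (api_key,)).fetchone()
    return row[0] if row else None


def lookup_by_guid(conn, guid):
    """Lookup by the GUID column (the answer's middle option)."""
    row = conn.execute("SELECT payload FROM foos WHERE guid = ?", (guid,)).fetchone()
    return row[0] if row else None


def neighbour_hits(conn, known_id):
    """The attack from the answer: knowing id 145, try 144 and 146.

    Returns the list of neighbouring integer ids that resolve to a real item.
    """
    return [n for n in (known_id - 1, known_id + 1) if lookup_by_id(conn, n) is not None]


def neighbour_hits_random_key(conn, known_key, tries=100):
    """Same attack against a random 160-bit key: step the key's integer value up and down.

    With 2**160 possible keys and a handful of rows, a hit is astronomically unlikely,
    which is exactly why the random column resists enumeration.
    """
    base = int(known_key, 16)
    hits = 0
    for delta in range(1, tries + 1):
        for candidate in (base - delta, base + delta):
            if candidate < 0:
                continue
            if lookup_by_key(conn, format(candidate, "040x")) is not None:
                hits += 1
    return hits


if __name__ == "__main__":
    conn = make_store()
    rows = [insert_foo(conn, f"item {i}") for i in range(3)]  # constructed sample items
    internal_id, guid, api_key = rows[1]
    print("sequential id", internal_id, "-> neighbours that also work:", neighbour_hits(conn, internal_id))
    print("random key", api_key, "-> neighbours that also work:",
          neighbour_hits_random_key(conn, api_key))
    print("guid lookup:", lookup_by_guid(conn, guid))
```

Two practical notes on the last option: generate the key with a cryptographically secure source (secrets, not random), and treat it as a bearer secret. If the API key alone grants access, consider storing only a hash of it in the api_key column and hashing the presented value before the lookup, so a database read does not hand out every live key.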