Is it a bad practice to expose DB internal IDs in URLs?
For example, suppose I have a users table with some IDs (primary key) for each row. Would exposing the URL myapp.com/accountInfo.html?userId=5, where 5 is an actual primary key, be considered a "bad thing" and why?
Also assume that we properly defend against SQL injections.
I am mostly interested in answers related to the Java web technology stack (hence the java tag), but general answers will also be very helpful.
Thanks.
To use the database ID in URLs is good, because this ID should never change in an object's (DB row's) life. Thus the URL is durable - the most important aspect of a URL. See also Cool URIs don't change.
It isn't a bad thing to pass through in the URL, as it doesn't mean much to the end user - it's only bad if you rely on that value in the running of your application. For example, you don't want the user to notice that userId=5 and change it to userId=10 to display the account of another person.
It would be much safer to store this information in a session on the server. For example, when the user logs in, their userID value is stored in the session on the server, and you use this value whenever you query the database. If you do it this way, there usually wouldn't be any need to pass through the userID in the URL, however it wouldn't hurt because it isn't used by your DB-querying code.
That depends on the way you parse the URL. If you allow blind SQL injections, that is bad. You only have to validate the id from the user input.
Stack Exchange also puts the id of the row into the URL, as you can see in your address bar. The trick is to parse that part and get rid of all possible SQL. The simplest way is to check that the id is a number.
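The two checks the answers above describe (the user ID kept in the server-side session decides access, and the id from the URL is accepted only if it is a number) can be combined as in the following added example, which is not part of the original question or answers. The class name, the in-memory USERS map standing in for the users table, and the response strings are assumptions made for illustration.

```java
import java.util.Map;
import java.util.Optional;

public class AccountInfoAccess {
    // Constructed sample data standing in for the users table (primary key -> name).
    static final Map<Long, String> USERS = Map.of(5L, "alice", 10L, "bob");

    /** Parse the userId query parameter strictly: 1 to 18 ASCII digits, nothing else. */
    static Optional<Long> parseId(String raw) {
        if (raw == null || !raw.matches("[0-9]{1,18}")) {
            return Optional.empty();
        }
        return Optional.of(Long.parseLong(raw)); // 18 digits always fit in a long
    }

    /**
     * Decide what accountInfo.html returns (hypothetical handler).
     * sessionUserId is the value stored server-side at login (null if not logged in);
     * rawParam is the untrusted userId taken from the URL.
     */
    static String handle(Long sessionUserId, String rawParam) {
        if (sessionUserId == null) {
            return "401 login required";
        }
        Optional<Long> requested = parseId(rawParam);
        if (requested.isEmpty()) {
            return "400 bad userId";
        }
        // Ownership check: the URL value only names a record, the session decides access.
        // "Not yours" and "does not exist" get the same response, so the reply
        // does not reveal which IDs exist.
        if (!requested.get().equals(sessionUserId) || !USERS.containsKey(sessionUserId)) {
            return "404 not found";
        }
        // The lookup uses the session value, never the raw URL parameter.
        return "200 account of " + USERS.get(sessionUserId);
    }

    public static void main(String[] args) {
        System.out.println(handle(5L, "5"));   // logged-in user asks for own record
        System.out.println(handle(5L, "10"));  // userId in the URL changed to another user
        System.out.println(handle(5L, "5x"));  // parameter is not a number
        System.out.println(handle(null, "5")); // no session
    }
}
```

In a servlet, sessionUserId would come from the HttpSession attribute set at login and rawParam from request.getParameter("userId"); the database query should still use a PreparedStatement with the parsed long bound as a parameter.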