Is it a security risk to show the actual id, auto incremented by the database, to the user? Can you give some practical examples of dangerous things people can do with it?
No, it is used in many contexts.
If your website is vulnerable in another way, say SQL injection or XSS, they can maybe use the id to do something harmful. But never with the id alone.
Just by looking at your profile here at SO, your id is 243414.
I'm not aware of any reason exposing the row id to the user is inherently insecure. Pretty much all web frameworks do this at some point.
Using an incrementing integer id exposes some information about the underlying data. Most importantly they are generally sequential so a potential attacker can predict ids that will likely be valid. However, if you are allowing a user to request data from your app for an id he might not have permission to see, then there are probably larger security issues with your app. If you are properly restricting access, or access to record data doesn't need to be restricted, then exposing the id doesn't pose much (if any) risk.
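The access restriction described in the answer above, as an added example that is not part of the original answers: a record lookup by auto-increment id without and with an ownership check. The `INVOICES` data, the user names and all function names are hypothetical.

```python
# Constructed sample data: invoices keyed by an auto-increment id (hypothetical schema).
INVOICES = {
    101: {"owner": "alice", "total": 40},
    102: {"owner": "bob", "total": 75},
    103: {"owner": "alice", "total": 12},
}


class NotFound(Exception):
    """Raised for both missing and forbidden records, so the response
    does not reveal which ids exist."""


def get_invoice_unchecked(invoice_id):
    # Weak: trusts the id from the request; any valid id returns a record.
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id) from None


def get_invoice(current_user, invoice_id):
    # Hardened: the lookup is scoped to the authenticated user, so knowing
    # or predicting an id grants nothing by itself.
    record = INVOICES.get(invoice_id)
    if record is None or record["owner"] != current_user:
        raise NotFound(invoice_id)
    return record


def served_ids(current_user, candidate_ids, lookup):
    # Audit helper: which of the candidate ids the given lookup serves to this user.
    served = []
    for invoice_id in candidate_ids:
        try:
            lookup(current_user, invoice_id)
            served.append(invoice_id)
        except NotFound:
            pass
    return served


if __name__ == "__main__":
    ids = range(100, 105)
    print(served_ids("alice", ids, lambda user, i: get_invoice_unchecked(i)))
    print(served_ids("alice", ids, get_invoice))
```

With the ownership check in place, the sequential ids stay visible to users but each user is only served their own rows.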
It's not dangerous alone.
If your system has any exploit, the id can help them.
But don't forget, if your system is vulnerable, any information is dangerous; the id just makes it easier.