What are some techniques for stored database keys in URL

Question

I have read that using database keys in a URL is a bad thing to do.

For instance,

My table has 3 fields: ID:int, Title:nvarchar(5), Description:Text

I want to create a page that displays a record. Something like ...

http://server/viewitem.aspx?id=1234

1. First off, could someone elaborate on why this is a bad thing to do?

2. and secondly, what are some ways to work around using primary keys in a url?

Answer 1

I think it's perfectly reasonable to use primary keys in the URL.

Some considerations, however:

1) Avoid SQL injection attacks. If you just blindly accept the value of the id URL parameter and pass it into the DB, you are at risk. Make sure you sanitise the input so that it matches whatever format of key you have (e.g. strip any non-numeric characters).

2) SEO. It helps if your URL contains some context about the item (e.g. "big fluffy rabbit" rather than 1234). This helps search engines see that your page is relevant. It can also be useful for your users (I can tell from my browser history which record is which without having to remember a number).