Backend
Pavel, 2017-10-16 14:28:42

Why is it unsafe to show the user ID in the URL, and how can I replace it?

Actually, the essence of the question is this. There is, for example, a link to a user profile, site.com/user/123, where 123 is the id in the database. Why is it unsafe to do so, and what identifier can be used instead of the id?


6 answers
ThunderCat, 2017-10-16
@Palych_tw

This facilitates attacks using mass assignment, as a friend recently wrote; you can either replace it with a unique nickname (and then it also looks nice), or think about protection against such attacks in advance.
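As an added illustration of the mass-assignment risk this answer refers to (example code written for this page, not the answer author's; the User model, the field names and the request payloads are constructed for it):

```python
# Added example: a profile-update handler that binds every request field to
# the model (vulnerable) beside one that binds only an allowlist (hardened).
# User, EDITABLE_FIELDS and the payloads are assumptions of this example.
from dataclasses import dataclass


@dataclass
class User:
    id: int
    name: str
    email: str
    is_admin: bool = False


def update_profile_vulnerable(user: User, payload: dict) -> User:
    # Every key in the request body is written straight onto the model.
    # An attacker who knows the id scheme from the URL and the model's field
    # names can add "id" or "is_admin" to an otherwise normal update.
    for key, value in payload.items():
        if hasattr(user, key):
            setattr(user, key, value)
    return user


EDITABLE_FIELDS = frozenset({"name", "email"})


def update_profile_safe(user: User, payload: dict) -> User:
    # Only fields the user is allowed to edit are bound; anything else is
    # rejected outright rather than silently ignored, so probing is visible.
    unexpected = set(payload) - EDITABLE_FIELDS
    if unexpected:
        raise ValueError(f"fields not allowed: {sorted(unexpected)}")
    for key in EDITABLE_FIELDS & set(payload):
        setattr(user, key, payload[key])
    return user


def demo():
    # Constructed malicious payload: a normal rename plus two fields the
    # client must never control.
    malicious = {"name": "Mallory", "id": 1, "is_admin": True}
    victim = update_profile_vulnerable(User(123, "Alice", "a@example.com"), dict(malicious))
    try:
        update_profile_safe(User(123, "Alice", "a@example.com"), dict(malicious))
        blocked = False
    except ValueError:
        blocked = True
    return victim, blocked


if __name__ == "__main__":
    print(demo())
```

The allowlist is the fix; changing the URL identifier only hides which row the attacker would target.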

Alexander Taratin, 2017-10-16
@Taraflex

Just give users ids that are out of order.
Generation of 1 million tickets with random unique IDs

x67, 2017-10-16
@x67

Use a hash of a unique name + salt, or a UUID; they will last a long time.
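Added example covering both the "ids out of order" answer above and this one: three ways to mint a non-sequential public identifier (random token, UUID, keyed hash of the internal id) plus the lookup table that maps it back to the row. This is code written for this page, not any answerer's; UserStore and the key name are assumptions.

```python
# Added example: non-sequential public identifiers for /user/<public_id>.
# UserStore is an in-memory stand-in for a users table with a public_id column.
import base64
import hashlib
import hmac
import secrets
import uuid
from typing import Optional


def new_random_public_id() -> str:
    # 128 bits of entropy, 22 URL-safe characters, nothing to count up from.
    return secrets.token_urlsafe(16)


def new_uuid_public_id() -> str:
    # UUID version 4 is also random; 36 characters, natively typed in most DBs.
    return str(uuid.uuid4())


def naive_hash_id(internal_id: int) -> str:
    # "Hash the id" without a secret: an attacker can compute sha256("124")
    # for the next row just as easily as the server can, so it is still enumerable.
    return hashlib.sha256(str(internal_id).encode()).hexdigest()


def keyed_public_id(internal_id: int, key: bytes) -> str:
    # HMAC over the internal id with a server-side key: stable per user, but
    # the next value cannot be derived without the key. Truncated to 128 bits.
    digest = hmac.new(key, str(internal_id).encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest[:16]).rstrip(b"=").decode()


class UserStore:
    """Constructed stand-in for a users table; the real id never leaves it."""

    def __init__(self) -> None:
        self._next_id = 1
        self._by_internal: dict = {}
        self._by_public: dict = {}

    def create(self, name: str) -> str:
        internal = self._next_id
        self._next_id += 1
        public = new_random_public_id()
        while public in self._by_public:  # collision is negligible, but checked
            public = new_random_public_id()
        self._by_internal[internal] = {"id": internal, "public_id": public, "name": name}
        self._by_public[public] = internal
        return public

    def by_public_id(self, public: str) -> Optional[dict]:
        internal = self._by_public.get(public)
        return None if internal is None else self._by_internal[internal]


if __name__ == "__main__":
    store = UserStore()
    pid = store.create("alice")
    print(pid, store.by_public_id(pid))
    print(keyed_public_id(123, b"server-secret"))
```

A random token or UUID needs an extra indexed column; the keyed hash needs none but reveals the row if the key ever leaks, so rotate it like any other secret. None of these replaces the authorization check on the resource itself.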

eRKa, 2017-10-16
@kttotto

There is a convention that it is not recommended to show the real id on the client. In that case another field is added, most often a GUID, and if some identifier needs to be shown on the client, that one is shown.

Sergey, 2017-10-17
@mr_jumper

Example: vk.com. They expose the user id. And at the dawn of its existence, it was possible to take this id and see any user's photos.
It is important to use these ids thoughtfully.
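Added example of the check whose absence produces the kind of bug this answer describes: a photo handler that only checks existence beside one that also checks who is asking. The code is written for this page, not taken from vk.com or the answer author; the photos, friend list and visibility levels are constructed.

```python
# Added example: insecure direct object reference (IDOR) on a photo id,
# and the authorization check that closes it. All data is constructed.
from dataclasses import dataclass
from enum import Enum


class Visibility(Enum):
    PUBLIC = "public"
    FRIENDS = "friends"
    PRIVATE = "private"


@dataclass(frozen=True)
class Photo:
    id: int
    owner_id: int
    visibility: Visibility


class NotFound(Exception):
    """Raised for missing and for forbidden photos alike."""


PHOTOS = {
    10: Photo(10, owner_id=1, visibility=Visibility.PUBLIC),
    11: Photo(11, owner_id=1, visibility=Visibility.FRIENDS),
    12: Photo(12, owner_id=1, visibility=Visibility.PRIVATE),
}
FRIENDS = {1: {2}, 2: {1}}  # users 1 and 2 are friends; user 3 is a stranger


def get_photo_vulnerable(photo_id: int, viewer_id: int) -> Photo:
    # Authentication happened, authorization did not: any logged-in viewer
    # who can count walks every photo id in the table.
    return PHOTOS[photo_id]


def can_view(photo: Photo, viewer_id: int) -> bool:
    if viewer_id == photo.owner_id:
        return True
    if photo.visibility is Visibility.PUBLIC:
        return True
    if photo.visibility is Visibility.FRIENDS:
        return viewer_id in FRIENDS.get(photo.owner_id, set())
    return False


def get_photo_safe(photo_id: int, viewer_id: int) -> Photo:
    photo = PHOTOS.get(photo_id)
    if photo is None or not can_view(photo, viewer_id):
        # Same answer for "does not exist" and "not yours": a distinct 403
        # would tell an enumerating client which ids are real.
        raise NotFound(photo_id)
    return photo


if __name__ == "__main__":
    print(get_photo_vulnerable(12, 3))  # stranger reads a private photo
    try:
        get_photo_safe(12, 3)
    except NotFound as e:
        print("blocked:", e)
```

Whether the id in the URL is 123 or a UUID, the lookup has to ask "may this viewer see this object"; an unguessable id only makes blind enumeration slower.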

Psq, 2017-10-17
@Psq

If you use this parameter in GET requests, cast it to an int when processing it, to avoid a number of SQL injections.
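Added example of what this answer's cast buys, and of the bound parameter that does the same job without depending on the column being an integer. Code written for this page, not the answer author's; the SQLite table and the query strings are constructed.

```python
# Added example: an id from the query string spliced into SQL (vulnerable),
# the int cast this answer suggests, and a parameterized query.
# The users table is created in memory for illustration.
import sqlite3
from typing import Optional


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            (1, "alice", "alice@example.com"),
            (2, "bob", "bob@example.com"),
            (3, "carol", "carol@example.com"),
        ],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, raw_id: str) -> list:
    # ?id=1 OR 1=1 returns the whole table; a UNION against another table is next.
    return conn.execute(f"SELECT id, name FROM users WHERE id = {raw_id}").fetchall()


def parse_id(raw_id: str) -> Optional[int]:
    # The cast: anything that is not a positive integer is rejected before
    # it gets near the query.
    try:
        value = int(raw_id)
    except ValueError:
        return None
    return value if value > 0 else None


def find_user_int_cast(conn: sqlite3.Connection, raw_id: str) -> Optional[list]:
    user_id = parse_id(raw_id)
    if user_id is None:
        return None  # a real handler answers 400 here
    # Safe only because user_id is now an int; the f-string pattern itself
    # is the habit that bites on the first text column.
    return conn.execute(f"SELECT id, name FROM users WHERE id = {user_id}").fetchall()


def find_user_param(conn: sqlite3.Connection, raw_id: str) -> Optional[list]:
    user_id = parse_id(raw_id)
    if user_id is None:
        return None
    # Bound parameter: the driver sends the value separately from the SQL,
    # so no value can change the query's structure.
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchall()


if __name__ == "__main__":
    db = setup_db()
    print(find_user_vulnerable(db, "1 OR 1=1"))
    print(find_user_int_cast(db, "1 OR 1=1"))
    print(find_user_param(db, "2"))
```

Keep the cast for input validation and use the bound parameter for the query; the two protect against different mistakes.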
