Question

I remember seeing somebody say something in some comments somewhere that it isn't very safe to expose the id of a model record to a web page. I tried looking for some ways around it but couldn't find any specific documentation on the likes.

Does anybody know about why this is and whether or not it should be avoided? Also how it might be avoided?


Solution

The only thing a hacker can do with an ID is look it up in your database, and if they can do that, you are already hosed anyway. That's why such IDs are called "fictitious", because they don't relate to anything else in reality, such as a Social Security Number.

Sometimes you should, and sometimes you should not, put an ID into a URI - http://example.com/myController/42. If you do that, secure your page so unauthorized users cannot trivially change the number and see what records they can find. But you need that security anyway, even if you use a "slug" to find records, because users can poke around looking for different slugs. The main reason not to use /42 is URIs are part of your usability envelope, and they should be literate and user-friendly.

And I put database IDs inside HTML IDs all the time, to make them unique, such as <input type="text" name="username" id="username_42" />. That's still just as secure.

OTHER TIPS

It isn't. Your user ID is at the link in your name here at this question and the question ID is just up there in the URL. The only thing that is unsafe is if you allow people that know the IDs but should not have access to do stuff you didn't want them to do.

Safety is built into your app, not if you're showing IDs of your models or not.
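
Both answers above come down to a per-record authorization check. The following is an added example, not code from either answer: it shows in plain Ruby an unscoped lookup next to one scoped to the current user. The Invoice and User structs, the sample records and all method names are constructed for illustration.

```ruby
# Constructed sample data: records keyed by sequential database id.
Invoice = Struct.new(:id, :slug, :owner_id)
User    = Struct.new(:id)

INVOICES = [
  Invoice.new(41, "acme-march",   1),
  Invoice.new(42, "globex-march", 2),
  Invoice.new(43, "acme-april",   1),
].freeze

# Unscoped: trusts the id taken from the URL, so any logged-in user
# who changes /41 to /42 is handed another user's record.
def show_unscoped(_user, id)
  record = INVOICES.find { |r| r.id == id }
  record ? [200, record] : [404, nil]
end

# Scoped: every lookup starts from the set of records the caller may read.
def visible_to(user)
  INVOICES.select { |r| r.owner_id == user.id }
end

# A record the caller may not read gets the same 404 as a missing one,
# so the response does not reveal which ids exist.
def show_by_id(user, id)
  record = visible_to(user).find { |r| r.id == id }
  record ? [200, record] : [404, nil]
end

# A slug is only a different lookup key and needs the same scoping.
def show_by_slug(user, slug)
  record = visible_to(user).find { |r| r.slug == slug }
  record ? [200, record] : [404, nil]
end

# Request every id in a range as one user and list the ids that return 200.
def readable_ids(user, range, handler)
  range.select { |id| send(handler, user, id).first == 200 }
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new(1)
  puts "unscoped: #{readable_ids(alice, 40..45, :show_unscoped).inspect}"
  puts "scoped:   #{readable_ids(alice, 40..45, :show_by_id).inspect}"
end
```

With the scoped lookup, the id in the URL can stay visible: changing it only ever reaches records the caller already owns.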

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow