Hi, apologies if I make any cardinal errors in question asking, this is my first post.

Building a simple app in PHP where the user has permissions to a number of different sets of data which are held in a db with corresponding IDs. Currently I have the user switching the set of data they are viewing by choosing a set from a dropdown. My security knowledge being somewhat weak leads to my question: is it inherently bad to expose actual row IDs from a database to the outside world?

In this case it would appear in the form: http://www.***app.com/app.php?currentDataSetID=44

Thanks for input (and again apologies for any noobesqueness in the question). SO rocks.

+4  A: 

This is usually perfectly fine. As you can see in the question URL, Stack Overflow does the same thing!

You need to concentrate on making sure that nobody without the right permissions can actually access ID 44 even if they enter the correct URL.

Pekka
Great - thanks for the input
tom_j
A: 

Usually a user's access to data is based on sessions or cookies. Sessions are stored on the server side, cookies in the user's browser. So you can expose the user's ID in the URL, but take care that only a user with the appropriate cookie can access his/her data. Try searching Google for "php cookie based login".

ivan73
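
The check both answers describe, as an added example that is not part of the original thread: the ID from the URL is validated as an integer and the row is returned only when the logged-in user has a permission entry for it. The table names, column names, sample rows and the `loadDataSetForUser` helper are assumptions made for illustration; an in-memory SQLite database is used so the script runs on its own.

```php
<?php
// Constructed schema and rows (assumed names, not from the original post).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE data_sets (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec('CREATE TABLE user_data_sets (user_id INTEGER, data_set_id INTEGER)');
$pdo->exec("INSERT INTO data_sets VALUES (44, 'Set A'), (45, 'Set B')");
$pdo->exec('INSERT INTO user_data_sets VALUES (1, 44), (2, 45)');

/**
 * Hypothetical helper: return the data set row only if $userId has a
 * permission entry for it; otherwise return null.
 */
function loadDataSetForUser(PDO $pdo, int $userId, $rawId): ?array
{
    // Accept only a positive integer; anything else is treated as "not found".
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // The permission check is part of the query, so a row the user
    // may not see is never fetched at all.
    $stmt = $pdo->prepare(
        'SELECT d.id, d.name
           FROM data_sets d
           JOIN user_data_sets u ON u.data_set_id = d.id
          WHERE d.id = :id AND u.user_id = :uid'
    );
    $stmt->execute([':id' => $id, ':uid' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// In app.php the user id would come from the server-side session and the
// data set id from the query string:
//   session_start();
//   $row = loadDataSetForUser($pdo, (int) $_SESSION['user_id'], $_GET['currentDataSetID'] ?? null);
//   if ($row === null) { http_response_code(404); exit; }

// Simulated requests against the constructed rows:
var_dump(loadDataSetForUser($pdo, 1, '44'));        // user with a permission entry for set 44
var_dump(loadDataSetForUser($pdo, 2, '44'));        // user without a permission entry for set 44
var_dump(loadDataSetForUser($pdo, 1, '44 OR 1=1')); // input that is not an integer
```

Answering "no permission" and "no such row" with the same 404 means the response does not reveal which IDs exist.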