I have an HTML list whose <ul> items have ids the same as the primary keys in the database table. Is it generally acceptable to expose the primary keys for this purpose? If not, what efficient methods can be used to mask them?
IDs should not start with numbers.
http://www.w3schools.com/tags/att_standard_id.asp
If you can add something to it, it really shouldn't be a problem. Security-wise, I don't think using the ID is enough of a risk to worry about.
I've seen many people using this strategy, and I think it works quite well. You can 'obscure' the ids if you want to, but what is your security issue?
Using the primary IDs is entirely fine unless you don't want to expose the IDs for security reasons.
What is the penalty for exposing database keys to the user? If there is none, then go ahead and expose them. If there is a penalty (usually indicating bigger security issues), then you can encrypt them.
(you might find it instructive to look at the page source for SO)
There's generally no problem with this, if your site is otherwise secure. Anyone who can access a primary key shouldn't be able to do anything with that knowledge. If you're relying on them being a secret, that's security through obscurity, which isn't much security at all.
However, if your primary keys are numeric, they are not valid element IDs. Element IDs must begin with a letter (src). You can do, e.g.
<span id="foo-<%= Model.PrimaryKey %>"></span>
No security measures are 100% fireproof. All else being equal, having multiple layers of security is better than a single one. Whether it's worthwhile to spend time obfuscating or encrypting the IDs depends on how valuable your data is, and therefore how determined any hackers are likely to be. In other words, how much would it hurt your company if the database were compromised?
However I think if someone gained enough access to your db that they were able to run queries against it that could take advantage of a primary key, they probably could run queries that could expose primary keys. So obfuscating keys is more likely to slow hackers down than stop them.
Still, it doesn't hurt to obfuscate them, as long as you make sure the obfuscated strings are unique. And in order to be effective, you should make it difficult to derive the primary key from the obfuscated id.
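The two answers above that suggest encrypting or obfuscating the keys leave open how to get the properties they ask for: every token must be unique, the primary key must not be derivable without the secret, and a forged token should be rejected. The following is an added example, not code from the question or any answer, showing one way to do that in Python using only the standard library: a four-round Feistel network with HMAC-SHA256 as the round function turns a 64-bit block into a keyed permutation (so tokens are unique and reversible), the upper 32 bits of the block are fixed to zero as redundancy (so a tampered token almost always fails to decode), and the result is base32-encoded for use in URLs and, with a letter prefix as the answer above suggests, in element ids. The key, the sample rows and the `ITEMS`/`fetch_item` names are constructed for the example. The lookup at the end makes the point from the other answer concrete: the token is only a handle, and the authorization check on the row is what actually protects it.

```python
import base64
import hashlib
import hmac

# Constructed for this example; a real deployment loads the key from configuration.
KEY = b"example-key-do-not-use-in-production"
ROUNDS = 4
MASK32 = 0xFFFFFFFF
TOKEN_LEN = 13  # 8 bytes in base32 without padding


def _round(key, i, half):
    """Keyed round function: HMAC-SHA256 over (round index, 32-bit half), truncated to 32 bits."""
    msg = bytes([i]) + half.to_bytes(4, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")


def _encrypt(block, key=KEY):
    """Feistel forward pass over a 64-bit block; a bijection, so distinct inputs give distinct outputs."""
    left, right = block >> 32, block & MASK32
    for i in range(ROUNDS):
        left, right = right, left ^ _round(key, i, right)
    return (left << 32) | right


def _decrypt(block, key=KEY):
    """Feistel inverse: same rounds in reverse order."""
    left, right = block >> 32, block & MASK32
    for i in reversed(range(ROUNDS)):
        left, right = right ^ _round(key, i, left), left
    return (left << 32) | right


def encode_id(pk):
    """Turn a 32-bit primary key into an opaque 13-character token (upper 32 bits are zero redundancy)."""
    if not 0 <= pk <= MASK32:
        raise ValueError("primary key out of range")
    ct = _encrypt(pk)
    return base64.b32encode(ct.to_bytes(8, "big")).decode().rstrip("=").lower()


def decode_id(token):
    """Recover the primary key; a token that was not produced with the key fails the redundancy check."""
    if len(token) != TOKEN_LEN:
        raise ValueError("malformed token")
    try:
        raw = base64.b32decode(token.upper() + "===")
    except ValueError:
        raise ValueError("malformed token")
    block = _decrypt(int.from_bytes(raw, "big"))
    if block >> 32 != 0:
        raise ValueError("invalid token")
    return block & MASK32


def element_id(pk):
    """Element id usable in HTML 4 as well as HTML5: the letter prefix avoids a leading digit."""
    return "item-" + encode_id(pk)


# Constructed sample rows standing in for the database table.
ITEMS = {
    1: {"owner": "alice", "title": "Q3 report"},
    2: {"owner": "bob", "title": "Draft memo"},
}


def fetch_item(token, current_user):
    """Resolve a token and enforce ownership: obscuring the key is not a substitute for this check."""
    try:
        pk = decode_id(token)
    except ValueError:
        return None
    row = ITEMS.get(pk)
    if row is None or row["owner"] != current_user:
        return None
    return row
```

Because the transform is a keyed permutation, two different keys give two different token sets, so rotating the key invalidates every token in circulation; if that matters, keep a key version in the prefix. Since tokens are only 64 bits, an attacker can still guess them, which is why `fetch_item` checks the owner rather than trusting the token.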
I see a few people saying that "IDs can't start with a number", but actually that's not true anymore in HTML5:
http://mathiasbynens.be/notes/html5-id-class
So, if you use HTML5 (no reason not to), you won't have to worry about that.