views:

354

answers:

4

I am using PHP, AS3 and mysql.

I have a website. A flash(as3) website. The flash website store the members' information in mysql database through php. In "members" table, i have "id" as the primary key and "username" as a unique field.

Now my situation is: When flash want to display a member's profile. My questions:

  1. Should Flash pass the member "ID" or "username" to php to process the mysql query?

  2. Is there any different passing the "id" or "username"?

  3. Which one is more secure?

  4. Which one you recommend?

I would like to optimize my website in terms of security and performance.

+1  A: 

Probably you should get intimately familiar with "PHP Sessions", maybe using a framework that already has this in place, because it's non-trivial and you don't want to mess it up. The session management software will then handle all this for you, including login screens, "I forgot my password", etc.

Then you can focus your attention on what your site is really primarily there for.

Sounds like fun (actionscript + php + mysql) - good luck!

le dorfier
um.. I am not going to use any framework, because I already start this project half-way. I afraid I need to take sometimes to pick up the framework. Do you refer to zend framework? or CakePhp?
roa3
Nothing that heavy, something that can be used to just handle sessions with a mysql database. Google for "php session manager". Or at least work through a PHP sessions tutorial. I think you'll see where the appropriate interfaces lie, but you do need to do this in the context of sessions.
le dorfier
The basic answer to your question is that the PHP session handler will end up passing user identity info around for you.
le dorfier
alright.. I will give it a try, google "php session manager" see if its can help.. Thanks anyway, voted up
roa3
+5  A: 

The primary key is always the safest method for identifying database rows. For instance, you may later change your mind and allow duplicate usernames.

Depending on how your ActionScript is communicating with PHP, it will likely also require sending fewer bytes if you send an integer ID in your request rather than a username.

Ron DeVera
+5  A: 

1) Neither is inarguably the thing it should do.

2) The ID is probably shorter and minisculely faster to look up. The ID gives away slightly more information about your system; if you know that a site uses serial IDs at all, and you know what one of them is, that's pretty much as good as knowing all of them, whereas knowing one username does not tell you the usernames of any other users. On the other hand, the username is more revelatory of the user's psychology and may constitute a password hint.

3) Both have extremely marginal downfalls, as described in item 2.

4) I'd use the ID.

chaos
+1  A: 

Arguments for passing id number:

  • People never change their id. People do change their names. For a casual games site with disposable accounts, that might not be a problem, but for long-term registered users it can be. I've had to handle a demand by an upset woman that her ex-husband's surname be purged from her user name. A process for doing this had to be rapidly established!

  • Shorter

  • Easier to index and partition.

Arguments for passing user name:

  • Slightly harder (but not impossible) to guess a legal, existing account - e.g. to peruse random people's records, if that's your thing.
Oddthinking
>>Slightly harder (but not impossible) to guess a legal, existing account - e.g. to peruse random people's records, if that's your thing.If information is not meant to be public it should be password protected. If it is public then guessing an ID doesn't matter.