Should I use "id" or "unique username"?

Question

I am using PHP, AS3 and mysql.

I have a website. A flash(as3) website. The flash website store the members' information in mysql database through php. In "members" table, i have "id" as the primary key and "username" as a unique field.

Now my situation is: When flash want to display a member's profile. My questions:

1. Should Flash pass the member "ID" or "username" to php to process the mysql query?

2. Is there any different passing the "id" or "username"?

3. Which one is more secure?

4. Which one you recommend?

I would like to optimize my website in terms of security and performance.

Answer 1

Probably you should get intimately familiar with "PHP Sessions", maybe using a framework that already has this in place, because it's non-trivial and you don't want to mess it up. The session management software will then handle all this for you, including login screens, "I forgot my password", etc.

Then you can focus your attention on what your site is really primarily there for.

Sounds like fun (actionscript + php + mysql) - good luck!

Answer 2

The primary key is always the safest method for identifying database rows. For instance, you may later change your mind and allow duplicate usernames.

Depending on how your ActionScript is communicating with PHP, it will likely also require sending fewer bytes if you send an integer ID in your request rather than a username.

Answer 3

1) Neither is inarguably the thing it should do.

2) The ID is probably shorter and minisculely faster to look up. The ID gives away slightly more information about your system; if you know that a site uses serial IDs at all, and you know what one of them is, that's pretty much as good as knowing all of them, whereas knowing one username does not tell you the usernames of any other users. On the other hand, the username is more revelatory of the user's psychology and may constitute a password hint.

3) Both have extremely marginal downfalls, as described in item 2.

4) I'd use the ID.

Answer 4

Arguments for passing id number:

• People never change their id. People do change their names. For a casual games site with disposable accounts, that might not be a problem, but for long-term registered users it can be. I've had to handle a demand by an upset woman that her ex-husband's surname be purged from her user name. A process for doing this had to be rapidly established!

• Shorter

• Easier to index and partition.

Arguments for passing user name:

• Slightly harder (but not impossible) to guess a legal, existing account - e.g. to peruse random people's records, if that's your thing.