I have a Products table in a SQL Server database; it has an ID column that contains uniqueidentifiers, and a ProductName column with VARCHAR(100). This table contains over 5000 entries.
Now on my Razor cshtml page, I have a drop-down that displays these Product names. The way I have done this is by binding the drop-down value field to the ID column and the display text to ProductName. This means that on the client side, if someone does a view source in their browser (or uses any HTTP sniffer etc.), they can see all the GUIDs associated with these Product names. Now when the user submits this information, I have set up a server-side validation, where I make sure that all the submitted GUIDs are
1) Valid GUIDs (not strings or anything else)
2) Submitted GUIDs exist among the IDs in Products. This ensures that any GUID that doesn't exist in Products.ID will not be processed.
Does the fact that a user can see this GUID data expose any security risks? Are there any better ways of handling this situation?
Assuming your database has foreign keys, this causes no security hole. Even if it has no foreign keys (between a product table and product orders), you can simply look for the product first. If it doesn’t exist, ignore the request.
So no, it's not a security hole – unless there is a security hole in the Guid parsing of the .NET framework.
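The two server-side checks the question describes (well-formed GUID first, then existence in Products.ID), as an added example that is not part of the original question or answer. It assumes ADO.NET's System.Data.SqlClient and the Products table with a uniqueidentifier ID column as the question states; the connection string and the `submitted` values are whatever the application passes in.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Linq;

public static class ProductIdValidator
{
    // Returns only the submitted values that are well-formed GUIDs AND exist
    // in Products.ID. Anything else is silently dropped before processing,
    // which is the "look for the product first, ignore if absent" approach.
    public static IReadOnlyList<Guid> FilterToExistingProducts(
        string connectionString, IEnumerable<string> submitted)
    {
        // Step 1: syntactic check. Guid.TryParse rejects anything that is not
        // a GUID, so no raw client string is ever placed in the query text.
        var candidates = new HashSet<Guid>();
        foreach (var raw in submitted ?? Enumerable.Empty<string>())
        {
            if (Guid.TryParse(raw, out var id))
                candidates.Add(id);
        }
        if (candidates.Count == 0)
            return Array.Empty<Guid>();

        // Step 2: existence check in one round trip, one SqlParameter per value
        // (never string concatenation of user input). SQL Server caps a command
        // at 2100 parameters, so batch if a form could legitimately exceed that.
        var names = candidates.Select((_, i) => "@p" + i).ToArray();
        var sql = "SELECT ID FROM Products WHERE ID IN (" + string.Join(",", names) + ")";

        var found = new List<Guid>();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            int i = 0;
            foreach (var id in candidates)
                cmd.Parameters.Add(names[i++], SqlDbType.UniqueIdentifier).Value = id;

            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    found.Add(reader.GetGuid(0)); // only IDs that really exist
            }
        }
        return found;
    }
}
```

Call it from the POST action with the posted values (for example `Request.Form["productIds"]`, a hypothetical field name) and process only the returned list; the count difference between input and output tells you how many submitted values were malformed or unknown, which is worth logging.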