Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Is it a security risk to expose the ID number of a SQL row?
For example, there is an event with an ID of 12.
Is it a security concern if someone accesses it via http://example.com/events/12, or someone makes a POST to http://example.com/events/12 in order to update that record (assuming I allow this of course)?
The problem of exposing ID’s to users is often referred to as “insecure direct object references” in a web security context.
From OWASP:
Preventing insecure direct object references requires selecting an approach for protecting each user accessible object (e.g., object number, filename):
attackers from directly targeting unauthorized resources. For
example, instead of using the resource’s database key, a drop down
list of six resources authorized for the current user could use the
numbers 1 to 6 to indicate which value the user selected. The
application has to map the per-user indirect reference back to the
actual database key on the server. OWASP’s ESAPI includes both
sequential and random access reference maps that developers can use
to eliminate direct object references.
untrusted source must include an access control check to ensure the
user is authorized for the requested object.
A defense in depth approach would be to do both 1 & 2.