Is it a security risk to show the actual id, auto incremented by the database, to the user? Can you give some practical examples of what people can do dangerous with it?
Share
Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Is it a security risk to show the actual id, auto incremented by the database, to the user? Can you give some practical examples of what people can do dangerous with it?
I’m not aware of any reason exposing the row id to the user is inherently insecure. Pretty much all web frameworks do this at some point.
Using an incrementing integer id exposes some information about the underlying data. Most importantly they are generally sequential so a potential attacker can predict ids that will likely be valid. However, if you are allowing a user to request data from your app for an id he might not have permission to see, then there are probably larger security issues with your app. If you are are properly restricting access, or access to record data doesn’t need to be restricted, then exposing the id doesn’t pose much (if any) risk.