Agreed, for MLS records, newspaper stories, blog entries etc. most likely there is no security issue with incrementing db ids in the url, and it might actually be useful in some cases as you pointed out. But substitute MLS for accounts, health records, employee records with salary information etc., and a potential issue appears for sites not having strong data/object level authorization.
I fully agree with other people (Cliff and Ned) on this thread that obfuscation should not be mistaken for real security, and I thank them for pointing this out as I might have made that mistake. But in my case, my decision is to go with both obfuscation of the id in the url and security through proper authentication and authorization. Security: the more levels you have, the harder and costlier it is to break.

Thanks,
Ashish

On Apr 12, 10:03 am, "James Bennett" <[EMAIL PROTECTED]> wrote:
> On Fri, Apr 11, 2008 at 6:28 PM, ydjango <[EMAIL PROTECTED]> wrote:
> > Currently I am constructing the url as /house/edit/123/
> > where 123 is the house database primary key for that house.
> >
> > Can exposing the primary key in the url be any security issue?
> >
> > (r'^house/edit/(\d+)/$',editHouse)
> >
> > Is there an alternative way without exposing the primary key in the url?
>
> There is no security issue unless you care about people knowing how
> many houses are in your system.
>
> However, if you're looking for an alternative, and if you have access
> to an MLS[1] or similar database, the listing number will be unique
> within a given MLS database. This makes for a useful identifier,
> particularly if your users are realtors or work in the real-estate
> industry since they'll already be familiar with the system and telling
> them to just visit "/house/<MLS number>/" is easy ;)
>
> [1]http://en.wikipedia.org/wiki/Multiple_Listing_Service
>
> --
> "Bureaucrat Conrad, you are technically correct -- the best kind of correct."
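The point Ashish makes above, that an incrementing id in the url is only a problem when the site lacks object-level authorization, is easiest to see side by side. The following is an added, framework-free example written for this page, not code from the thread or from Django: an in-memory House table standing in for the database, an edit view that trusts the number in the url (the hole), the same view with the lookup scoped to the requesting user's own rows (the fix), and a third variant that also replaces the sequential key with an unguessable public id, as a supplementary layer rather than a substitute for the ownership check. The `House` rows, usernames and the `can_edit` helper are constructed for the example; in a Django view the ownership-scoped lookup corresponds to `get_object_or_404(House, pk=pk, owner=request.user)`.

```python
"""Object-level authorization for /house/edit/<id>/ style urls.

Constructed example: an in-memory House table plus three versions of the
edit view. Only the requesting user's username is passed in, standing in
for request.user after authentication has already happened.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class House:
    pk: int            # sequential database primary key, as exposed in /house/edit/123/
    owner: str         # username of the user allowed to edit this row
    address: str
    # Opaque, non-sequential identifier usable in a url instead of pk.
    public_id: str = field(default_factory=lambda: secrets.token_urlsafe(12))


# Constructed sample rows standing in for the houses table.
HOUSES = {
    1: House(1, "alice", "1 Main St"),
    2: House(2, "bob", "2 Oak Ave"),
}
BY_PUBLIC_ID = {h.public_id: h for h in HOUSES.values()}


class NotFound(Exception):
    """Stands in for an HTTP 404 response."""


def edit_house_unchecked(user, pk):
    """The vulnerable shape: the row is fetched by the id in the url only,
    so any authenticated user can reach any house by changing the number.
    This is the object-level authorization gap the thread is about."""
    house = HOUSES.get(pk)
    if house is None:
        raise NotFound(pk)
    return house


def edit_house(user, pk):
    """Object-level authorization: the lookup is scoped to rows the user owns.
    Answering 'not found' for both a missing row and someone else's row avoids
    confirming to the caller that a given id exists."""
    house = HOUSES.get(pk)
    if house is None or house.owner != user:
        raise NotFound(pk)
    return house


def edit_house_by_public_id(user, public_id):
    """Same ownership check, but the url carries the opaque public id rather
    than the database key. The obfuscation hides row counts and stops simple
    enumeration; the ownership test is still what actually protects the data."""
    house = BY_PUBLIC_ID.get(public_id)
    if house is None or house.owner != user:
        raise NotFound(public_id)
    return house


def can_edit(view, user, ident):
    """Constructed helper for exercising the views: True when `view` lets
    `user` reach the house identified by `ident`, False when it returns 404."""
    try:
        view(user, ident)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    # Bob reaches Alice's house through the unchecked view but not the scoped ones.
    print("unchecked, bob -> house 1:", can_edit(edit_house_unchecked, "bob", 1))
    print("scoped,    bob -> house 1:", can_edit(edit_house, "bob", 1))
    print("scoped,  alice -> house 1:", can_edit(edit_house, "alice", 1))
    print("public id, bob -> alice's:", can_edit(edit_house_by_public_id, "bob", HOUSES[1].public_id))
```

Note that the scoped lookup is the control that matters: if `edit_house_by_public_id` dropped its `house.owner != user` test, the random id would only slow down discovery, not prevent a user who obtains someone else's url (a shared link, a log line, a referrer header) from editing that record.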