Thanks, I will use Slug, which will be unique and alphanumeric but will not be sequential.
I agree the best protection is proper authorization, and that I check on each page/request whether the user is authorized to view this data or not. I just hate the idea of some user just incrementing ids in the URL and trying to view data he is not supposed to (e.g. putting his boss's employee id in the URL to see his salary). I am restricting the data viewed through the use of restrictive parameters in queries, which can be defeated by changing the ids in the URL if I use primary ids.

thanks
Ashish

On Apr 11, 8:06 pm, Ned Batchelder <[EMAIL PROTECTED]> wrote:
> Strictly speaking, exposing the primary key is not a security issue.
> Primary keys are not a secret, just an id. You need to secure your data
> based on authenticated credentials and some sort of authorization system
> that controls who can do what with each piece of data.
>
> Some people don't like using sequential primary keys because they are
> exposing information about their system. For example, with your system,
> I can tell how many houses you have in your database by probing URLs. I
> guess you might consider that a security concern. If so, use a
> randomized slug as others have suggested.
>
> --Ned. http://nedbatchelder.com/blog
>
> ydjango wrote:
> > I am displaying a list of houses and on clicking on one of the houses
> > I want to show/edit details
> >
> > currently I am constructing the url as /house/edit/123/
> > where 123 is the house database primary key for that house.
> >
> > Can exposing the primary key in url be any security issue?
> >
> > (r'^house/edit/(\d+)/$',editHouse)
> >
> > Is there an alternative way without exposing the primary key in url?
> >
> > Ashish
>
> --
> Ned Batchelder, http://nedbatchelder.com

You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/django-users?hl=en
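A worked illustration of the point made in this exchange, added here and not code from the thread or from Django: a random alphanumeric slug only makes an identifier hard to guess, while scoping every lookup to the requesting user (the equivalent of `get_object_or_404(House, pk=pk, owner=request.user)`) is what actually stops one user from editing another user's house. The `HOUSES` rows, user names and the `get_house*` helpers are constructed stand-ins for a Django model and its ORM.

```python
import secrets
import string

# Constructed sample rows standing in for a House table; not real data.
HOUSES = [
    {"pk": 1, "slug": "k3Jd9QwXmP2a", "owner": "alice", "price": 250000},
    {"pk": 2, "slug": "Zp8LtR4vN1cB", "owner": "bob",   "price": 410000},
    {"pk": 3, "slug": "Qw2nM7sKd5Yh", "owner": "alice", "price": 320000},
]

ALPHABET = string.ascii_letters + string.digits


def make_slug(length=12):
    """Non-sequential, alphanumeric identifier: the 'slug' the thread settles on.
    62**12 possibilities, drawn from the OS CSPRNG, so the next id is not guessable."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class NotFound(Exception):
    """Stand-in for Django's Http404."""


def get_house_unscoped(lookup_field, value):
    """The pattern the poster fears: lookup by URL parameter with no owner filter.
    Any valid id (guessed or incremented) returns the row."""
    for house in HOUSES:
        if house[lookup_field] == value:
            return house
    raise NotFound(f"{lookup_field}={value!r}")


def get_house(user, lookup_field, value):
    """Object-level authorization: the query is restricted to the requesting user,
    mirroring get_object_or_404(House, **{lookup_field: value}, owner=request.user).
    The identifier type (pk or slug) only changes guessability, never access."""
    for house in HOUSES:
        if house[lookup_field] == value and house["owner"] == user:
            return house
    raise NotFound(f"{lookup_field}={value!r} for {user}")


def can_edit(user, lookup_field, value):
    """True if the scoped lookup would let `user` reach this row."""
    try:
        get_house(user, lookup_field, value)
        return True
    except NotFound:
        return False


def visible_pks(user, scoped, max_pk=10):
    """Check what a user stepping through /house/edit/1/, /2/, ... would see
    under each lookup; used to verify the authorization check, not to attack."""
    found = []
    for pk in range(1, max_pk + 1):
        try:
            row = get_house(user, "pk", pk) if scoped else get_house_unscoped("pk", pk)
        except NotFound:
            continue
        found.append(row["pk"])
    return found
```

Switching the URL to the slug without the owner filter leaves `get_house_unscoped` just as exposed; switching to the owner filter makes the pk-based URL safe as well, with the slug then only hiding the row count Ned mentions.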