There is a general concern if the user can manipulate variables so that they pose a threat to your app...
On 7/19/07 12:56 AM, "John Comerford" <[EMAIL PROTECTED]> wrote:

> Hi Folks,
>
> I am in the process of putting together a web application. I have
> decided to add a 'RowId' field to all my tables and assign it a unique
> number so that I use it to retrieve data. In concept this number might
> be passed back to the server as part of an ajax request etc. My
> question is what is the best way to assign this number. My strongest
> feeling is to use an MD5 string:
>
> Advantages:
> 1) It is not 'guessable'; a sequence number might open up some security
> issues by allowing a user to replace the RowId if it is held in a hidden
> field or something like that.
> 2) It is 'sort of' unique, with the chances of it being a duplicate fairly
> slim (I really only need it to be unique by table).
>
> Disadvantages:
> 1) At 32 characters long it's pretty difficult to work with from an
> admin point of view.
> 2) Performance: I am still fairly green with MySQL but I would have to
> assume that having an extra 32 char field in a table is going to have a
> performance impact.
>
> Do you guys reckon the performance hit will be significant (I know this
> is a bit of a 'how long is a piece of string' question)?
> Does anybody know of a better way to do this? I was also considering
> doing something along the lines of ProcessID + Year + Month + Day +
> Hour + Second + MilliSecond + 4 digit random; would this be a better idea?
>
> TIA,
> JC

-------------------------
Olaf Stein
DBA
Center for Quantitative and Computational Biology
Columbus Children's Research Institute
700 Children's Drive
phone: 1-614-355-5685
cell: 1-614-843-0432
email: [EMAIL PROTECTED]

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
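As an added example (not code from either poster), the following Python shows the two points the thread circles around: a row identifier that keeps the 32-hex-character width the poster expects from MD5 but is drawn from the OS CSPRNG rather than from a predictable input (an MD5 of a timestamp or process id, or a 4-digit random suffix, is guessable by anyone who knows roughly when a row was created), stored as 16 raw bytes so a BINARY(16) column costs half of CHAR(32), and a lookup that still enforces ownership because an unguessable id only reduces exposure and never replaces the authorization check. The sample rows and the `fetch_row` helper are constructed for illustration.

```python
import secrets
from typing import Dict, Optional

ID_BYTES = 16  # 128 random bits -> 32 hex characters, or a BINARY(16) column


def new_row_id() -> str:
    """Return a fresh, unpredictable 32-character hexadecimal row id.

    128 bits from the OS CSPRNG: collisions are negligible and the value
    cannot be derived from a counter, a clock or a process id."""
    return secrets.token_hex(ID_BYTES)


def to_binary(row_id_hex: str) -> bytes:
    """Pack the hex id into 16 bytes for a BINARY(16) column
    (half the storage of CHAR(32) and a narrower index)."""
    raw = bytes.fromhex(row_id_hex)
    if len(raw) != ID_BYTES:
        raise ValueError("row id must be exactly 32 hex characters")
    return raw


def from_binary(raw: bytes) -> str:
    """Unpack a BINARY(16) value back into the hex form used in URLs and forms."""
    return raw.hex()


def is_valid_row_id(value: str) -> bool:
    """Reject anything that is not exactly 32 hex characters before it is used."""
    if len(value) != ID_BYTES * 2:
        return False
    try:
        bytes.fromhex(value)
    except ValueError:
        return False
    return True


def fetch_row(rows: Dict[bytes, dict], row_id_hex: str, user_id: int) -> Optional[dict]:
    """Look up a row, but return it only if it belongs to the requesting user.
    A client-supplied id (hidden field, ajax parameter) is never trusted on
    its own: the ownership check is what stops one user reading another's row."""
    if not is_valid_row_id(row_id_hex):
        return None
    row = rows.get(to_binary(row_id_hex))
    if row is None or row["owner"] != user_id:
        return None
    return row


# Constructed sample "table": two rows owned by two different users.
ROW_A = new_row_id()
ROW_B = new_row_id()
SAMPLE_ROWS = {to_binary(ROW_A): {"owner": 1, "note": "alice's row"},
               to_binary(ROW_B): {"owner": 2, "note": "bob's row"}}
```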