On 10.03.2011 21:09, mos wrote:
> At 12:37 PM 3/10/2011, Claudio Nanni wrote:
> 
>> Hi there,
>> Yes, I think it's actually a pattern a few hundred million sites solved 
>> already :)
> 
> Great. How did they do it? :)
> 
>> And any way to encrypt (scramble) the HTTP GET string would do. But my 
>> question is, are you afraid of SQL injection?
> 
> I'm using parameterized queries and validating user input so SQL injection 
> shouldn't be a problem.
> I just don't want to give the hacker any more useful information than 
> necessary.  Let's say I have a Document_Id
> column and the url is
> www.mydocuments.com/public?docid=4
> 
> to retrieve document_id=4, I don't want someone to write a program to 
> retrieve all of my public documents and
> download them. I want them to go through the user interface.
> The private documents of course need a user name and password to access them, 
> but public documents do not require
> passwords.
> 
> So hashing or encrypting the id column will make the id's non-contiguous and 
> impossible to guess.

Sorry, but this is foolish.
Leave the id in peace and add a column with some checksum.



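As an added illustration of the "keep the id, add a checksum" approach from the last reply (this is example code written for this page, not code from anyone in the thread): the document id stays a plain integer, and the public link carries a second parameter that is a keyed checksum (HMAC-SHA256) of that id. The server only serves the document if the checksum verifies, so someone who sees docid=4 cannot produce a working link for docid=5 without the server secret. The URL, the SERVER_SECRET value and the parameter names docid/sig are assumptions for the example.

```python
import hmac
import hashlib
from urllib.parse import urlparse, parse_qs, urlencode

# Constructed sample secret so the example runs stand-alone. In a real
# deployment load it from configuration and never hard-code it.
SERVER_SECRET = b"example-secret-do-not-use"

BASE_URL = "https://www.mydocuments.com/public"  # assumed, from the thread


def docid_checksum(docid: int, secret: bytes = SERVER_SECRET) -> str:
    """Keyed checksum for one document id: HMAC-SHA256 over the decimal id,
    truncated to 128 bits (32 hex chars). Without the secret an attacker
    cannot compute the value for any other id, so ids can stay contiguous.
    The same value can be stored in a table column at insert time or
    recomputed on each request; both give identical results."""
    mac = hmac.new(secret, str(docid).encode("ascii"), hashlib.sha256)
    return mac.hexdigest()[:32]


def public_url(docid: int, secret: bytes = SERVER_SECRET) -> str:
    """Link the application hands out for a public document."""
    query = urlencode({"docid": docid, "sig": docid_checksum(docid, secret)})
    return BASE_URL + "?" + query


def verify_public_url(url: str, secret: bytes = SERVER_SECRET):
    """Return the integer document id if the link carries a valid checksum,
    otherwise None. Malformed input (missing parameters, non-numeric id)
    is rejected the same way as a bad checksum."""
    qs = parse_qs(urlparse(url).query)
    try:
        docid = int(qs["docid"][0])
        sig = qs["sig"][0]
    except (KeyError, IndexError, ValueError):
        return None
    if docid < 0:
        return None
    expected = docid_checksum(docid, secret)
    # Constant-time comparison so timing does not leak how many
    # characters of a guessed checksum were correct.
    if not hmac.compare_digest(sig.encode("utf-8"), expected.encode("ascii")):
        return None
    return docid


if __name__ == "__main__":
    link = public_url(4)
    print("issued:", link)
    print("verified id:", verify_public_url(link))
    # Enumeration attempt: reuse the checksum from id 4 on id 5.
    forged = BASE_URL + "?" + urlencode({"docid": 5, "sig": docid_checksum(4)})
    print("forged link accepted?", verify_public_url(forged) is not None)
```

If you would rather not keep a secret on the web tier, the same verification logic works with a random per-document token generated at insert time and stored in the extra column; the only change is that verify_public_url then looks the stored value up instead of recomputing it.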