[FX.php List] Obscuring the recid on URL links
Jonathan Schwartz
jonathan at eschwartz.com
Sun Aug 27 18:22:49 MDT 2006
Thanks Kevin,
With the use of a randomly generated 20 character ID used in place of
the recid (detail.php?newid=1234567890-1234567890), how would folks
be able to access random records? Through luck or brute force?
Call me silly, but how likely is that?
I guess that I could double the character string length and even add
a counter for failed attempts by remote IP.
How much is enough/too much?
Jonathan
At 9:50 AM +1000 8/28/06, Kevin Futter wrote:
>On 26/8/06 2:40 AM, "Jonathan Schwartz" <jonathan at eschwartz.com> wrote:
>
>> I feel that I should know this by now, but still have a question on
>> how to create links that do not reveal recid's in URL links.
>>
>> I understand how to use hidden input fields to hide recids on forms.
>> No problem there.
>>
>> However, on links that use URLs (list.php?recid=12345), what methods
>> are used to not reveal the recid?
>>
>> I did try a method where I use a 20 character randomly generated ID
>> instead of the recid, and it works fine. The 20 character ID still
>> appears in the URL, but with 20 characters, it represents a security
>> risk...I think.
>>
>> Am I missing some basic concept or technique in this area?
>>
>> Thanks
>>
>> Jonathan
>
>One of the main ways this is done is through mod_rewrite on Apache, but it
>doesn't really work for search forms (only fixed data retrieval where the
>database call URI is made to resemble a static URL).
>
>I guess if you had some sort of fixed and reliable pattern to your recid
>parameters, you could encode them in the page and decode them in your
>parsing code (eg, increment each character by 1 in the page, and adjust
>accordingly when making the db call). But unless you use a reasonably
>sophisticated technique (not like my example!), you'll find that people will
>still be able to access random records. It's an inherent attribute of the
>GET protocol.
>
>--
>Kevin Futter
>Webmaster, St. Bernard's College
>http://www.sbc.melb.catholic.edu.au/
>
>_______________________________________________
>FX.php_List mailing list
>FX.php_List at mail.iviking.org
>http://www.iviking.org/mailman/listinfo/fx.php_list
--
Jonathan Schwartz
FileMaker 8 Certified Developer
Associate Member, FileMaker Solutions Alliance
Schwartz & Company
jonathan at eschwartz.com
http://www.eschwartz.com
http://www.exit445.com
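To put numbers on the "luck or brute force" question and on the failed-attempt counter Jonathan mentions, here is an added example that is not part of the thread and not FX.php or FileMaker code. It is written in Python rather than PHP so it can be run stand-alone; the token alphabet, the `RecordGateway` class, `detail.php?newid=...` handling and the lockout threshold are assumptions for illustration, and Kevin's "increment each character by 1" idea is included only to show that such a shift is reversible by anyone who reads the URL.

```python
"""Opaque record tokens in place of a FileMaker recid, plus a per-IP
failed-lookup counter. Added example; all names are hypothetical."""
import math
import secrets
import string
from collections import defaultdict

ALPHABET = string.ascii_letters + string.digits   # 62 symbols
TOKEN_LEN = 20


def new_token(length: int = TOKEN_LEN) -> str:
    """Token from a CSPRNG (secrets); never rand()/mt_rand()-style generators."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def token_bits(length: int = TOKEN_LEN, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy, in bits, of a uniformly random token of this shape."""
    return length * math.log2(alphabet_size)


def expected_guesses(live_tokens: int, length: int = TOKEN_LEN,
                     alphabet_size: int = len(ALPHABET)) -> float:
    """Average random URL guesses before hitting ANY live record.
    The attacker wants any valid token, so the space shrinks by the
    number of records that currently carry a token."""
    return alphabet_size ** length / live_tokens


def shift_obfuscate(recid: str, shift: int = 1) -> str:
    """'Increment each character by 1': reversible, involves no secret."""
    return "".join(chr(ord(c) + shift) for c in recid)


def shift_deobfuscate(text: str, shift: int = 1) -> str:
    return shift_obfuscate(text, -shift)


class RecordGateway:
    """Maps opaque tokens to recids and counts failed lookups per client IP.
    In a real deployment the map lives in the database and the counter in
    shared storage, not in process memory (assumed in-memory here)."""

    def __init__(self, max_failures: int = 5):
        self._token_to_recid: dict[str, int] = {}
        self._failures: dict[str, int] = defaultdict(int)
        self.max_failures = max_failures

    def publish(self, recid: int) -> str:
        """Mint the token that goes into detail.php?newid=<token>."""
        token = new_token()
        while token in self._token_to_recid:      # collision is vanishingly rare
            token = new_token()
        self._token_to_recid[token] = recid
        return token

    def is_locked(self, remote_ip: str) -> bool:
        return self._failures[remote_ip] >= self.max_failures

    def lookup(self, token: str, remote_ip: str):
        """Resolve a token from the URL; None for an unknown token or a locked IP."""
        if self.is_locked(remote_ip):
            return None
        recid = self._token_to_recid.get(token)
        if recid is None:
            self._failures[remote_ip] += 1
        return recid
```

With 62 symbols a 20-character token carries about 119 bits; Jonathan's all-digit sample (`1234567890-1234567890`) would carry only about 66 bits for the same length, which is why the alphabet matters as much as the length. The per-IP counter caps what a single client can try, but it does not help against a distributed guesser; the entropy of the token is what has to do the real work, and the token must never be reused across records or logged where it can be read back.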