[FX.php List] Obscuring the recid on URL links

Gjermund Gusland Thorsen ggt667 at gmail.com
Mon Aug 28 01:33:11 MDT 2006


Did you look here, this is similar to what Schwartz describes:
http://www.file-making.com/tutorial/part5.php

On 8/28/06, Jonathan Schwartz <jonathan at eschwartz.com> wrote:
> Yes, I am using sessions and can watch remote IP hits.  On this
> particular project, the database is only going to be up for a short
> time (several weeks), but I am also looking at the bigger picture.  I
> suppose that I can also change the random string to include alpha
> with upper and lower case.  That should really do it.
>
> Thanks
>
> Jonathan
>
>
> At 10:36 AM +1000 8/28/06, Kevin Futter wrote:
> >On 28/8/06 10:22 AM, "Jonathan Schwartz" <jonathan at eschwartz.com> wrote:
> >
> >>  Thanks Kevin,
> >>
> >>  With the use of a randomly generated 20 character ID used in place of
> >>  the recid (detail.php?newid=1234567890-1234567890), how would folks
> >>  be able to access random records?  Through luck or brute force?
> >>
> >>  Call me silly, but how likely is that?
> >>
> >>  I guess that I could double the character string length and even add
> >>  a counter for failed attempts by remote IP.
> >>
> >>  How much is enough/too much?
> >>
> >>  Jonathan
> >
> >I'd say what you have now is enough. The only serious threat you'd face is
> >from someone who's realised that your keys are randomly generated, and
> >writes a bot to loop through and submit some (thousands) possibilities. As
> >you've noted, it isn't very likely, and your suggested response is probably
> >close to the mark anyway. (I'd actually test that no single remote IP is
> >polling the db more than, say, once per second. If you're using sessions,
> >this should be quite easy to track.)
> >
> >--
> >Kevin Futter
> >Webmaster, St. Bernard's College
> >http://www.sbc.melb.catholic.edu.au/
> >
> >_______________________________________________
> >FX.php_List mailing list
> >FX.php_List at mail.iviking.org
> >http://www.iviking.org/mailman/listinfo/fx.php_list
>
>
> --
>
> Jonathan Schwartz
> FileMaker 8 Certified Developer
> Associate Member, FileMaker Solutions Alliance
> Schwartz & Company
> jonathan at eschwartz.com
> http://www.eschwartz.com
> http://www.exit445.com
>
>
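The pattern discussed in the thread (an opaque random ID in the URL instead of the FileMaker recid, plus a throttle on lookups), as an added example that is not FX.php code and was not posted to the list. It assumes PHP 7.4 or later, and it uses a constructed in-memory array in place of the real record table that would map each public ID to its recid. Two things the example makes concrete: the ID is drawn from a cryptographic RNG, and its size is chosen deliberately (20 digits, as in the URL quoted above, give 10^20 or roughly 2^66 possibilities; 20 mixed-case alphanumerics give 62^20 or roughly 2^119; 16 random bytes encoded as base64url give 2^128 in 22 characters).

```php
<?php
// Added example for the thread above; not FX.php code and not from the list.
// Assumed: PHP 7.4+, and a server-side table mapping each public ID to its recid
// (here a constructed in-memory array standing in for the FileMaker lookup).

// 16 random bytes = 128 bits of entropy, encoded as 22 base64url characters.
const ID_BYTES = 16;

// Generate an unguessable public ID. random_bytes() is a CSPRNG; rand()/mt_rand() are not.
function make_public_id(int $bytes = ID_BYTES): string
{
    return rtrim(strtr(base64_encode(random_bytes($bytes)), '+/', '-_'), '=');
}

// Cheap syntactic check so malformed IDs never reach the database query.
function looks_like_public_id(string $id): bool
{
    return preg_match('/^[A-Za-z0-9_-]{22}$/', $id) === 1;
}

// Sliding-window limit: at most $max lookups per $window seconds for this session.
function rate_limited(int $max = 1, int $window = 1): bool
{
    $now  = time();
    $hits = array_filter($_SESSION['lookup_hits'] ?? [], fn($t) => $t > $now - $window);
    if (count($hits) >= $max) {
        $_SESSION['lookup_hits'] = array_values($hits);
        return true;
    }
    $hits[] = $now;
    $_SESSION['lookup_hits'] = array_values($hits);
    return false;
}

// Constructed stand-in for the record table: public ID => recid.
$publicIds = [
    make_public_id() => 101,
    make_public_id() => 102,
];

// detail.php?newid=... resolves the opaque ID to a recid entirely on the server.
session_start();
$newid = (string) ($_GET['newid'] ?? '');
if (!looks_like_public_id($newid)) {
    http_response_code(404);          // same answer as "no such record": no hint for a guesser
    exit;
}
if (rate_limited()) {
    http_response_code(429);
    exit;
}
$recid = $publicIds[$newid] ?? null;  // in the real app: query the layout by public ID
if ($recid === null) {
    http_response_code(404);
    exit;
}
echo 'Record ' . htmlspecialchars((string) $recid, ENT_QUOTES, 'UTF-8');
```

Two caveats for anyone copying this. A throttle stored in `$_SESSION` only constrains a client that keeps its cookie; a scraper that discards cookies starts a fresh session on every request, so the once-per-second-per-IP check Kevin describes needs a server-side store keyed by `$_SERVER['REMOTE_ADDR']` (APCu, a small database table) rather than the session. And the script returns the same 404 for a malformed ID and for an unknown one, so the response does not tell a guesser which of its attempts were at least well-formed.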
