如何管理数据库实体ID，以有效的方式避免安全风险? [英] How should DB entity IDs be managed to avoid security risks in a performant way?

问题描述

假设我有一个小型网站，用户可以在其中公开书评.因此，在服务器代码中，我们的位置如下所示:

 //获取用户的阅读书籍.公共IHttpActionResult GetBooks(){var user = GetLoggedUser();var userBooks = BooksRepository.GetByUserId(user.Id);返回确定({名称:user.Name，书籍:userBooks.ToDtoList()});}公共IHttpActionResult GetReviews(int bookId){var reviews = ReviewsRepository.GetByBookId(bookId);返回确定({评论:reviews.ToDtoList()});} 

除其他事项外，审阅对象还具有ID属性(整数)，这是其在数据库中的ID.现在，假设我是一个恶意用户，先登录，然后再开始执行以下操作:

 允许限制= 100;for(让id = someStart; id<(someStart +限制); id ++){fetch(URL +'/reviews?bookId ='+ id).then(/*获得其他用户的评论... */);} 

为了避免这种情况，我已经看到人们使用GUID作为表的主键，而不是使用整数.数据库是否以某种方式在内部对GUID进行排序，以便它们可以创建索引?如果没有，这不是一个缓慢的方法吗?有没有更好的方法来处理发送到浏览器的ID?

解决方案

是的，有更好的方法.将您的整数ID保留在内部，切勿将其公开给客户端.

我过去做过的一件事(甚至有几次)是在保留原始int ID的同时添加GUID列.您的后端仍可以使用int ID进行工作，但是，在向客户端公开数据时，此时您仅发送GUID，而从不公开int ID.如果浏览器发出了请求，则该请求将随GUID一起提供，此时，如果您需要某种东西，则可以获取int ID.

因此，您无需更改主键，只需添加一个新的GUID列，然后将其公开给客户端即可.

Let's suppose I have a small website where users can public book reviews. So, in the server code we have somewhere something like this:

// Get user's read books.
public IHttpActionResult GetBooks()
{
    var user = GetLoggedUser();
    var userBooks = BooksRepository.GetByUserId(user.Id);

    return Ok({
        Name: user.Name,
        Books: userBooks.ToDtoList()
    });
}

public IHttpActionResult GetReviews(int bookId)
{
    var reviews = ReviewsRepository.GetByBookId(bookId);

    return Ok({
        Reviews: reviews.ToDtoList()
    });
}

Among other things, the review objects have an ID property (integer), that's their ID in the database. Now let's suppose I'm a malicious user, I log in and then, I start doing something like:

let limit = 100;

for (let id = someStart; id < (someStart + limit); id++) {
    fetch(URL + '/reviews?bookId=' + id)
        .then( /* getting other users' reviews... */ );
}

In order to avoid that situation, instead of using integers, I have seen people using GUIDs as the primary key of their tables. Do databases order GUIDs somehow internally so they can create an index? If not, isn't it a slow approach? Is there a better way to deal with IDs sent to the browser?

解决方案

Yes, there is a better way. Keep your integer IDs internal and never expose them to the clients.

One thing I did in the past, several times even, is to add a GUID column while keeping the original int IDs. Your back-end can still function using the int IDs, but when it comes to exposing data to the client, at that point you only send the GUIDs and never make the int IDs public. If a request is made from the browser, it will come with the GUID at which point you can obtain the int ID if you need it for something.

So, you're not changing your primary keys, all you do is add a new GUID column and then expose that to the clients.

这篇关于如何管理数据库实体ID，以有效的方式避免安全风险?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！