使用Mongodb ObjectID作为文档ID? [英] Using Mongodb ObjectID as a document ID?

问题描述

我正试图用mongoDB做一个董事会.

I'm trying to make a board with mongoDB.

我想用ObjectID分配文档ID.

I want to assign document ID with ObjectID.

如果用户可以通过 http://www.example.com/4easdf123123其中"4easdf123123"是mongoDB对象ID.

If a user can access to a document page by http://www.example.com/4easdf123123 where "4easdf123123" is a mongoDB ObjectID.

如果我在URL中使用并显示mongo ObjectID并将其用作文档ID，是否存在任何安全威胁?

Is there any possible security threat, If I use and show mongo ObjectID in URL and using it as a document id?

关于使用mongoDB分配文档ID的任何建议?

And any suggestion with assigning document ID with mongoDB?

推荐答案

这看起来不像MongoDB ObjectID － ObjectID是12字节的二进制数据，并且以十六进制字符串的形式呈现(通常的使用方式网址中的字符)，长度为24个字符.我假设您使用的是官方的PHP Mongo驱动程序，在这种情况下MongoId类的构造函数将忽略无效值，并为您生成一个新值.无论如何，最好让驱动程序为您生成一个ObjectID/MongoId，因为这样做可以避免冲突.

That doesn't look like a MongoDB ObjectID -- an ObjectID is 12 bytes of binary data, and when rendered as a hexadecimal string (the usual way to use it in a URL) it would be 24 characters long. I assume you're using the official PHP Mongo Driver, in which case the MongoId class's constructor will ignore invalid values and generate a new one for you. In any event, it's best to let the driver generate an ObjectID/MongoId for you, as it will do so in a way that avoids collisions.

关于在URL中使用它的安全性，应该没问题.当然，您应该使用有关实现代码的常规预防措施，以确保当前用户有权查看正在显示的对象，等等，但是在URL中使用ObjectID的安全风险没有任何其他数据库标识符(字符串)高，整数等)，并且通常更少，因为ObjectID没有语义值(而URL中的字符串"adminuser"可能表示该URL与具有较高特权的用户有关).

As for the safety of using it in your URLs, you should be fine. You should, of course, use the usual precautions about implementing code to ensure that the current user has access to view the object being displayed, etc, but there is no more security risk of using an ObjectID in URL than any other database identifier (string, integer, etc), and often there is less, as the ObjectID has no semantic value (whereas a string like "adminuser" in a URL might convey that that URL relates to a user with elevated privileges).

这篇关于使用Mongodb ObjectID作为文档ID?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！