需要一个较小的替代GUID为DB ID,但仍然是独一无二的和随机的网址 [英] Need a smaller alternative to GUID for DB ID but still unique and random for URL
问题描述
我到处都找这个地方的,我似乎无法得到这一个完整的答案。因此,如果回答也已经在计算器存在,那么我提前道歉。
I have looked all of the place for this and I can't seem to get a complete answer for this. So if the answer does already exist on stackoverflow then I apologize in advance.
我想要一个独特的和随机的ID,这样在我的网站用户无法猜测下一个数字,只是跳给别人的信息。我打算坚持一个递增的ID主键而且还储存在DB该行的随机性和唯一ID(排序散列)并把指数就可以了。
I want a unique and random ID so that users in my website can't guess the next number and just hop to someone else's information. I plan to stick to a incrementing ID for the primary key but to also store a random and unique ID (sort of a hash) for that row in the DB and put an index on it.
从我的搜索我明白我想,以避免碰撞和我读过一些提到SHA1的。
From my searching I realize that I would like to avoid collisions and I have read some mentions of SHA1.
我的基本要求是:
- 的东西比一个GUID小。 (以URL看起来可怕)
- 不能
- 避免冲突
- 不奇怪的字符是不可读的一长串。
什么我期待的是www.somesite.com/page.aspx?id=AF78FEB一个例子
An example of what I am looking for would be www.somesite.com/page.aspx?id=AF78FEB
我不知道我是否应该在数据库(我使用SQL Server 2005)或code(我使用C#ASP.Net)
I am not sure whether I should be implementing this in the database (I am using SQL Server 2005) or in the code (I am using C# ASP.Net)
编辑:
这是我做了所有的阅读中,我意识到这是安全通过隐藏。我不打算有合适的授权和认证访问的页面。我将使用NET的身份验证和授权的框架。但是,一旦一个合法用户登录并访问legimate(但动态创建的页面)填充有链接到属于他的项目。例如,一个链接可能被www.site.com/page.aspx?item_id=123~~V。什么是从点击该链接,然后改变上述网址去www.site.com/page.aspx?item_id=456不属于他阻止他?我知道一些Java技术如Struts(我站被纠正)存储所有的会议,并以某种方式从工作了,但我不知道如何做到这一点。
From all the reading I have done I realize that this is security through obscurity. I do intend having proper authorization and authentication for access to the pages. I will use .Net's Authentication and authorization framework. But once a legitimate user has logged in and is accessing a legimate (but dynamically created page) filled with links to items that belong to him. For example a link might be www.site.com/page.aspx?item_id=123. What is stopping him from clicking on that link, then altering the URL above to go www.site.com/page.aspx?item_id=456 which does NOT belong to him? I know some Java technologies like Struts (I stand to be corrected) store everything in the session and somehow work it out from that but I have no idea how this is done.
推荐答案
[为响应编辑]
你应该考虑的查询字符串为邪恶的投入。您需要以编程方式检查身份验证的用户被允许查看所请求的项目。
[In response to the edit]
You should consider query strings as "evil input". You need to programmatically check that the authenticated user is allowed to view the requested item.
if( !item456.BelongsTo(user123) )
{
// Either show them one of their items or a show an error message.
}
这篇关于需要一个较小的替代GUID为DB ID,但仍然是独一无二的和随机的网址的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
