需要一个较小的替代GUID的DB ID,但仍然是唯一和随机的URL [英] Need a smaller alternative to GUID for DB ID but still unique and random for URL
问题描述
我已经查看了所有的地方,我似乎无法得到一个完整的答案。所以如果答案已经在stackoverflow上存在,那么我提前道歉。
我想要一个唯一和随机的ID,使我的网站的用户不能猜到下一个数字只是跳到别人的信息。我计划坚持一个递增的主键的ID,但也存储一个随机和唯一的ID(排序哈希)在DB中的行,并在其上设置索引。
从我的搜索,我意识到,我想避免碰撞,我已经阅读了一些提到的SHA1。
我的基本要求是
- 小于GUID。 (看起来可怕的网址)
- 必须是唯一的
- 避免碰撞
我要查找的示例是www.somesite.com/page.aspx?id= AF78FEB
我不知道我应该在数据库(我使用SQL Server 2005)还是在代码中实现这个(我使用的是C#ASP.Net)
编辑:
从我所做的所有阅读中,我意识到这是通过隐晦的安全。我打算拥有访问页面的适当授权和身份验证。我将使用.Net的认证和授权框架。但一旦合法用户登录并正在访问一个充满属于他的项目的链接的一个友好(但动态创建的页面)。例如,链接可能是www.site.com/page.aspx?item_id=123。什么是阻止他点击该链接,然后改变上面的URL去www.site.com/page.aspx?item_id=456不属于他?我知道一些Java技术,像Struts(我要纠正)存储在会话中的一切,并以某种方式从中工作,但我不知道如何这样做。
[响应编辑]
您应该将查询字符串视为邪恶的输入。您需要以编程方式检查已通过身份验证的用户是否可以查看所请求的项目。
if(!item456.BelongsTo(user123) )
{
//显示它们的一个项目或显示一个错误信息。
}
I have looked all of the place for this and I can't seem to get a complete answer for this. So if the answer does already exist on stackoverflow then I apologize in advance.
I want a unique and random ID so that users in my website can't guess the next number and just hop to someone else's information. I plan to stick to a incrementing ID for the primary key but to also store a random and unique ID (sort of a hash) for that row in the DB and put an index on it.
From my searching I realize that I would like to avoid collisions and I have read some mentions of SHA1.
My basic requirements are
- Something smaller than a GUID. (Looks horrible in URL)
- Must be unique
- Avoid collisions
- Not a long list of strange characters that are unreadable.
An example of what I am looking for would be www.somesite.com/page.aspx?id=AF78FEB
I am not sure whether I should be implementing this in the database (I am using SQL Server 2005) or in the code (I am using C# ASP.Net)
EDIT:
From all the reading I have done I realize that this is security through obscurity. I do intend having proper authorization and authentication for access to the pages. I will use .Net's Authentication and authorization framework. But once a legitimate user has logged in and is accessing a legimate (but dynamically created page) filled with links to items that belong to him. For example a link might be www.site.com/page.aspx?item_id=123. What is stopping him from clicking on that link, then altering the URL above to go www.site.com/page.aspx?item_id=456 which does NOT belong to him? I know some Java technologies like Struts (I stand to be corrected) store everything in the session and somehow work it out from that but I have no idea how this is done.
[In response to the edit]
You should consider query strings as "evil input". You need to programmatically check that the authenticated user is allowed to view the requested item.
if( !item456.BelongsTo(user123) )
{
// Either show them one of their items or a show an error message.
}
这篇关于需要一个较小的替代GUID的DB ID,但仍然是唯一和随机的URL的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!