我应该模糊我的用户的数据库ID吗？ [英] Should I be obfuscating database IDs from my users?

问题描述

我被告知我不应该直接在web应用程序的HTML代码中使用数据库ID。

I'm being told that I shouldn't be using database IDs directly in HTML code in web applications.

目前我使用表行ID（tableRow-454其中454是数据库中的行的ID），隐藏或选择表单或URL中的字段。 （我不是指在网页上直观地告诉他们他们是####。）

Currently I use the IDs on things like table row IDs (tableRow-454 where 454 is the ID of the row in the DB), in hidden or selects fields in forms or in URLs. (I'm not referring to telling people visually on a page that they are ####.)

我给出的建议是使用一些数学来模糊化来自用户的ID。我认为这只会使事情更复杂，增加不必要的复杂性。但我可以看到一些很好的理由，使它更难以从HTML确定数据库ID。

The recommendation I was given was to use some math to obfuscate the ID from the user. I'm thinking this will only make things more complicated and add unnecessary complexity. But I can see some good reasons to make it more difficult to determine a database ID from the HTML.

您是否模糊用户的ID？

Do you obfuscate the IDs from the user? Or do you care?

推荐答案

不，你只是自己做额外的工作。

No, you're just making extra work for yourself.

只要你做了足够的测试，在这里更改ID或者不会给用户访问的东西，他们不应该，那么你很好的ID可见。

As long as you're doing enough testing that changing an ID here or there won't give the users access to something they shouldn't then you're fine having the IDs visible.

在某些情况下，隐藏它们或具有非连续数字，或者可能不从零开始计数可能是有益的。例如，如果有人得到订单号3，他们可能会开始问问题...

In some situations it can be beneficial to hide them or have non-sequential numbers, or maybe not starting counting from zero. For example if someone got order number 3 they might start asking questions...

这篇关于我应该模糊我的用户的数据库ID吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！