Is it a bad practice to expose DB internal IDs in URLs?


Question

Is it a bad practice to expose DB internal IDs in URLs?

For example, suppose I have a users table with some IDs (primary key) for each row. Would exposing the URL myapp.com/accountInfo.html?userId=5, where 5 is an actual primary key, be considered a "bad thing" and why?

Also assume that we properly defend against SQL injections.

I am mostly interested in answers related to the Java web technology stack (hence the java tag), but general answers will also be very helpful.

Thanks.

Accepted answer

That depends on the way you parse the URL. If you allow blind SQL injections, that is bad. You only have to validate the id from the user input.

Stackexchange also puts the id of the row into the URL, as you can see in your address bar. The trick is to parse that part and get rid of all possible SQL. The simplest way is to check that the id is a number.
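The check the answer describes, as an added example (not code from the question or the answer): the `userId` query parameter is accepted only if it is a plain decimal number, and the lookup then runs as a parameterized query so the value can never be interpreted as SQL. The `users` table and its rows are constructed here in an in-memory SQLite database to stand in for the questioner's table.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for the questioner's "users" table (id is the primary key).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(5, "alice"), (6, "bob")])
    return conn

# A row id is a short run of digits and nothing else; anything with spaces,
# quotes, keywords or operators fails this test before it reaches the database.
ID_RE = re.compile(r"[0-9]{1,18}")

def parse_user_id(url):
    """Return userId from the URL as an int, or None if it is absent,
    repeated, or not a plain number."""
    values = parse_qs(urlparse(url).query).get("userId", [])
    if len(values) != 1 or not ID_RE.fullmatch(values[0]):
        return None
    return int(values[0])

def account_name(conn, url):
    """Look up the account name for the id in the URL.

    Rejected ids return None without touching the database.  The query uses
    a bound parameter (the ? placeholder) rather than string formatting, so
    even a value that passed validation is sent as data, never as SQL text.
    """
    user_id = parse_user_id(url)
    if user_id is None:
        return None
    row = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    print(account_name(db, "http://myapp.com/accountInfo.html?userId=5"))
    print(account_name(db, "http://myapp.com/accountInfo.html?userId=5 OR 1=1"))
```

The second call returns None: the value is refused by the numeric check, so it is never concatenated into, or even bound to, a query.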
