[Javascript] Maximum length of an id
Scott Reynen
scott at randomchaos.com
Tue Sep 11 12:53:09 CDT 2007
On Sep 11, 2007, at 11:17 AM, Terry Riegel wrote:
> The reason for encrypting is because the id would "mean" something to
> the server, and someone could determine what it means to the server
> and change it to get the server to do something the page never wanted
> it to do.
>
> I think I can illustrate by showing an example without an encrypted
> id.
>
> <div class="editable" id="recordid-01234">
> This is the data from my database. It is record number 01234
> </div>
>
> If I take this example and then write some snazzy Javascript to post
> new data to the server, then I have just exposed my database. All
> someone would have to do is determine how my post is working and
> change recordid-01234 to recordid-01231 or something like that.
>
> Does that make sense?
This sounds like security through obscurity, which is generally a bad
idea. If an update to record 01231 is going to do something bad, you
should probably change your server-side process so that's no longer a
possibility rather than hiding the ID for that record and hoping no
one finds it.
Peace,
Scott
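Scott's point, carried into code as an added example that is not part of this thread: the fix for the scenario Terry describes is a server-side ownership check on the posted id, not hiding the id. The in-memory record store, the `session` object and the function names are assumptions.

```javascript
// Added example (not from the thread): a server-side update handler that
// authorizes the record named in the client's DOM id instead of trusting it.
// Constructed in-memory data stands in for the database.
const records = new Map([
  ["01234", { owner: "alice", text: "Alice's record" }],
  ["01231", { owner: "bob", text: "Bob's record" }],
]);

// Parses the id format from the thread ("recordid-01234").
// Returns null for anything else, so malformed ids are rejected early.
function parseRecordId(domId) {
  const m = /^recordid-(\d+)$/.exec(String(domId));
  return m ? m[1] : null;
}

// Insecure form: writes to whatever record the client names.
// Anyone who changes recordid-01234 to recordid-01231 edits Bob's record.
function updateRecordUnchecked(domId, newText) {
  const id = parseRecordId(domId);
  const rec = id && records.get(id);
  if (!rec) return { ok: false, reason: "not found" };
  rec.text = newText;
  return { ok: true };
}

// Hardened form: identity comes from the server-side session (hypothetical
// object), and the specific record is authorized before anything is written.
function updateRecordChecked(session, domId, newText) {
  const id = parseRecordId(domId);
  const rec = id && records.get(id);
  // Same response for missing and forbidden records, so the reply does not
  // reveal which ids exist.
  if (!rec || rec.owner !== session.user) return { ok: false, reason: "not found" };
  rec.text = newText;
  return { ok: true };
}
```

With the check in place, the id can stay as plain as "recordid-01234"; knowing another record's number gains the client nothing.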