[Javascript] Maximum length of an id

Matt Warden mwarden at gmail.com
Tue Sep 11 13:10:06 CDT 2007


>  From: Terry Riegel <riegel at clearimageonline.com>
> I think I can illustrate by showing an example without an encrypted id.
>
> This is the data from my database. It is record number 01234
>
>
> If I take this example and then write some snazzy Javascript to post
> new data to the server, then I have just exposed my database. All
> someone would have to do is determine how my post is working and
> change recordid-01234 to recordid-01231 or something like that.
>
> Does that make sense?


I fail to see how this scenario is an issue. Either the logged-in user
has authorization to "do something" to record 01231 or she doesn't. If
she doesn't, then the operation will fail. If she does, who cares if
she uses the proper interface or spends a lot of time doing the same
operation much more difficultly?



-- 
Matt Warden
Cincinnati, OH, USA
http://mattwarden.com


This email proudly and graciously contributes to entropy.
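The check described in the reply above, as an added example that is not part of the original thread: the server decides per request whether the logged-in user may touch the record, so editing the posted id changes nothing. The record owners, session tokens, field format check and `handleUpdate` are assumptions made for illustration.

```javascript
// Constructed sample data: record ids follow the thread's example,
// the owners are hypothetical.
const records = new Map([
  ["01234", { owner: "terry", body: "record 01234" }],
  ["01231", { owner: "alice", body: "record 01231" }],
]);

// Hypothetical server-side session store: token -> user, filled at login.
const sessions = new Map([
  ["tok-terry", "terry"],
  ["tok-alice", "alice"],
]);

// Accept only the exact "recordid-NNNNN" shape; anything else is rejected
// before it gets near the data store.
function parseRecordId(field) {
  const m = /^recordid-(\d{5})$/.exec(String(field));
  return m ? m[1] : null;
}

// Handle a posted update. The user comes from the session, never from the
// request body, and every request is re-checked against the record's owner.
function handleUpdate(request) {
  const user = sessions.get(request.sessionToken);
  if (!user) return { status: 401, error: "not logged in" };

  const id = parseRecordId(request.recordField);
  if (id === null) return { status: 400, error: "malformed record id" };

  const record = records.get(id);
  // Same answer for "missing" and "not yours", so a response does not
  // confirm which ids exist.
  if (!record || record.owner !== user) {
    return { status: 404, error: "no such record" };
  }

  record.body = String(request.body);
  return { status: 200, id };
}
```

With this in place the id in the page can stay a plain record number; the authorization decision lives entirely on the server.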


