Is it secure to put the user id as a url parameter?

限于喜欢 提交于 2019-12-22 09:25:15

问题


I am developing a social network and I would like to know if in the profile page of a user I could put the user id stored in database as a parameter in the url or is it a bad idea in terms of security?

I want the url to be bookmarkable. Should I put another thing instead of the user id?


回答1:


In terms of security there's no problem in putting the user id in a url. For example StackOverflow does it already: https://stackoverflow.com/users/3477044/aliuk

What's important is to verify that the currently authenticated user is allowed to access this url and take actions on its behalf.




回答2:


most socialnetwork i've been using, use username as url not id, of course it also affects seo, since u have "pretty url".

Security is really depend on how you write your code, say there is a page to edit-profile, if you put on your code something like: UPDATE .. SET .. WHERE id = $_GET['id']

no question it's dangerous, you should check every user action, like posting/editing profile, etc. who is login, not what's the id on current url




回答3:


It is secure if you secure your website against sql injection. But if breach happens all users are vunerable. Only thing that hacker needs to do is find the user profile get his id. Copy output of sql injection. Go to text editor. Press ctrl - f and search for user id.



来源:https://stackoverflow.com/questions/38551448/is-it-secure-to-put-the-user-id-as-a-url-parameter

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!