How should DB entity IDs be managed to avoid security risks in a performant way?

Question

Let\'s suppose I have a small website where users can public book reviews. So, in the server code we have somewhere something like this:

Answer 1

Yes, there is a better way. Keep your integer IDs internal and never expose them to the clients.

One thing I did in the past, several times even, is to add a GUID column while keeping the original int IDs. Your back-end can still function using the int IDs, but when it comes to exposing data to the client, at that point you only send the GUIDs and never make the int IDs public. If a request is made from the browser, it will come with the GUID at which point you can obtain the int ID if you need it for something.

So, you're not changing your primary keys, all you do is add a new GUID column and then expose that to the clients.