Is it secure to put the user id as a url parameter?

Submitted by 大憨熊 on 2019-12-05 16:08:05
Darin Dimitrov

In terms of security there's no problem in putting the user id in a url. For example StackOverflow does it already: https://stackoverflow.com/users/3477044/aliuk

What's important is to verify that the currently authenticated user is allowed to access this url and take actions on its behalf.

Most social networks I've been using use the username in the URL, not the id. Of course it also affects SEO, since you have a "pretty URL".

Security really depends on how you write your code. Say there is a page to edit a profile; if you put in your code something like: UPDATE .. SET .. WHERE id = $_GET['id']

no question it's dangerous. You should check, for every user action (posting, editing the profile, etc.), who is logged in, not what the id in the current URL is.

It is secure if you secure your website against SQL injection. But if a breach happens, all users are vulnerable. The only thing the hacker needs to do is find the user profile and get his id. Copy the output of the SQL injection. Go to a text editor. Press Ctrl-F and search for the user id.
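The following is an added example (not code from the original question or any of the answers) that puts the advice from the answers above into running code: the `UPDATE .. SET .. WHERE id = $_GET['id']` pattern quoted in the third answer, next to a handler that authorizes against the logged-in session rather than the URL id (the first answer's point) and uses bound parameters so the id cannot be used for SQL injection (the last answer's point). The table, user rows, function names and the `Forbidden` exception are all assumptions made for this example; the database is an in-memory SQLite file.

```python
import sqlite3


class Forbidden(Exception):
    """Raised when the logged-in user may not perform the requested action."""


def make_db():
    """Constructed sample data for the example: two user profiles."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "original bio of alice"),
         (2, "mallory", "original bio of mallory")],
    )
    conn.commit()
    return conn


def edit_profile_vulnerable(conn, url_id, new_bio):
    """The pattern quoted above: UPDATE .. SET .. WHERE id = $_GET['id'].

    The id comes straight from the URL and is pasted into the SQL string, so
    (a) any logged-in user can edit any other user's profile (an IDOR), and
    (b) the id is also an SQL injection point.
    """
    conn.execute(f"UPDATE users SET bio = '{new_bio}' WHERE id = {url_id}")
    conn.commit()


def edit_profile_hardened(conn, session_user_id, url_id, new_bio):
    """Authorize against the session, not the URL, and bind every parameter.

    The URL id is still accepted (it is harmless to show it in the URL), but
    it must match the authenticated user, and the UPDATE itself is keyed on
    the session id so a forged URL can never reach another user's row.
    """
    if session_user_id is None:
        raise Forbidden("not logged in")
    try:
        target = int(url_id)          # rejects '1 OR 1=1' and similar junk
    except (TypeError, ValueError):
        raise Forbidden("malformed id in URL")
    if target != session_user_id:
        raise Forbidden("cannot edit another user's profile")
    cur = conn.execute(
        "UPDATE users SET bio = ? WHERE id = ?", (new_bio, session_user_id)
    )
    conn.commit()
    return cur.rowcount               # 1 on success


def get_bio(conn, user_id):
    row = conn.execute("SELECT bio FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None


def demo():
    """Mallory (id 2) is logged in and requests /edit-profile?id=1 for alice.

    Returns (alice's bio after the vulnerable handler,
             alice's bio after an injected id hits the vulnerable handler,
             whether the hardened handler blocked the IDOR,
             whether the hardened handler blocked the injected id,
             alice's bio after the hardened handler).
    """
    conn = make_db()
    edit_profile_vulnerable(conn, url_id="1", new_bio="pwned")
    idor_result = get_bio(conn, 1)                   # alice's row overwritten

    conn = make_db()
    edit_profile_vulnerable(conn, url_id="1 OR 1=1", new_bio="pwned")
    injection_result = get_bio(conn, 1)              # every row overwritten

    conn = make_db()
    blocked_idor = blocked_injection = False
    try:
        edit_profile_hardened(conn, session_user_id=2, url_id="1", new_bio="pwned")
    except Forbidden:
        blocked_idor = True
    try:
        edit_profile_hardened(conn, session_user_id=2, url_id="1 OR 1=1", new_bio="pwned")
    except Forbidden:
        blocked_injection = True
    # Mallory editing her own profile through the hardened handler still works.
    edit_profile_hardened(conn, session_user_id=2, url_id="2", new_bio="mallory's new bio")

    return idor_result, injection_result, blocked_idor, blocked_injection, get_bio(conn, 1)


if __name__ == "__main__":
    print(demo())
```

The check that matters is `target != session_user_id`: the URL id is treated as a request, never as proof of identity. Keying the UPDATE on the session id (rather than on the validated URL id) is deliberate, so that even a later refactor that drops the comparison cannot turn the handler back into an IDOR.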
