
python - Is exposing the primary key in the URL a good choice?

Django automatically generates an id field for every table, but this question is not really Django-specific.

Suppose there is an Article table with a primary key, and I use that table's primary key id directly in the URL. Is this a good idea from a security and performance standpoint? For example, the Article table has a record with id 10051, and the URL http://example.com/article/10051 displays that article.

This makes access convenient for users, since knowing one article's id lets you guess other articles' ids to reach different articles. But if the primary key is exposed directly in the URL, will it make it easy for attackers to guess the database structure and cause security problems?

For this kind of use case, is there anything to watch out for, or a standard approach?

Asked by 黄舟 · 2838 days ago · 736

6 replies

  • PHP中文网, 2017-04-17 15:16:17

    There is nothing wrong with it. But consider the scenario. For example, in an e-commerce system, if you look up orders by order number and the auto-incremented primary key is exposed, it will undoubtedly expose the sales volume of the platform, which is undoubtedly excellent information for competitors. But as for security, there is nothing worth noting. It is nothing more than preventing injection. Another example is a multi-user blog system. If the ID is exposed, it will undoubtedly reveal the total number of registered users, total number of articles, total posts, number of comment replies, etc. of the platform. It also has no impact on security.

  • 黄舟, 2017-04-17 15:16:17

    Too little information; it will not lead to guessing the table structure.

  • 巴扎黑, 2017-04-17 15:16:17

    Use UUID.

  • 巴扎黑, 2017-04-17 15:16:17

    It’s not a big problem if it’s public. But if permissions are involved, for example, id A cannot be seen by user

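As an added example (not from any of the answers above, and not Django's own API), a hypothetical in-memory store that combines the two suggestions above: an opaque UUID public identifier in the URL instead of the auto-increment key, plus a per-object ownership check for the "permissions are involved" case. The check is the part that matters for security; it is needed whether the URL carries a UUID or the sequential pk.

```python
import uuid
from dataclasses import dataclass, field


@dataclass
class Article:
    # Hypothetical stand-in for a Django model; the auto-increment
    # primary key stays internal and never appears in a URL.
    pk: int
    owner: str
    title: str
    private: bool = False
    # Opaque identifier used in URLs: uuid4 gives 122 random bits, so
    # it cannot be walked by incrementing and leaks no row count.
    public_id: str = field(default_factory=lambda: uuid.uuid4().hex)


class ArticleStore:
    def __init__(self):
        self._rows = {}          # pk -> Article
        self._next_pk = 1

    def create(self, owner, title, private=False):
        art = Article(self._next_pk, owner, title, private)
        self._rows[art.pk] = art
        self._next_pk += 1
        return art

    def get_for_user(self, public_id, user):
        """Resolve a URL identifier and enforce object-level access.

        Returns None both when the id does not exist and when the
        caller may not read it, so the URL is not an oracle that
        confirms which ids exist. The UUID only stops guessing; this
        ownership check is what stops a user who holds a valid link
        from reading someone else's private article. A view keyed on
        the sequential pk would need exactly the same check.
        """
        art = next((a for a in self._rows.values()
                    if a.public_id == public_id), None)
        if art is None or (art.private and art.owner != user):
            return None
        return art


def url_for(art):
    """Build the public URL; the hex UUID replaces /article/10051."""
    return f"http://example.com/article/{art.public_id}"
```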
  • 伊谢尔伦, 2017-04-17 15:16:17

    Your worry is mainly about preventing hackers from intruding.
    Why not look for information on this?
    For example: PPTP, L2TP, SSL,...?

  • 阿神, 2017-04-17 15:16:17

    Just add a random salt to the hash, and the random salt can be stored directly in the client session in clear text.
