Stopping people from brute forcing URL / UUIDs
#7

[eluser]jedd[/eluser]
[quote author="RS71" date="1237787495"]I hadn't thought of the IP ban on invalid IDs, very nice. I'd need non-sequential IDs for that to work nicely.[/quote]

You could have honeypot IDs. Though this would be ugly - it's getting very complicated for something that should really be handled by a proper ACL/permissions system.

Quote: Wouldn't encrypting the IDs need lots of processing power since for every item for every user viewing the site

I'd do it at ID creation - probably using md5 to create the second column (right next to ID) and using that new md5 field for all public references (i.e. URL components). You'd want to salt it, if you did it that way, of course, and not just base it on md5('1') (etc).

The base64 stuff was, I think, to ensure no nasties in the URL. MD5 offers the same feature, of course.


But remember, at the end of the day, we are not enamoured with security by obscurity.
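The approach from the post above, as an added example that is not jedd's code or part of CodeIgniter: the public reference is derived once at creation, and the ownership check still decides access. It assumes HMAC-SHA256 with a server-side secret in place of the salted md5 the post mentions; `ID_SECRET`, `make_public_id`, `create_item`, `fetch_item` and the `$items` array (a stand-in for the table with its second column) are hypothetical names.

```php
<?php
// Constructed secret playing the role of the "salt"; load it from config in practice.
const ID_SECRET = 'constructed-example-secret';

// Computed once, when the row is created, and stored next to the sequential ID.
// Hex output is URL-safe, so no base64 step is needed.
function make_public_id(int $id): string
{
    return substr(hash_hmac('sha256', (string) $id, ID_SECRET), 0, 32);
}

// Stand-in for an INSERT that fills both the id and public_id columns.
function create_item(array &$items, int $id, int $ownerId, string $title): string
{
    $publicId = make_public_id($id);
    $items[$publicId] = ['id' => $id, 'owner_id' => $ownerId, 'title' => $title];
    return $publicId;
}

// Lookup by public reference. Unknown, malformed and not-owned references all
// return null, so a guesser cannot tell which references exist.
function fetch_item(array $items, string $publicId, int $userId): ?array
{
    if (!preg_match('/^[0-9a-f]{32}$/', $publicId)) {
        return null;
    }
    $row = $items[$publicId] ?? null;
    if ($row === null || $row['owner_id'] !== $userId) {
        return null; // the permission check is what protects the row
    }
    return $row;
}

// Constructed sample data: two items owned by two different users.
$items = [];
$first  = create_item($items, 1, 10, 'invoice for user 10');
$second = create_item($items, 2, 20, 'invoice for user 20');

var_dump(fetch_item($items, $first, 10) !== null);   // owner requests own item
var_dump(fetch_item($items, $second, 10) !== null);  // valid reference, wrong user
var_dump(fetch_item($items, md5('1'), 10) !== null); // guess based on unsalted md5('1')
```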

