CONTROLLERS, single method or different methods for different actions?
#4

(05-10-2016, 02:24 PM)cartalot Wrote:
Quote: Let's say I have a Controller and a View where you can edit a customer (where 123 is the customer's unique ID):
/customer/edit/123

do not do this. I know it's in almost every API tutorial to do it this way - but if you have any choice at all do not, because exposing the customer id, or a db record id, in the URL for a page that you need to be logged in to access is insecure.

No it's not, at least not in most cases.

It's a minor information leak at best, and could be classified as such solely because of the logical argument that, if something requires login to be seen, it is therefore a secret to unauthenticated users.
Following this line of logic, anything that is accidentally seen by outsiders is an information leak - even silly stuff like visitors count for the past hour.

You need to perform risk assessment (a fancy term for "think about potential dangers") to really know if leaking a single customer ID could be harmful in any way, but chances are that (unless you require login for all users) you'd have totally public links exposing the same IDs anyway, making the above argument void.

Even if you decide that exposing these IDs is indeed a risk, API design is not the issue; it's the scheme used to generate the IDs in the first place.

Speaking of which, a potentially way more serious issue (and possibly the reason why you've heard/read the advice you're echoing here) is using such numeric, sequential IDs, especially when authentication is not required.
It doesn't matter if they appear in a URL, a POST form field, etc. It's the IDs' deterministic nature that can bite you ... Imagine a dating site using the very popular AUTO_INCREMENT-ed integers for user ids, and without any further safeguards, using the same IDs to name uploaded user pictures - a one-line command would be able to download ALL pictures on the website, resulting in a major privacy breach.

(05-10-2016, 02:24 PM)cartalot Wrote: and make the method private like _editcolors()

Nitpicky, but ... s/private/inaccessible/
Terminology is important. :)

CodeIgniter may prevent controller methods prefixed with an underscore from being publicly accessible, but that's just a legacy feature left from the PHP4 era when the underscore-prefixing convention was used to denote methods that shouldn't be called from outside of that class.
Technically, it's just an informational thing; CI developers at the time decided to make it functional due to lack of better alternatives.

But we're in the PHP7 era now and "private" has a specific meaning. Also, making controller methods really private by using the keyword works just fine - you don't need to prefix those with an underscore and they still won't be routable.
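An added example, not part of the original post or of CodeIgniter: it contrasts the sequential file-naming scheme described in the post with names drawn from a CSPRNG, and pairs that with an ownership check for records meant to be private. All function names, array keys and sample records are hypothetical.

```php
<?php
// Added illustration; function and field names are hypothetical.

// Weak scheme described in the post: the stored name is derived from the
// AUTO_INCREMENT user id, so every valid name can be predicted by counting.
function sequential_picture_name(int $userId): string
{
    return $userId . '.jpg';
}

// Stronger scheme: 128 bits from the OS CSPRNG (random_bytes, PHP 7+).
// The name carries no information about the owner or the row count.
function random_picture_name(): string
{
    return bin2hex(random_bytes(16)) . '.jpg';
}

// Unpredictable names are not an access control. Where a record is
// supposed to be private, check ownership on every request as well.
function can_view_picture(array $picture, ?int $sessionUserId): bool
{
    if ($picture['is_public']) {
        return true;
    }
    return $sessionUserId !== null && $picture['owner_id'] === $sessionUserId;
}

// Constructed sample data.
$pictures = [
    ['owner_id' => 1, 'is_public' => false, 'file' => random_picture_name()],
    ['owner_id' => 2, 'is_public' => true,  'file' => random_picture_name()],
];

printf("sequential: %s, %s\n", sequential_picture_name(1), sequential_picture_name(2));

foreach ([null, 1, 2] as $viewer) {
    foreach ($pictures as $p) {
        printf(
            "viewer=%s file=%s allowed=%s\n",
            $viewer ?? 'guest',
            $p['file'],
            can_view_picture($p, $viewer) ? 'yes' : 'no'
        );
    }
}
```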


Messages In This Thread
RE: CONTROLLERS, single method or different methods for different actions? - by Narf - 05-10-2016, 03:28 PM


