not using auto_increment id fields
#1

[eluser]bobqphp[/eluser]
I'm working on a little project now and wanted to use random character strings for user IDs and data object IDs, instead of auto-incrementing numerical IDs. Is this considered bad practice? These web frameworks seem to be built on the premise of using the auto-increment IDs, so I don't want to deviate from the standard without good reason.

speaking of which, my reason is that since user/object IDs are part of urls, I don't want someone to try iterating through data. for example, think of a photo-sharing site where photo pages looked like /view/3634/192462 where 3634 was the user's ID, and 192462 was the photo's ID. assuming a low-traffic site, it's plausible that if a user uploads multiple photos in one session they'd all have near-sequential IDs.

maybe I'm just getting paranoid over nothing, but I do like that random strings look, well, random. am I crazy?
#2

[eluser]ejangi[/eluser]
I kind of understand what you're wanting to do, but if it's for security reasons you really shouldn't be relying on a random string alone. Personally, I would be using a username instead of a user-ID, and the photo-ID thing I personally wouldn't be too worried about. In any case, you should be checking to see that the photo belongs to the requested user also, otherwise you'll get weird data display bugs (like a photo being displayed by the wrong publisher).

With your photo-sharing example, perhaps the photo-ID in the URI isn't the primary-key of the DB, but the users' photo sequence, so each user has their own photo 1, 2, 3, 4 - does that make sense??? I dunno, I just don't think I'd be that worried about people trying to jump through things sequentially.

If you really want a random ID, I'd try something like:
Code:
// uniqid() with a random prefix and the "more entropy" flag set
$id = uniqid(rand(), true);
// or even: hash the result to get a fixed-length 32-character hex string
$md5_id = md5(uniqid(rand(), true));
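The two points made in this reply, an ID that cannot be guessed and a lookup that also verifies the owner, as an added PHP example (not code from the thread or from CodeIgniter). It assumes PHP 7 or later for random_bytes(), and the PhotoStore class is a hypothetical in-memory stand-in for a photos table:

```php
<?php
// Added example, not from the original thread: unguessable IDs from the
// CSPRNG plus an ownership check, so a URL like /view/{user}/{photo}
// cannot be walked sequentially and a valid photo id under the wrong
// user id is rejected.
declare(strict_types=1);

/** Generate a URL-safe identifier with 128 bits of entropy. */
function newId(int $bytes = 16): string
{
    // random_bytes() is PHP's cryptographically secure generator.
    $raw = random_bytes($bytes);
    // base64url: '+' -> '-', '/' -> '_', padding removed, safe in a URL path.
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

/** Hypothetical in-memory store standing in for the photos table. */
final class PhotoStore
{
    /** @var array<string, array{owner: string, file: string}> keyed by photo id */
    private array $photos = [];

    public function add(string $ownerId, string $file): string
    {
        $photoId = newId();
        $this->photos[$photoId] = ['owner' => $ownerId, 'file' => $file];
        return $photoId;
    }

    /**
     * Look up a photo for display. Returns null unless BOTH ids match the
     * same row. With a real table this is the same as querying
     *   WHERE id = ? AND owner_id = ?
     * rather than fetching by photo id alone and trusting the user id.
     */
    public function find(string $userId, string $photoId): ?array
    {
        $row = $this->photos[$photoId] ?? null;
        if ($row === null || !hash_equals($row['owner'], $userId)) {
            return null;
        }
        return $row;
    }
}

// Constructed sample data.
$store = new PhotoStore();
$alice = newId();
$bob   = newId();
$photo = $store->add($alice, 'sunset.jpg');

// Correct owner and photo: found.
var_dump($store->find($alice, $photo) !== null);
// Valid photo id, wrong owner in the URL: treated as not found.
var_dump($store->find($bob, $photo) !== null);
// Unknown photo id: not found.
var_dump($store->find($alice, 'no-such-photo') !== null);
```

The first var_dump prints true and the other two print false. The random id only makes enumeration impractical; the owner check in find() is what stops a guessed or leaked photo id from being displayed under another user's path, which is why the reply says not to rely on the random string alone.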
#3

[eluser]Eric Cope[/eluser]
Have you looked at sessions to keep visitors in their designated areas?
I have found CI's sessions to be very easy to use...
#4

[eluser]Sean Murphy[/eluser]
No, you're not crazy. This is something I'd like to experiment with myself. Using a GUID as the primary key will allow you to easily shard your tables across multiple servers without causing collisions.
#5

[eluser]bobqphp[/eluser]
thanks for the replies. thinking of it as a GUID is a good idea. regarding user accounts and sessions, I'm actually a username/password concept. instead, I'm giving a user a random string (or GUID) as an ID. sounds unconventional, but it's a very simple project so it works. so in the photo-sharing example, your "account" is accessed via a url with your GUID in it (it's not really user-centric, but I want visitors to have a trivial way of keeping track of their submissions). and I definitely would check that the user-GUID owns that photo-GUID.

there's really no serious security consideration since there are no passwords or anything worth stealing, but for some reason I like the GUID string aesthetically :P