All the Perl that's Practical to Extract and Report

  • by gav (2710) on 2003.04.29 14:13 (#19581) Homepage Journal
    How do you work around that? For example, if you were showing a list of things to a user and wanted them to select something, I'd have internal IDs visible. They'd see:
    /script/select?id=1
    I'm not quite sure what the problem is; they could always edit the URL to change the ID, but there should be no chance that they can work around permissions this way.
    • Re:interesting (Score:3, Interesting)

      Sorry, I was unclear. The id is typically in the URL or in a hidden field and that's fine, but it shouldn't be showing up in a table. It's not information that the user needs or can do anything with, but it can be tiring telling the user that it really doesn't mean anything and "no, you can't change it".

      • Re:interesting (Score:2, Informative)

        That makes more sense now :)

        I worked on a system where the client was paranoid that people were able to see database IDs in hidden fields and change them. I wrote an extra layer that used 8-character random strings as IDs and it was a huge PITA.
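
The two ideas in this thread (an edited `id` must never get around permissions, and a layer of random strings in place of database IDs) shown together as an added Perl sketch; it is not code from any of the posters. The `%owner_of` table, the function names, the session keys and the use of `/dev/urandom` (a Unix-like host) are assumptions made for the example.

```perl
use strict;
use warnings;

# Constructed sample data: record id => owning user (stands in for a database table).
my %owner_of = (1 => 'alice', 2 => 'alice', 3 => 'bob');
# Server-side map, per session: opaque token => internal id (hypothetical layer).
my %session_tokens;

# Issue an 8-character random token for an id, reusing one already issued.
sub token_for {
    my ($session, $id) = @_;
    my $map   = $session_tokens{$session} ||= {};
    my %by_id = reverse %$map;
    return $by_id{$id} if exists $by_id{$id};
    open my $fh, '<:raw', '/dev/urandom' or die "no random source: $!";
    my $token;
    do {
        read($fh, my $raw, 4) == 4 or die "short read from /dev/urandom";
        $token = unpack 'H8', $raw;          # 4 random bytes -> 8 hex characters
    } while exists $map->{$token};           # retry on the rare collision
    $map->{$token} = $id;
    return $token;
}

# Handler for select?id=N. The id is untrusted: validate it, then authorize.
# Missing and not-owned records get the same answer so ids cannot be enumerated.
sub select_record {
    my ($user, $id) = @_;
    return (400, 'bad id') unless defined $id && $id =~ /\A[0-9]{1,9}\z/;
    return (404, 'not found')
        unless exists $owner_of{$id} && $owner_of{$id} eq $user;
    return (200, "record $id");
}

# Same handler behind the token layer. The token only hides the id; the
# permission check in select_record still decides access.
sub select_by_token {
    my ($user, $session, $token) = @_;
    my $id = ($session_tokens{$session} || {})->{ $token // '' };
    return select_record($user, $id);
}

# Constructed requests: own record, someone else's, malformed id, unknown id.
my $t = token_for('sess-bob', 3);
for my $case (['alice', 1], ['alice', 3], ['alice', '2x'], ['alice', 99]) {
    printf "%-5s id=%-3s -> %d %s\n", @$case, select_record(@$case);
}
printf "bob   token=%s -> %d %s\n", $t, select_by_token('bob',   'sess-bob',   $t);
printf "alice token=%s -> %d %s\n", $t, select_by_token('alice', 'sess-alice', $t);
```

With the ownership check in place the plain integer id is already safe to expose in a URL or hidden field; the token layer only changes what the user sees.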