Undefined Variable

Reputation: 4267

encrypting ids of records

In this site we have ids for categories. These are essentially the primary key of categories table. They are sequential and auto-incremental.

This id is passed around the site as a hidden field, session value, etc. In the backend, whenever a form is submitted or some db update is done, the id is validated to make sure that it has not been tampered with.

$id = $this->getPostField('cat_id');
$id = validate($id); //perform checks on the id field 

I could encrypt/decrypt the id so that even if anyone looks at the hidden field he couldn't really understand its value. However my question is - is it really necessary or will I be just adding a layer of complexity which only increases the overhead without too much value add?

$id = $this->getPostField('cat_id');
$id = validate(keyDecrypt($id)); //perform checks on the decrypted id field

I guess why I am asking this is because the id is not very sensitive data like a credit card or social sec number. It does not really matter that the user can see it if he reads hidden fields. As long as I am validating it in the backend I am assuming I should be fine (?)

Upvotes: 0

Views: 204

Answers (2)

guest

Reputation: 6698

I don't consider this security through obscurity.

> if anyone looks at the hidden field he couldn't really understand its value.

There isn't much to understand in the first place. id itself doesn't have any useful information, it just refers to a particular record.

However, since it's an auto-increment integer, it exposes information like how many categories there are. Encrypting the ids with a key makes that meta information confidential, and it does so with a well-defined secret: the encryption key. This isn't security through obscurity, because even if people knew the exact scheme, they still couldn't figure out the category count without the key.

Upvotes: 0
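One way the keyDecrypt() step from the question and the keyed scheme described in this answer could look, as an added example that is not code from the original posts. It uses PHP's bundled sodium extension; keyEncrypt(), the bodies of keyDecrypt() and validate(), and the $knownIds list are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Hypothetical helpers: keyDecrypt() and validate() are only named in the
// question; keyEncrypt() is the assumed counterpart used when rendering a form.
function keyEncrypt(int $id, string $key): string
{
    // Fresh random nonce per token, so the same id never yields the same token.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox((string) $id, $nonce, $key);
    return sodium_bin2base64($nonce . $box, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
}

function keyDecrypt(string $token, string $key): ?int
{
    try {
        $raw = sodium_base642bin($token, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    } catch (SodiumException $e) {
        return null; // not a well-formed token
    }
    $n = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    if (strlen($raw) <= $n + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null; // too short to hold nonce, MAC and at least one digit
    }
    // secretbox is authenticated: any modified byte makes _open() return false.
    $plain = sodium_crypto_secretbox_open(substr($raw, $n), substr($raw, 0, $n), $key);
    return ($plain !== false && ctype_digit($plain)) ? (int) $plain : null;
}

function validate(?int $id, array $knownIds): ?int
{
    // Decryption only proves the server issued the token; the record lookup
    // (and any per-user permission check) still happens here.
    return ($id !== null && in_array($id, $knownIds, true)) ? $id : null;
}

$key      = sodium_crypto_secretbox_keygen(); // real use: load from server-side secret config
$knownIds = [1, 2, 3];                        // constructed stand-in for the categories table

$token    = keyEncrypt(2, $key);
$tampered = ($token[0] === 'A' ? 'B' : 'A') . substr($token, 1); // one character changed

var_dump(validate(keyDecrypt($token, $key), $knownIds));    // token as issued
var_dump(validate(keyDecrypt($tampered, $key), $knownIds)); // modified token
var_dump(validate(keyDecrypt('3', $key), $knownIds));       // guessed raw integer
```

The token hides the sequential value and rejects edited input, but validate() remains the access decision: a token copied from one form is still a valid reference to that category.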

punkeel

Reputation: 969

You can also add a uniqid to every Category, and check if id + uniqid are linked to a category. This uniqid can even be the slug, for example.

But it looks like overhead: if someone really wants to change something client-side, it is still possible. As long as you check server side, it's good. And as you save it in the session, it's quite fast and easy.

As said above in comments, it's security through obscurity, and it won't protect you for long if the attacker really wants to.

It's up to you to see if it's valuable to use the id, another field, or encrypt it ... (you may also hash it, as the id is stored in session :-))

Upvotes: 1
