
I am developing a social network and I would like to know whether, on a user's profile page, I can put the user id stored in the database as a parameter in the URL, or whether that is a bad idea in terms of security.

I want the URL to be bookmarkable. Should I put something else there instead of the user id?

Aliuk

3 Answers

In terms of security there's no problem with putting the user id in a URL. For example, StackOverflow does it already: https://stackoverflow.com/users/3477044/aliuk

What's important is to verify that the currently authenticated user is allowed to access this URL and take actions on its behalf.

Darin Dimitrov

Most social networks I've been using use the username in the URL, not the id; of course it also affects SEO, since you have a "pretty URL".

Security really depends on how you write your code. Say there is a page to edit a profile: if you put in your code something like `UPDATE .. SET .. WHERE id = $_GET['id']`

no question it's dangerous. For every user action (posting, editing a profile, etc.) you should check who is logged in, not what the id in the current URL is.

MisterCat
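The two answers above make one point between them: exposing the database id in a URL is fine for a public, read-only profile page, but any write must be authorised against the logged-in session rather than the id in the URL, and the id must never be spliced into SQL. The following is an added, runnable Python/sqlite3 example written for this page (it is not code from the question or from either answer); the `users` table, the two sample accounts and the function names `view_profile`, `update_bio_vulnerable` and `update_bio_safe` are all constructed for the demonstration. It shows the `WHERE id = $_GET['id']` pattern MisterCat warns about, both of its failure modes (insecure direct object reference and SQL injection), and the hardened form Darin Dimitrov describes.

```python
import sqlite3


def make_db():
    """Constructed sample data for the demo (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, bio TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "hello"), (2, "bob", "hi")])
    conn.commit()
    return conn


def bios(conn):
    """Helper for inspecting state: {username: bio}."""
    return dict(conn.execute("SELECT username, bio FROM users").fetchall())


def view_profile(conn, url_id):
    """Public, read-only lookup by the id in the URL (the StackOverflow
    /users/<id> case).  Exposing the id is fine as long as the query is
    parameterised and only public columns are returned."""
    row = conn.execute(
        "SELECT id, username, bio FROM users WHERE id = ?", (url_id,)
    ).fetchone()
    return None if row is None else {"id": row[0], "username": row[1], "bio": row[2]}


def update_bio_vulnerable(conn, url_id, new_bio):
    """The pattern MisterCat warns about: the row to edit is taken from the
    URL and spliced into the SQL string.  Two distinct bugs:
      1. insecure direct object reference: any logged-in user can edit any id;
      2. SQL injection: url_id is interpreted as SQL, not as a number."""
    conn.execute("UPDATE users SET bio = '%s' WHERE id = %s" % (new_bio, url_id))
    conn.commit()


def update_bio_safe(conn, session_user_id, url_id, new_bio):
    """Hardened form: authorise against the authenticated session, then use
    a parameterised query.  Returns the number of rows updated."""
    try:
        target = int(url_id)          # a non-numeric id never reaches SQL
    except ValueError:
        raise PermissionError("invalid profile id")
    if target != session_user_id:     # who is logged in, not what the URL says
        raise PermissionError("not your profile")
    cur = conn.execute("UPDATE users SET bio = ? WHERE id = ?", (new_bio, target))
    conn.commit()
    return cur.rowcount


def demo():
    """Attacker is logged in as bob (id 2) and requests /edit-profile?id=1."""
    results = {}

    conn = make_db()
    update_bio_vulnerable(conn, "1", "pwned")          # IDOR: bob edits alice
    results["idor"] = bios(conn)

    conn = make_db()
    update_bio_vulnerable(conn, "1 OR 1=1", "pwned")   # injection: every row
    results["injected"] = bios(conn)

    conn = make_db()
    try:
        update_bio_safe(conn, 2, "1", "pwned")         # rejected
    except PermissionError as e:
        results["denied"] = str(e)
    results["own_rows"] = update_bio_safe(conn, 2, "2", "bob's new bio")
    results["safe"] = bios(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note that the hardened version does not make the id secret; it simply stops trusting it. Whether the target id comes from the URL, a hidden form field or a JSON body, the authorisation decision is `target == session user` (or whatever role rule the application defines), and the database call is parameterised regardless.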

It is secure if you secure your website against SQL injection. But if a breach happens, all users are vulnerable. The only thing a hacker needs to do is find the user profile and get his id, copy the output of the SQL injection, go to a text editor, press Ctrl-F and search for the user id.

  • But hackers could do the same with any other data instead of the user id, couldn't they? – Aliuk Jul 24 '16 at 14:32
  • Your answer lacks a great deal. The issue is not only SQL injection, but insecure direct object references, in addition to the operational security issues posed by directly exposing any database ID in a URL. – David Hoelzer Jul 25 '16 at 11:31