PHP Forum

**UCDaZ** · 11-02-2008, 04:51 PM

In my url i'm passing parameters like
www.myexample.com/sample.php?BusinessId=5
The 5 in this case is the primary key of the database table "business."
Should I hash the "5" or is it ok to tell the world the primary key id?
Are there any security issues I should worry about?
Thanks!

**JeremyMiller** · 11-03-2008, 03:07 AM

That should be fine depending on other, un-named aspects of your program. Hashing isn't necessary. Sanitizing your data, however, is necessary.

PHP Code:


			
$business_id = (int)$_GET['BusinessId'];

**UCDaZ** · 11-03-2008, 04:15 AM

But can't some hacker write a scrapper by incrementing the id's?
For loop from BusinessId 1...1000

**jito** · 11-03-2008, 04:42 AM

Yes there is security issues. Try URL rewrite to hide it, you can hash it( but do you really need that! ask yourself), or you can check the id with a given range ... if you are displaying data based on that id.

**JeremyMiller** · 11-03-2008, 01:59 PM

Security is rarely achieved by obfuscation. Authenticate properly if you don't want people accessing a page. Hashing isn't the correct solution b/c then anybody who has the URL will be able to access it. Make them login if you don't want it public.