Re: Using Random Sequence as Key

From: "Bernardo de Barros Franco" <electric_csf(at)hotmail(dot)com>
To: pgsql-sql(at)postgresql(dot)org
Subject: Re: Using Random Sequence as Key
Date: 2001-04-16 22:30:42
Message-ID: 9bfrg7$s14$1@news.tht.net
Lists: pgsql-sql

It is a good way to solve it but since I don't want/can't use cookies in my
application I could use only the random key but it would have to be unique
or the where key=$key could refer to multiple lines or I would have to ask
for the user to input both the random and the serial number which wouldn't be
very good either. That's the reason I've been trying to make a random key
which would be unique so I could ask for the user to type his order code and
then select info from orders where ordercode=$ordercode and not have the
risk of getting multiple answers (more than one line with that ordercode) or
someone typing his ordercode-1 and accessing someone else's form.
Ok, if I don't use a password or other protection even with random, users can
keep trying to guess but I don't have much of a problem with someone
accessing someone else's form, I just don't want the user to let's say type
his ordercode and by mistake type the last char say 1 less than his own and
access someone else's form and be completely lost. With random that still can
happen but it is so less likely that will do.

Thank you

Quoting:
> Bernardo de Barros Franco writes:
> > Hello, I was wondering if no one can help me maybe someone could at least
> > give me some directions where to look for info or where to ask:
> > I wanted to index a table by a random key.
>
> As others have pointed out, making a unique random primary key is
> tough. What I do for my cookie on my web based login system is have
> two fields in my database, one's the "id SERIAL", the other is a
> "magiccookie CHAR(16)" which I populate with 16 random characters on
> the initial insert.
>
> My cookie is then of the format "id/magiccookie". In my login
> verification code I split on the "/" character and query on "WHERE
> id=$id AND magiccookie=$magiccookie". Even though the "id" field is
> encoded in the cookie in plain text a cracker can't just guess at the
> user id number because that 16 character magiccookie needs to match as
> well.
>
> This also lets me be pretty loose about the id information, I can use
> it in other public places, because only the magiccookie needs to be
> restricted to being known by the logged in user.
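
Both approaches discussed in this message, as an added example that is not code from the thread: a unique random order code enforced by a UNIQUE constraint with retry on collision, and the quoted "id/magiccookie" check. It assumes an in-memory SQLite table standing in for the PostgreSQL one; the `item` column, the code alphabet and length, and all function names are hypothetical, and bound parameters replace the `$key` interpolation.

```python
import hmac
import secrets
import sqlite3

ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"  # assumed: no 0/O/1/I/L, fewer typing slips

def open_db():
    db = sqlite3.connect(":memory:")  # stand-in for the PostgreSQL database
    db.execute(
        "CREATE TABLE orders ("
        " id INTEGER PRIMARY KEY,"           # plays the role of 'id SERIAL'
        " ordercode TEXT NOT NULL UNIQUE,"   # the database enforces uniqueness
        " magiccookie TEXT NOT NULL,"
        " item TEXT NOT NULL)")
    return db

def random_code(length=10):
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def create_order(db, item, code_source=random_code, max_tries=5):
    """Insert an order; a colliding code is rejected by UNIQUE and regenerated."""
    for _ in range(max_tries):
        code = code_source()
        cookie = secrets.token_hex(8)  # 16 random characters, as in the quoted reply
        try:
            cur = db.execute(
                "INSERT INTO orders (ordercode, magiccookie, item) VALUES (?, ?, ?)",
                (code, cookie, item))
            return cur.lastrowid, code, cookie
        except sqlite3.IntegrityError:
            continue  # code already taken: try another one
    raise RuntimeError("could not allocate a unique order code")

def lookup_order(db, ordercode):
    """WHERE ordercode = ? with a bound parameter; returns one row or None."""
    return db.execute("SELECT id, item FROM orders WHERE ordercode = ?",
                      (ordercode,)).fetchone()

def verify_cookie(db, cookie):
    """Check 'id/magiccookie': look up by id, compare the secret in constant time."""
    id_part, sep, magic = cookie.partition("/")
    if not sep or not id_part.isdecimal() or len(id_part) > 18:
        return False
    row = db.execute("SELECT magiccookie FROM orders WHERE id = ?",
                     (int(id_part),)).fetchone()
    return row is not None and hmac.compare_digest(row[0].encode(), magic.encode())
```

With a 10-character code over this 31-symbol alphabet, a one-character slip almost never lands on another existing order, and the lookup can never return more than one row.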
