在请求和响应中使用行ID设计api
[英]designing api using row ids in request and response
问题描述
is it a good practice to give row ids in api response and using row ids in api request queries. 
在api响应中提供行ID并在api请求查询中使用行ID是一种好习惯吗?
whether to use uniquely generated key instead of row ids for api. 是否对api使用唯一生成的键而不是行ID。
Are there any security issues in using row ids 使用行ID是否存在任何安全问题
1 个解决方案
解决方案1
1 已采纳 2014-03-28 10:39:35
It is commonplace for returned entities to have a unique identifier attached to them. 返回的实体附有唯一的标识符是很平常的事。 This is typically, but not always, the same as a unique database identifier. 通常,但并非总是与唯一数据库标识符相同。 If exposing the unique database id is a security issue, it's almost always because an attacker is able to write SQL to your database. 如果公开唯一的数据库ID是安全问题,那么几乎总是这样,因为攻击者能够将SQL写入数据库。 In that case, you're better served patching the SQL vulnerability, since the attacker can trivially get unique ids in that case anyway. 在这种情况下,最好为SQL漏洞打补丁,因为在这种情况下,攻击者可以轻松获得唯一的ID。
There is a good argument for using non-linear ids, as it prevents an attacker from walking through all your data looking for parts of the API you forgot to secure. 使用非线性ID有一个很好的论据,因为它可以防止攻击者浏览所有数据以查找您忘记保护的API部分。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.