
Zoul's avatar
Level 5

hiding id from url

Hi everyone, I searched and found there are 2 methods:

  1. using UUIDs, which requires adding a uuid column to my migration tables, followed by a trait so that it can be used everywhere

  2. encrypting the id in Blade like: encrypt($blog->id) and decrypting it in the controller like: Crypt::decrypt($id); However, this one is not very secure: if the user changes the value, an exception can be thrown.

Is there a way that I can make the second method more secure to use? Or maybe you have another suggestion? Thanks a lot!

0 likes
23 replies
lat4732's avatar

You can decrypt what the user set as GET parameter and check if it exists in the database as an id. If it doesn't exist, throw 404. But I prefer uuid.

1 like
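The hardened version of "method 2" from the question, written as lat4732 describes it: an added example, not code from the thread. It assumes a Laravel app with a hypothetical Blog model and a matching policy; the Blade side would link with encrypt($blog->id).

```php
<?php
// Added example (not from the thread). Assumes Laravel with a hypothetical
// App\Models\Blog model and a BlogPolicy that defines a 'view' ability.

namespace App\Http\Controllers;

use App\Models\Blog;
use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Support\Facades\Crypt;
use Illuminate\Support\Facades\Gate;

class BlogController extends Controller
{
    // Blade side (hypothetical route name):
    //   <a href="{{ route('blog.show', encrypt($blog->id)) }}">...</a>

    public function show(string $encryptedId)
    {
        try {
            // Crypt::decrypt() verifies the MAC before decrypting, so a value the
            // user has edited raises DecryptException instead of yielding garbage.
            $id = Crypt::decrypt($encryptedId);
        } catch (DecryptException $e) {
            // A tampered or unknown token is treated exactly like a missing record.
            abort(404);
        }

        // encrypt() serialises the value, so a genuine token decrypts back to an int.
        if (!is_int($id) || $id < 1) {
            abort(404);
        }

        // Existence check: an id with no record also becomes a 404.
        $blog = Blog::findOrFail($id);

        // Hiding the id is not access control: the policy decides whether
        // the current user may see this particular record.
        Gate::authorize('view', $blog);

        return view('blog.show', ['blog' => $blog]);
    }
}
```

The same try/catch plus authorisation applies to update and destroy actions; the opaque id only stops users from guessing neighbouring records, it never replaces the policy check.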
Zoul's avatar
Level 5

Thanks for your support @Laralex!

Yes, many developers prefer uuid, but I guess I have to modify all my migration tables by adding a uuid column, right? Which is not practical when I want to add it to an app in production mode. The second thing is that uuid can slow the performance as it generates a long encrypted string, but it's recommended when using multiple DBs.

"check if it does exists in database as an id. If doesn't exist - throw 404." This sounds good if it's secure.

MohamedTammam's avatar

May I know what's the use case that needs to hide the id from the URL?

1 like
Zoul's avatar
Level 5

Thanks @MohamedTammam for your help!

I'm sending IDs from Blades via update, create, show forms to controllers, and vice versa, and I don't want to expose IDs in URL traffic, which makes my app vulnerable to attack. I'm looking for a way to hide IDs on the fly.

iftekhs's avatar

@Zoul How does exposing your id make your app vulnerable? Are you not protecting your app from that kind of thing? For example, you can easily validate your delete function so that the correct person deletes the correct data, whether the id is exposed to them or not. So what vulnerability are you actually trying to point out?

1 like
Zoul's avatar
Level 5

Thanks for your support @iftekhs!

Let me take the id of 2 as an example that is being sent from Blade to the controller, and sent back again with the exact record. This id looks like this in the URL:

http://www.exmaple.com/blog/2
http://www.exmaple.com/user/2
etc

Are you saying that leaving the id in the URL is safe? If that is correct, why are developers using uuid or encrypting ids to hide them from the URL? Thanks

jlrdw's avatar

@Zoul click the My participation link; you do not see an ID, you can use the auth id. Using the ID in the URL is not applicable in that case.

1 like
Zoul's avatar
Level 5

Thanks @MohamedTammam for your help! I don't know if exposing IDs in the URL is dangerous or not. I'm about to secure my app before deploying it to production, and I found developers talking about uuid and encrypting ids that should be hidden from the URL. Do you think, if I'm sending id number 1, which passes through the URL as 1, getting it in the controller, then checking and getting its record from the DB and sending it back again to the Blade, is safe?

Zoul's avatar
Level 5

Thanks @jlrdw for your support! If I got you correctly, you are saying that when authenticating users it's not applicable, but what about when using other data, like blogs etc.? Doesn't that matter?

MohamedTammam's avatar

@Zoul There's no security issue here. People use something different than the id for different cases.

For example, slugs for better SEO, uuid to prevent users from finding the order of records: for example, if you see blog/2 you know that the next blog is blog/3, etc.

But there's no security issue in exposing the id.

2 likes
jlrdw's avatar

@Zoul you have two main situations of updating:

  • A user can update their own data (like a reply here)

In that case the auth id is verified via authorization to make sure the correct id is used.

  • A known trusted person is updating something (like a trusted admin)

In that case it is safe to use the id in the URL, but authorization is still used.

An example: an admin is updating some employee data. If authorization and query scopes are used, you really don't need uuids.

2 likes
Zoul's avatar
Level 5

Thanks a lot for your valuable time @dincho186, it's a very good article explaining uuid. I'm trying to avoid using uuid if I find another option, although it's the most recommended.

Zoul's avatar
Level 5

Thanks a lot @jlrdw for your help! I was not aware of that: no need to use any kind of uuids when the user is authenticated. Thanks a lot.

Zoul's avatar
Level 5

Thanks a lot @iftekhs for your efforts and support! Very informative discussion about uuids, GUIDs and ids.

Zoul's avatar
Level 5

Thanks a lot for your support @MohamedTammam. "People use something different than the id for different cases." You are right, as others confirmed that for an authenticated user there is no need to use uuids, GUIDs or hashids, but other than that, it's not recommended to expose ids in URLs.

martinbean's avatar
Level 80

@zoul Yes, putting auto-incrementing primary keys in URLs can be a security issue if it means someone can just create a script to enumerate your IDs and scrape your data.

You can use UUIDs as has been mentioned. I wouldn't put encrypted IDs in URLs because if you ever change your encryption key, then that's going to "break" every URL for your site: URLs people have bookmarked/favourited, in their browsers' suggestions, URLs indexed by search engines, etc. Also, if someone does identify encrypted IDs as encrypted strings, then they can start attacking that by trying to decrypt them, and if they discover your encryption key, then you have larger problems, especially if you're using encryption anywhere else in your app.

Another alternative is hashids. This will let you put pseudo-random alphanumeric IDs in URLs that you can then decode server-side back to the integer primary key value.

2 likes
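The hashids round trip martinbean describes, as an added example that is not part of the thread. It assumes the hashids/hashids Composer package; the salt is a placeholder that would come from app configuration, and resolveBlogId is a hypothetical helper name.

```php
<?php
// Added example (not from the thread). Assumes the hashids/hashids package.

use Hashids\Hashids;

// The salt makes the encoding app-specific; keep it in config, not in code.
// Minimum length 10 pads short ids so blog/2 does not become a two-character URL.
$hashids = new Hashids('APP_SPECIFIC_SALT_PLACEHOLDER', 10);

// Blade side: build the public identifier from the integer primary key.
$publicId = $hashids->encode(2);   // pseudo-random alphanumeric string, at least 10 chars

// Controller side: turn the URL segment back into an integer, or null if it is not
// a value we produced. decode() returns an array and yields [] for unparseable input,
// so unlike Crypt::decrypt() there is no exception to catch.
function resolveBlogId(Hashids $hashids, string $publicId): ?int
{
    $decoded = $hashids->decode($publicId);
    if (count($decoded) !== 1 || $decoded[0] < 1) {
        return null;   // caller responds with 404
    }
    return $decoded[0];
}

$id = resolveBlogId($hashids, $publicId);        // 2
$bad = resolveBlogId($hashids, 'not-a-hashid');  // null
```

Hashids is an encoding, not encryption: it hides record order from casual observers, so authorization and ownership checks on the decoded id remain exactly as necessary as with a plain integer.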
iftekhs's avatar

@martinbean "can be a security issue if it means someone can just create a script to enumerate your IDs and scrape your data." -> Unless you have correct authorization and validation, right?

Zoul's avatar
Level 5

Thanks a lot @martinbean, I guess I will finally use hashids, which takes less memory than uuids.

Zoul's avatar
Level 5

Thank you all so much for your valuable time and support!

1 like
