If you're using plain integer id's for your records, obfuscating the id's from the general public might be a good idea. You can use UUID's but that's not always possible, for instance, if you're working on a legacy project and don't want to fiddle with the database (yet).
Obfuscating id's can get handy. Basically, what it means is you can turn id's into random strings and back. For instance, you can turn `243242` to `cds7rk23` and turn `cds7rk23` back to `243242`. There are libraries that handle this, like Tiny for php by Zack Kitzmiller.
Why would you want to do this? Well, if you have URL's like `http://myapp.com/api/user/1245` it's pretty easy to guess that there probably are users with id's 1-1245. And if this is a public API, it's even more improtant. If you can guess all the data endpoints it's possible that someone is able to pull out all the data through your API. That could be your goal but in many cases it's probably not.
If you use obfuscating the url could look something like `http://myapp.com/api/user/7Hc6dl3` which is a lot more difficult to guess. And it makes it close to impossible to try to guess all the other id's available.
October 29, 2015
© 2024 Jackdaw's Nest