Josh Berkus <josh@agliodbs.com> writes:
> Mark, Nathan,
>
> I'm moving this over to the PGSQL-SQL list, away from -hackers, as it's no
> longer a -hackers type discussion. Hope you don't mind!
>
> > On Wed, Sep 07, 2005 at 11:31:16AM -0700, Josh Berkus wrote:
> > > I'm also a little baffled to come up with any real application where
> > > making an id number for most tables "unguessable" would provide any
> > > kind of real protection not far better provided by other means. For
> > > your "users" table, sure, but that's a very special case.
> >
> > It should never be the sole means of defense, however, it can be quite
> > effective at prevention.
> >
> > For a rather simple example, consider a site that associates a picture
> > with each member. If the pictures are named 1.jpg, 2.jpg, 3.jpg, etc.
> > it makes it ridiculously easy to write a script to pull all of the
> > pictures off the site. This can be bothersome, as the only type of
> > person who would do this, is the type of person with an illegitimate
> > motivation. I want the data to be easily and freely accessible as
> > specific objects, but I do not wish to provide an easy way of
> > dumping all of the data as a unit.
Of course you could have just done the same thing using an hmac (or a simple
hash like crypt) and not had to store an extraneous meaningless piece of
information in your database.
--
greg
