I have view and update URLs like
/project/1 or /project/update/1
The issue I see is that people can hack around by replacing 1 with other numbers.
What do you do? Keep it as is or make your URL more mysterious (how?)?
If you really need to make the URL less predictable, you could store hashes in a lookup table. A simple key value storage could work (hash => URL alias).
http://example.com/<hash>
Rather than obfuscation I would implement an access control function that checks if the user has the right to access the specific URL. In my case I get the user id and look up in the database if the user is allowed to see the page.
For example:
<?php

namespace app\controllers;

use Yii;
use yii\web\Controller;
use yii\filters\AccessControl;
use yii\filters\VerbFilter;
use app\models\User; // adjust to the namespace of your own User model

class NoteController extends Controller
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::className(),
                'rules' => [
                    [
                        // index/preview: any authenticated user ('@') who is staff
                        'allow' => true,
                        'roles' => ['@'],
                        'actions' => ['index', 'preview'],
                        'matchCallback' => function ($rule, $action) {
                            $user = User::findIdentity(Yii::$app->user->getId());
                            return $user->isStaff();
                        },
                    ],
                    [
                        // create: any authenticated user
                        'allow' => true,
                        'roles' => ['@'],
                        'actions' => ['create'],
                    ],
                    [
                        // view/update/delete: only if this user is allowed to access
                        // the note whose id is given in the URL (checked in the database)
                        'allow' => true,
                        'roles' => ['@'],
                        'actions' => ['view', 'update', 'delete'],
                        'matchCallback' => function ($rule, $action) {
                            return User::isAllowed(Yii::$app->user->getId(), 'note', $_GET['id']);
                        },
                    ],
                ],
            ],
            'verbs' => [
                'class' => VerbFilter::className(),
                'actions' => [
                    'delete' => ['post'],
                ],
            ],
        ];
    }
}
First of all, proper access checks are required as akorinek mentioned. Second, you have two options:
As artificial suggested, you can use a separate hash table.
Instead of integer IDs you can use UUIDs.
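To show what the two answers above mean in practice, here is an added, stand-alone example that is not from this thread or from the Yii project. It contrasts a lookup that trusts the id from the URL (the "replace 1 with 2" problem) with a lookup that includes the current user in the query, and adds a UUID as a non-guessable public identifier on top of that check. The `$projects` array, the user ids 10 and 20, and the function names are all constructed for the example; a real application would do the same queries against its database.

```php
<?php
// Added example (not from the forum thread): ownership check versus URL obfuscation.
// The "database" is a constructed in-memory array so the script runs stand-alone.

declare(strict_types=1);

// Constructed sample data: two users (ids 10 and 20), each owning one project.
$projects = [
    1 => ['id' => 1, 'owner_id' => 10, 'uuid' => '2f1c9d2e-6b8b-4c55-9a6e-2a0f4c1d7e31', 'title' => 'alice project'],
    2 => ['id' => 2, 'owner_id' => 20, 'uuid' => '9c4b7a60-1e3f-4d8a-b2c5-7f6e5d4c3b2a', 'title' => 'bob project'],
];

/** Vulnerable lookup: trusts the id from the URL, so /project/2 works for anyone who types "2". */
function findProjectUnchecked(array $projects, int $id): ?array
{
    return $projects[$id] ?? null;
}

/** Hardened lookup: the owner is part of the query, so a foreign id returns nothing (treat as 404). */
function findProjectForUser(array $projects, int $id, int $currentUserId): ?array
{
    $project = $projects[$id] ?? null;
    if ($project === null || $project['owner_id'] !== $currentUserId) {
        return null;
    }
    return $project;
}

/** Generate an RFC 4122 version-4 UUID from CSPRNG bytes, for use as a non-guessable public id. */
function uuidV4(): string
{
    $b = random_bytes(16);
    $b[6] = chr((ord($b[6]) & 0x0f) | 0x40); // set version nibble to 4
    $b[8] = chr((ord($b[8]) & 0x3f) | 0x80); // set RFC 4122 variant bits
    return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($b), 4));
}

/** Lookup by UUID instead of integer id; the ownership check is still applied. */
function findProjectByUuidForUser(array $projects, string $uuid, int $currentUserId): ?array
{
    foreach ($projects as $project) {
        if (hash_equals($project['uuid'], $uuid) && $project['owner_id'] === $currentUserId) {
            return $project;
        }
    }
    return null;
}

// Simulated requests: user 10 opens her own project, then edits the URL to /project/2.
$alice = 10;
var_dump(findProjectUnchecked($projects, 2) !== null);        // bool(true): bob's project leaks
var_dump(findProjectForUser($projects, 2, $alice) === null);  // bool(true): rejected
var_dump(findProjectForUser($projects, 1, $alice)['title']);  // string(13) "alice project"
var_dump(findProjectByUuidForUser($projects, '9c4b7a60-1e3f-4d8a-b2c5-7f6e5d4c3b2a', $alice) === null); // bool(true)
var_dump(preg_match('/^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/', uuidV4()) === 1); // bool(true)
```

Run it with `php example.php`. In a Yii 2 controller the hardened lookup is the same idea expressed as an ActiveRecord condition, e.g. `Note::findOne(['id' => $id, 'owner_id' => Yii::$app->user->id])` followed by throwing `yii\web\NotFoundHttpException` when the result is null; putting the owner in the condition means the check cannot be forgotten on one action. The UUID (stored in a `char(36)` column and used in the URL instead of the integer) only removes guessability; it is defence in depth and does not replace the ownership check.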
thanks all.