August 18th, 2009, 03:50 AM
Imar (Wrox Author)

and before returning the data from the database check that the record it matches also matches the id of the logged-in user. Is this correct?
Yes, that's exactly what I had in mind.

The GUIDs I was referring to are globally unique. This makes them great for disconnected systems that need to exchange data. That is, you and I can generate a GUID on our system, and then when we merge data later there's no risk of you and I having the same key. With a simple identity this is more than likely. (e.g. you and I can both have an ID of 10 for two separate records). However, GUIDS are used more and more to just uniquely identify a record within a single system.

If you are working with SQL Server, Guids are a built-in type called uniqueidentifier. Just like your ID / identity column you can make this ID the primary key and assign it a default value of newid(). Then when you insert a new record SQL Server creates an ID in the form of A35B61E6-54DE-4B2F-816E-9982B95D35AE for you. Other databases might have similar constructs. (Microsoft Access has something called the ReplicationID which is similar).

Guids are not obscured. What you see is the real ID. That is, A35B61E6-54DE-4B2F-816E-9982B95D35AE in a query string is truly A35B61E6-54DE-4B2F-816E-9982B95D35AE in the database. This means they are open, just like plain IDs such as 34 or 56. They can still be passed around as plain IDs. As OP pointed out, they are just as forwardable to somebody else as plain IDs. The only difference is that they are harder to guess. With an ID of 56, it's easy to guess the next one. With an ID of A35B61E6-54DE-4B2F-816E-9982B95D35AE, this is slightly more difficult.... ;-) But other than that, they are pretty much the same as numeric identities in terms of security.

Hope this clarifies things.


Imar Spaanjaars
Follow me on Twitter

Author of Beginning ASP.NET 4.5 : in C# and VB, Beginning ASP.NET Web Pages with WebMatrix
and Beginning ASP.NET 4 : in C# and VB.
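The two points in the post above, a uniqueidentifier primary key defaulting to newid() and the ownership check against the logged-in user, put together as one T-SQL example. This is an added illustration, not code from the post or from any Wrox book; the table and column names (dbo.Orders, OrderId, UserId, Total) and the sample values are assumptions.

```sql
-- Added example (not from the original post): SQL Server schema and lookup that
-- combine a GUID primary key with the per-user ownership check discussed above.
-- Table, column and variable names are assumptions; the GUID is the one quoted in the post.
CREATE TABLE dbo.Orders
(
    OrderId  UNIQUEIDENTIFIER NOT NULL
             CONSTRAINT DF_Orders_OrderId DEFAULT NEWID()
             CONSTRAINT PK_Orders PRIMARY KEY,
    UserId   INT NOT NULL,            -- owner: id of the logged-in user
    Total    DECIMAL(10, 2) NOT NULL
);

-- Omitting OrderId on insert lets the default generate the GUID for you.
INSERT INTO dbo.Orders (UserId, Total) VALUES (10, 19.95);

-- Look up a record whose id arrived in the query string. The GUID by itself
-- proves nothing: it is only harder to guess than 56, and anyone who is
-- forwarded the URL has it. The ownership predicate is the check that matters.
-- @OrderId is the (constructed) value from the query string; @UserId must come
-- from the authenticated session, never from the request itself.
DECLARE @OrderId UNIQUEIDENTIFIER = 'A35B61E6-54DE-4B2F-816E-9982B95D35AE';
DECLARE @UserId  INT = 10;

SELECT OrderId, UserId, Total
FROM   dbo.Orders
WHERE  OrderId = @OrderId
  AND  UserId  = @UserId;   -- zero rows: treat as "not found", not as another user's record
```

In application code the same two conditions go into a parameterized query, and an empty result is handled exactly like a missing record, so the response does not reveal whether the GUID exists but belongs to someone else.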