In my URL I'm passing parameters like www.myexample.com?BusinessId=5. The 5 in this case is the primary key of the database table "business". Should I hash the "5", or is it OK to tell the world the primary key ID? Are there any security issues I should worry about? Thanks!
Of course you should worry! Instead of using GET, use POST! SQL injection can get very easy if the injector finds out the BusinessId is the key of your database.
Hi, it is very important to check the respective variable for its type, because you don't want anybody to pass a char if you need an integer.
^Why do you think POST is safe in that aspect? Can't an ill-intentioned user just see the HTML source and read the field names that you are passing? Anyway, whether you are using GET or POST, you MUST always use the mysql_real_escape_string() function.

PHP:
    $business_id = mysql_real_escape_string($_GET['business_id']); // much safer
    $business_id = $_GET['business_id']; // may give up to a basic SQL injection attack
    // Just using POST does not make it more secure!

Another way to hide the id is using URL rewriting with .htaccess capabilities, but that may be difficult for you at this moment.
Yes, if you sanitize incoming data, it's all OK. But I think there is a limit of up to 100 characters that can be passed via GET. POST has no such limitations.
SQL injection has nothing to do with GET or POST; using a simple add-on called Tamper Data, you can change GET to POST.
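The points made in the thread (check the type of the id, never put raw request input into SQL, and treat GET and POST identically because the transport is not a defence) can be combined in one PHP handler. The following is an added example and is not code from any of the posters; it assumes a PDO connection to a table named "business" with an integer primary key column "BusinessId", and the DSN, user and password are placeholders. It uses a prepared statement rather than mysql_real_escape_string(), since the old mysql_* extension has been removed from current PHP versions and bound parameters make the escaping question moot:

```php
<?php
// Added example, not from the original thread. Assumes a PDO connection and a
// table "business" with an integer primary key "BusinessId".

/**
 * Validate the id regardless of whether it arrived via GET or POST.
 * Returns the integer id, or null if the value is missing or is not a
 * positive integer (e.g. "abc" or "5 OR 1=1" are both rejected).
 */
function parseBusinessId(array $params): ?int
{
    if (!isset($params['BusinessId'])) {
        return null;
    }
    // FILTER_VALIDATE_INT accepts only a plain integer string; the
    // min_range option additionally rejects zero and negative values.
    $id = filter_var($params['BusinessId'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

/**
 * Fetch one row with a prepared statement. The id is bound as a typed
 * parameter, so it is never spliced into the SQL text and cannot change
 * the structure of the query, whatever the client sent.
 */
function fetchBusiness(PDO $pdo, int $id): ?array
{
    // Unsafe equivalent for contrast (do not use):
    // $pdo->query("SELECT * FROM business WHERE BusinessId = " . $_GET['BusinessId']);
    $stmt = $pdo->prepare('SELECT * FROM business WHERE BusinessId = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// GET and POST are handled by exactly the same code path; switching the
// method (as with Tamper Data) gains an attacker nothing here.
$source = ($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST' ? $_POST : $_GET;
$id = parseBusinessId($source);
if ($id === null) {
    http_response_code(400);
    exit('Invalid BusinessId');
}

// Placeholder connection details (hypothetical).
$pdo = new PDO('mysql:host=localhost;dbname=example', 'db_user', 'db_password', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false, // use real server-side prepared statements
]);

$business = fetchBusiness($pdo, $id);
if ($business === null) {
    http_response_code(404);
    exit('No such business');
}
echo htmlspecialchars($business['name'] ?? '', ENT_QUOTES, 'UTF-8');
```

With this in place, exposing the numeric primary key in the URL is not itself what makes the page injectable: the integer validation discards anything that is not a plain id, and the bound parameter means the query cannot be altered even if validation were missing. The escaping-based approach shown earlier in the thread guards the same boundary, but only for string contexts and only if it is applied on every query; parameter binding applies it once, structurally.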