  1. #1
    Join Date
    May 2004
    Location
    Seattle
    Posts
    1,313
    What exactly are you protecting if you do this? It seems to me you are only exchanging a small number for a much bigger number, and also introducing a heavy perf cost to your query. I don't see any benefit.

  2. #2
    Join Date
    Oct 2002
    Location
    Baghdad, Iraq
    Posts
    697
    The only thing I can see you gaining by using a hash of the ID is so that user 5 can't say "hm, I think I'll log on as user 6."

    If you need to obscure logins, generate a session id each time they log in, and store the login credentials in the session table. You can also store a random number in the session table to prevent someone from hijacking someone else's session. (The random number really doesn't need to be bigger than 32 bits...) None of this requires any MD5 stuff. (BTW, MD5 is obsolete. Use SHA256 if possible.)

  3. #3
    Join Date
    Sep 2005
    Posts
    67
    That's a great idea!

    You're right: the idea is to not let users know their user IDs.
    I'd like to add a new table and generate random integers for every session.

    Thanks!
    Diego.-


    Quote Originally Posted by sco08y
    The only thing I can see you gaining by using a hash of the ID is so that user 5 can't say "hm, I think I'll log on as user 6."

    If you need to obscure logins, generate a session id each time they log in, and store the login credentials in the session table. You can also store a random number in the session table to prevent someone from hijacking someone else's session. (The random number really doesn't need to be bigger than 32 bits...) None of this requires any MD5 stuff. (BTW, MD5 is obsolete. Use SHA256 if possible.)

  4. #4
    Join Date
    Jun 2003
    Location
    Ohio
    Posts
    12,592
    ...and why in the world would you want to use "LIKE 'c4ca4238a0b923820dcc509a6f75849b'" anyway? Better take a few minutes and refresh yourself on the use of the LIKE operator.
    If it's not practically useful, then it's practically useless.

    blindman
    www.chess.com: "sqlblindman"
    www.LobsterShot.blogspot.com

  5. #5
    Join Date
    Nov 2002
    Location
    Jersey
    Posts
    10,322
    I like X002548, personally

    In what platform are you doing this?
    Brett
    8-)

    It's a Great Day for America everybody!

    dbforums Yak CorralRadio 'Rita
    dbForums Member List
    I'm Good Once as I ever was

    The physical order of data in a database has no meaning.

  6. #6
    Join Date
    Sep 2005
    Posts
    67
    Hi.

    What's wrong with using LIKE?
    I know it's better to use ID (it's smaller). However, the idea behind this is not to let users know their IDs.

    Thanks..

    Quote Originally Posted by blindman
    ...and why in the world would you want to use "LIKE 'c4ca4238a0b923820dcc509a6f75849b'" anyway? Better take a few minutes and refresh yourself on the use of the LIKE operator.

  7. #7
    Join Date
    Jun 2003
    Location
    Ohio
    Posts
    12,592
    You didn't use any wildcards in your LIKE statement. It was equivalent to an "equals" comparison.
    If it's not practically useful, then it's practically useless.

    blindman
    www.chess.com: "sqlblindman"
    www.LobsterShot.blogspot.com
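
The session-table approach suggested in post #2, looked up with a plain equality comparison as post #7 points out, sketched as an added example that is not code from any poster in this thread. The table and function names (`sessions`, `login`, `current_user`, `recover_id`), the 128-bit token, the one-hour lifetime and storing only a SHA-256 digest of the token are assumptions of this example; it also shows why the MD5-of-ID value quoted in the thread does not hide the ID.

```python
import hashlib
import secrets
import sqlite3
import time

SESSION_TTL = 3600  # seconds; lifetime assumed for this example


def recover_id(md5_hex, max_id=100_000):
    """MD5(id) is not a secret: sequential IDs can simply be enumerated."""
    for i in range(1, max_id + 1):
        if hashlib.md5(str(i).encode()).hexdigest() == md5_hex:
            return i
    return None


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE sessions ("
        " token_hash TEXT PRIMARY KEY,"   # digest only, so a DB leak exposes no live tokens
        " user_id INTEGER NOT NULL,"
        " expires_at REAL NOT NULL)"
    )
    return db


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def login(db, user_id, now=None):
    """Create a fresh random session token; the client never sees user_id."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
    db.execute("INSERT INTO sessions VALUES (?, ?, ?)",
               (_digest(token), user_id, now + SESSION_TTL))
    return token


def current_user(db, token, now=None):
    """Resolve a token with '=' (not LIKE) and a bound parameter."""
    now = time.time() if now is None else now
    row = db.execute(
        "SELECT user_id FROM sessions WHERE token_hash = ? AND expires_at > ?",
        (_digest(token), now)).fetchone()
    return row[0] if row else None


def logout(db, token):
    db.execute("DELETE FROM sessions WHERE token_hash = ?", (_digest(token),))
```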
