Unanswered: Revealing Database User IDs in HTML
Recently I read an article which stated that using database user IDs for image names is a security risk.
I read this and started thinking in general that it is possible for me to:
- get a user id of some other account holder
- login to my own account
- update another account's information by changing the user ID in the HTML
Now my question is: what are the best practices for storing user images, and for revealing user IDs in HTML output in general?
Quite simple, you don't associate user ids with the image names at all. Problem solved.
As for best practice storing user images: keep them outside the database on the file system and store a "pointer" (e.g. the filepath) to the file against the user in the database.
As for filenames: why not use the username? If not, a GUID, etc. Plenty of options.
Yeah that's what I thought too, storing image-file-path in a table field, then using image-id as file name.
Usernames can be used for specific images such as logos etc. but for storing multiple random images there has to be some unique ids.
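Added example, not part of the thread: a Python/sqlite3 sketch of the two points discussed above, namely image files named with a random token and mapped to their owner only in a table, and updates that take the user ID from the server-side session instead of from the HTML. The table layout, function names and sample rows are constructed for illustration.

```python
import secrets
import sqlite3

def make_db():
    """In-memory database with two constructed sample users."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users  (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
        CREATE TABLE images (file_name TEXT PRIMARY KEY,
                             owner_id  INTEGER REFERENCES users(id));
        INSERT INTO users VALUES (1, 'alice', 'alice@example.test'),
                                 (2, 'bob',   'bob@example.test');
    """)
    return db

def store_image(db, session_user_id, ext="jpg"):
    """Register an image under an unguessable name; the owner is only in the table."""
    file_name = f"{secrets.token_urlsafe(16)}.{ext}"
    # A real application would also write the uploaded bytes to a directory
    # on the file system under this name.
    db.execute("INSERT INTO images VALUES (?, ?)", (file_name, session_user_id))
    return file_name

def update_email(db, session_user_id, form):
    """Update the logged-in user's e-mail, whatever user id the form carries."""
    claimed = form.get("user_id")
    if claimed is not None and str(claimed) != str(session_user_id):
        return False  # hidden field was edited: refuse instead of acting on it
    db.execute("UPDATE users SET email = ? WHERE id = ?",
               (form["email"], session_user_id))
    return True

def delete_image(db, session_user_id, file_name):
    """Delete the image row only if it belongs to the session's user."""
    cur = db.execute("DELETE FROM images WHERE file_name = ? AND owner_id = ?",
                     (file_name, session_user_id))
    return cur.rowcount == 1

def email_of(db, user_id):
    return db.execute("SELECT email FROM users WHERE id = ?",
                      (user_id,)).fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    name = store_image(db, 1)
    print(name, update_email(db, 1, {"user_id": "2", "email": "x@example.test"}))
```

The user ID may still appear in the HTML; what matters is that the server never trusts it as proof of who is making the request.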