  1. #1
    Join Date
    Jul 2011
    Posts
    32

    Unanswered: Revealing Database User IDs in HTML

    Hi,

    Recently I read an article which stated that using database user ids for image names is a security risk.

    I read this and started thinking in general that it is possible for me to:

    1. get a user id of some other account holder
    2. log in to my own account
    3. update the other account's information by changing the user id in the HTML

    Now my question is: what are the best practices for storing user images, and for revealing user ids in HTML output in general?

    Appreciated..

  2. #2
    Join Date
    Mar 2004
    Posts
    480
    Quite simple, you don't associate user ids with the image names at all. Problem solved.

  3. #3
    Join Date
    Jan 2007
    Location
    UK
    Posts
    11,434
    Provided Answers: 10
    As for best practice storing user images: keep them outside the database on the file system and store a "pointer" (e.g. the filepath) to the file against the user in the database.

    As for filenames: why not use the username? If not, a GUID, etc. Plenty of options.
    George

  4. #4
    Join Date
    Jul 2011
    Posts
    32

    Image Ids

    Yeah that's what I thought too, storing image-file-path in a table field, then using image-id as file name.

    Usernames can be used for specific images such as logos etc. but for storing multiple random images there has to be some unique ids.

    Thanks,
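
An added example, not written by any poster in this thread: the advice above (random file names, a path pointer in the database) combined with the ownership check that defeats the id-swapping scenario from the first post. Python with SQLite is assumed; the `images` table, `store_image`, `replace_image` and the `session_user_id` parameter are hypothetical names.

```python
import sqlite3
import tempfile
import uuid
from pathlib import Path

ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}

def init_db(conn):
    # The table row is the "pointer": random image id -> owner and file path.
    conn.execute("CREATE TABLE images (image_id TEXT PRIMARY KEY, "
                 "owner_id INTEGER NOT NULL, path TEXT NOT NULL)")

def store_image(conn, upload_dir, session_user_id, original_name, data):
    """Save an upload under a random name and record who owns it."""
    ext = Path(original_name).suffix.lower()
    if ext not in ALLOWED_EXT:
        raise ValueError("unsupported image type")
    image_id = uuid.uuid4().hex  # random; reveals nothing about the user id
    path = Path(upload_dir) / (image_id + ext)
    path.write_bytes(data)
    conn.execute("INSERT INTO images VALUES (?, ?, ?)",
                 (image_id, session_user_id, str(path)))
    return image_id

def replace_image(conn, session_user_id, image_id, data):
    """Overwrite an image only when the logged-in user owns it."""
    # session_user_id comes from the server-side session, never from the form.
    row = conn.execute("SELECT path FROM images WHERE image_id = ? AND owner_id = ?",
                       (image_id, session_user_id)).fetchone()
    if row is None:
        return False  # unknown id or another user's image: same refusal
    Path(row[0]).write_bytes(data)
    return True

def demo():
    # Constructed sample data: two users, one upload, one tampered request.
    conn = sqlite3.connect(":memory:")
    init_db(conn)
    with tempfile.TemporaryDirectory() as d:
        image_id = store_image(conn, d, 7, "me.PNG", b"original")
        tampered = replace_image(conn, 8, image_id, b"overwritten")
        owner_ok = replace_image(conn, 7, image_id, b"updated")
        return image_id, tampered, owner_ok

if __name__ == "__main__":
    print(demo())
```

The identifier in the page can be public because the server decides ownership from the session, so changing an id in the HTML only yields a refusal.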
