I'm creating an application which allows users to register an account. Once signed in, they can then create as many "Clients" as they want.
My issue is that resourceful coding means that the URLs for viewing/editing will use the primary key, and that if, for example, user 1 creates clients 1 and 2, then another user creates some more, the next id for user 1 would be 5, for example.
Is this exposure OK? Confusing to the user? And if not, how would you fix it? I've seen TinyPHP for obfuscation.
Thanks!
It should not be, if you are careful. Make sure you do not allow users to edit clients that are not theirs. Before edit or delete, check if that client belongs to the user that is making the edit/delete.
Yeah, I've been sure to check that with $user->clients()->findOrFail($id); before any form of action.
I've also been thinking about composite keys as an alternative method to this.
Your URL should not be like: something.com/1/113/edit. Rather, clear, like: someting.com/manager/1/client/113/edit
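The ownership check discussed in this thread, as an added example that is not part of any post: plain PHP with an in-memory SQLite database (assumes the pdo_sqlite extension) contrasting an unscoped primary-key lookup with the owner-scoped query that `$user->clients()->findOrFail($id)` performs. The table layout, the `user_id` column, the function names and the sample rows are constructed for illustration.

```php
<?php
// Constructed sample data: user 1 owns clients 1, 2 and 5; user 2 owns 3 and 4.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE clients (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, name TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO clients (id, user_id, name) VALUES (?, ?, ?)');
foreach ([[1, 1, 'Acme'], [2, 1, 'Bolt'], [3, 2, 'Cask'], [4, 2, 'Dune'], [5, 1, 'Echo']] as $row) {
    $insert->execute($row);
}

// Unscoped lookup (hypothetical helper): the id from the URL is the only
// filter, so the primary key alone decides which record is returned.
function findClientUnscoped(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT * FROM clients WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Owner-scoped lookup (hypothetical helper): plain-SQL counterpart of
// $user->clients()->findOrFail($id). The owner is part of the WHERE clause,
// so an id that belongs to someone else behaves exactly like a missing id.
function findClientForUser(PDO $db, int $userId, int $id): array
{
    $stmt = $db->prepare('SELECT * FROM clients WHERE id = ? AND user_id = ?');
    $stmt->execute([$id, $userId]);
    $client = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($client === false) {
        throw new RuntimeException('Client not found'); // map this to HTTP 404
    }
    return $client;
}

// User 1 is signed in and requests ids taken from the URL.
var_dump(findClientUnscoped($db, 3)['name']);   // returns a record owned by user 2
var_dump(findClientForUser($db, 1, 5)['name']); // user 1's own client loads
try {
    findClientForUser($db, 1, 3);               // client 3 belongs to user 2
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;             // indistinguishable from a missing id
}
```

With the scoped query in place, the visible gap in ids (1, 2, 5) reveals only that other records exist, not their contents.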