Hi all,
Is it considered bad practice to use a user id in the url e.g.
www.mydomain.com/members/view.php?id=6
Should you encrypt this information (md5)?
Thanks
Crabby
I am so gonna get wrist-slapped for this…
No, it’s not, as long as you’re not using this as an identifier; that is to say, id=6 doesn’t identify the person surfing.
MD5 is a one-way encryption anyway, so you’d have to run an encryption on the user id field, which would be slower.
That said - your database field name doesn’t have to be ‘id’, to match up with that get value.
So long as you’re taking all the other security precautions necessary it won’t be a problem. Now, if your site has security holes in it, of course it may become an issue.
Thanks for your replies guys,
In this case id is the primary key, is this now an issue?
By other security, you mean validation against injection etc.?
Thanks guys
Crabby
Since you are talking about the users, it matters who is going to access this URL/page. If it is the super admin (who has access to manage the users, even delete them) then I think there should not be any problem. But still, to be on the safe side, it is better to submit a form with a hidden field containing the ID. Otherwise, if it is going to be accessed by a logged-in user, then it is not necessary to pass it through the URL. You can store it in the session and get it whenever you need it.
So if you elaborate on your scenario then a more precise solution can be suggested.
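An added example, not code from any poster in this thread: a sketch of how view.php could treat the id from the URL purely as a record selector, take the identity of the person surfing from the session, validate the id as an integer, and query with a bound parameter. The members table, its columns, and the user_id / role session keys are assumptions, and the SQLite rows are constructed sample data.

```php
<?php
declare(strict_types=1);
// Added example. Table, column and session-key names are assumptions.
function sample_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
    $pdo->exec("INSERT INTO members VALUES (6, 'alice', 'alice@example.test'), (7, 'bob', 'bob@example.test')");
    return $pdo;
}

// $get stands in for $_GET and $session for $_SESSION. Returns [status, row].
function view_member(PDO $pdo, array $get, array $session): array {
    // Who is surfing comes from the session, never from the URL.
    if (!isset($session['user_id'])) {
        return [401, null];
    }
    // The URL id only selects a record; accept nothing but a positive integer.
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [400, null];
    }
    // Bound parameter: the value is never concatenated into the SQL text.
    $stmt = $pdo->prepare('SELECT id, name, email FROM members WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return [404, null];
    }
    // Server-side authorisation: private fields only for the owner or an admin.
    $isOwner = (int) $session['user_id'] === (int) $row['id'];
    $isAdmin = ($session['role'] ?? '') === 'admin';
    if (!$isOwner && !$isAdmin) {
        unset($row['email']);
    }
    return [200, $row];
}

$pdo = sample_db();
$cases = [                                     // constructed requests
    [['id' => '6'], ['user_id' => 6]],         // owner: full record
    [['id' => '6'], ['user_id' => 7]],         // other member: email withheld
    [['id' => '6 OR 1=1'], ['user_id' => 7]],  // not an integer: 400
    [['id' => '6'], []],                       // not logged in: 401
];
foreach ($cases as [$get, $session]) {
    echo json_encode(view_member($pdo, $get, $session)), PHP_EOL;
}
```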