Comments on: There is more than one way to do it…. http://www.pythian.com/news/4155/there-is-more-than-one-way-to-do-it/ News and views from Pythian DBAs Sat, 20 Mar 2010 20:27:09 +0000 http://wordpress.org/?v=2.8.4 hourly 1 By: Sheeri Cabral http://www.pythian.com/news/4155/there-is-more-than-one-way-to-do-it/#comment-377309 Sheeri Cabral Tue, 29 Sep 2009 19:08:20 +0000 http://www.pythian.com/news/?p=4155#comment-377309 Shlomi -- I appreciate the information! I wonder if the law is "no auto-increment" period, or "no easy way to get the data" -- in the US laws are more like the latter, and thus it's OK for the suggestion. Plus, I like to put out all possible suggestions, and then discuss the pros and cons. For example, solution #4 wasn't a possibility because this company is very small and doesn't have another server to put another database on. There's many reasons why one solution will work better or won't work at all -- the idea is to start with all the ideas, and work from there. (and yes, ideas may include "move to a different database like Postgres" or "keep the info in a text log file" too). Shlomi — I appreciate the information! I wonder if the law is “no auto-increment” period, or “no easy way to get the data” — in the US laws are more like the latter, and thus it’s OK for the suggestion.

Plus, I like to put out all possible suggestions, and then discuss the pros and cons. For example, solution #4 wasn’t a possibility because this company is very small and doesn’t have another server to put another database on. There’s many reasons why one solution will work better or won’t work at all — the idea is to start with all the ideas, and work from there. (and yes, ideas may include “move to a different database like Postgres” or “keep the info in a text log file” too).

]]> By: Shlomi Noach http://www.pythian.com/news/4155/there-is-more-than-one-way-to-do-it/#comment-377294 Shlomi Noach Tue, 29 Sep 2009 17:41:39 +0000 http://www.pythian.com/news/?p=4155#comment-377294 Sheeri, I'm assuming hacker couldn't get direct access to db, but rather use XSS/SQL injection. Anyway, I'm just sharing this information. If I'm not mistaken, this law was from Germany. Sheeri,

I’m assuming hacker couldn’t get direct access to db, but rather use XSS/SQL injection.

Anyway, I’m just sharing this information. If I’m not mistaken, this law was from Germany.

]]> By: Sheeri Cabral http://www.pythian.com/news/4155/there-is-more-than-one-way-to-do-it/#comment-377293 Sheeri Cabral Tue, 29 Sep 2009 17:15:16 +0000 http://www.pythian.com/news/?p=4155#comment-377293 Shlomi -- but a hacker can only get information by primary key if the primary key is *used* in a retrieval system. The suggestion was to keep everything as it is, but change the primary key to an auto_increment -- lookups, etc are still done by GUID. The code wouldn't change, so hacking into the code wouldn't allow a hacker to use the "simple" number -- it is transparent to the code. And if the hacker hacks into the database, they can just do SELECT * FROM tbl LIMIT x,y to get values. Shlomi — but a hacker can only get information by primary key if the primary key is *used* in a retrieval system. The suggestion was to keep everything as it is, but change the primary key to an auto_increment — lookups, etc are still done by GUID. The code wouldn’t change, so hacking into the code wouldn’t allow a hacker to use the “simple” number — it is transparent to the code.

And if the hacker hacks into the database, they can just do SELECT * FROM tbl LIMIT x,y to get values.

]]> By: Shlomi Noach http://www.pythian.com/news/4155/there-is-more-than-one-way-to-do-it/#comment-377291 Shlomi Noach Tue, 29 Sep 2009 16:45:10 +0000 http://www.pythian.com/news/?p=4155#comment-377291 Hi Sheeri, Good writing. I've actually worked with a European company who told me that according to some law, user data *must* be identified by GUID (or otherwise 32 hex digits), so as not to have a "simple" number, possible auto-increment, which can be used by hackers to look for users' data. Meaning, the purpose was to make it harder for hackers to get people's details by guessing their primary key value. Regards, Shlomi Hi Sheeri,
Good writing. I’ve actually worked with a European company who told me that according to some law, user data *must* be identified by GUID (or otherwise 32 hex digits), so as not to have a “simple” number, possible auto-increment, which can be used by hackers to look for users’ data.
Meaning, the purpose was to make it harder for hackers to get people’s details by guessing their primary key value.

Regards,
Shlomi

]]>