by drumdance
3666 days ago
Yes, of course that's what needs to happen. And that's what I do when I'm the one doing the implementation. But a junior dev just out of code school doesn't necessarily think of this. So when I ask one to build the basic scaffold and db schema I say "make sure you use UUID," then later I show them how security holes like this can manifest. I've seen this security hole so many times in other sites that I feel like it's a good first principle to limit "guess-ability" in the schema wherever possible.
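The practice the comment describes, as an added example that is not part of the original post: a small sqlite schema whose row ids are random UUIDv4 values rather than an auto-increment counter, paired with the per-request ownership check that still has to exist regardless of how guessable the id is. The table and column names (`invoices`, `owner_id`) are assumptions for illustration.

```python
"""Added example (not from the comment above): UUIDv4 row ids plus an ownership
check on every lookup. Table and column names are assumed for illustration."""
import sqlite3
import uuid

SCHEMA = """
CREATE TABLE invoices (
    id       TEXT PRIMARY KEY,   -- UUIDv4 string, not an AUTOINCREMENT integer
    owner_id TEXT NOT NULL,
    amount   INTEGER NOT NULL
);
"""


def open_db():
    """Create an in-memory database with the UUID-keyed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def create_invoice(conn, owner_id, amount):
    """Insert a row keyed by a fresh random UUID and return the new id."""
    invoice_id = str(uuid.uuid4())  # 122 random bits: cannot be enumerated by counting up
    conn.execute("INSERT INTO invoices VALUES (?, ?, ?)", (invoice_id, owner_id, amount))
    return invoice_id


def get_invoice(conn, requester_id, invoice_id):
    """Return the invoice only if it belongs to the requester.

    The unguessable id limits exposure, but the owner_id predicate is the real
    authorization check: a leaked or shared id alone must not grant access."""
    row = conn.execute(
        "SELECT id, owner_id, amount FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, requester_id),
    ).fetchone()
    return None if row is None else {"id": row[0], "owner_id": row[1], "amount": row[2]}


def is_uuid4(value):
    """True if value parses as a version-4 (random) UUID, i.e. not a counter."""
    try:
        return uuid.UUID(value).version == 4
    except ValueError:
        return False


if __name__ == "__main__":
    db = open_db()
    alice_inv = create_invoice(db, "alice", 100)
    print(get_invoice(db, "alice", alice_inv))  # the row
    print(get_invoice(db, "bob", alice_inv))    # None: wrong owner, even with the id
```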