I'm using PHP, AS3 and MySQL.

I've got a website. A Flash (AS3) website. The Flash website keeps members' information in a MySQL database through PHP. In the "people" table, I've got "id" as the primary key and "username" as a unique field.

Now my situation is: Flash wishes to display a member's profile. My questions:

  1. Should Flash pass the member "ID" or "username" to PHP to process the MySQL query?

  2. Is there a difference between passing the "id" or the "username"?

  3. Which is more secure?

  4. Which do you recommend?

I must optimize this site in terms of security and performance.

The primary key is always the most secure way of identifying database rows. For example, you might later change your mind and permit duplicate usernames.

Depending on how your ActionScript is interacting with PHP, it'll likely also require sending fewer bytes if you send an integer ID in your request rather than a username.

1) Neither is inarguably the one thing it should do.

2) The ID is most likely shorter and minusculely faster to look up. The ID gives a little more information to anybody who knows that the site uses serial IDs at all, since knowing what one of them is is virtually the same as knowing all of them, whereas knowing one username doesn't tell you the usernames of any other users. However, the username is more revealing of the user's psychology and could constitute a password hint.

3) Both have very marginal pitfalls, as described in item 2.

4) I'd use the ID.

Most likely you need to get thoroughly acquainted with "PHP sessions", maybe using a framework that already has this in place, since it is non-trivial and you won't want to screw it up. The session store will handle all of this for you, including login screens, "I forgot my password", etc.

You'll be able to focus your attention on what your website is really there for.

Sounds like fun (ActionScript + PHP + MySQL) - best of luck!

Arguments for passing the id number:

  • People never change their id. People do change their names. For a casual games site with disposable accounts, that is probably not an issue, but for long-term registered users it may be. I have had to handle a demand by an upset lady that her ex-husband's surname be removed from her username. A procedure for doing this had to be quickly established!

  • Shorter.

  • Easier to index and partition.

Arguments for passing the username:

  • Slightly harder (although not impossible) to guess a valid, existing account - e.g. to browse random people's records, if that is your thing.
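Whichever identifier the Flash client sends, the points raised across these answers (requiring a session before any lookup, treating the integer id as the stable key, and not letting a lookup confirm whether an account exists) come down to the same handling on the PHP side. The script below is an added example, not code from the question or from any of the answers: a profile endpoint that accepts either `id` or `username`, validates the value before it reaches the query, uses PDO prepared statements for both paths, and returns one identical "not found" response for malformed, unknown and rejected lookups. It assumes the `people` table from the question with `id` (integer primary key) and `username` (unique) columns, a login handler that stores the member's id in `$_SESSION['member_id']`, and placeholder DSN and credentials.

```php
<?php
// Added example (not from the original question or answers): profile lookup
// endpoint for the Flash client. Assumed schema: table `people` with columns
// `id` (int primary key) and `username` (unique). Assumed session layout:
// the login handler sets $_SESSION['member_id']. DSN/credentials are placeholders.

declare(strict_types=1);

session_start();
header('Content-Type: application/json; charset=utf-8');

// Require an authenticated session before any database lookup at all.
if (!isset($_SESSION['member_id'])) {
    http_response_code(401);
    echo json_encode(['error' => 'login required']);
    exit;
}

// Placeholder connection details; real exceptions instead of silent failures,
// and native (server-side) prepares so parameters are never interpolated.
$pdo = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'db_user', 'db_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

/** Look up a profile by integer id; null when no row matches. */
function profileById(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, username FROM people WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Look up a profile by username; same return shape as profileById. */
function profileByUsername(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username FROM people WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$profile = null;

if (isset($_GET['id'])) {
    // FILTER_VALIDATE_INT rejects "12abc", "1e3", negatives and anything
    // non-numeric; a serial primary key is always a positive integer.
    $id = filter_var($_GET['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id !== false) {
        $profile = profileById($pdo, $id);
    }
} elseif (isset($_GET['username'])) {
    // Constrain the username to the character set the registration form
    // allows (assumed here: 3-32 letters, digits or underscores) before querying.
    $username = (string) $_GET['username'];
    if (preg_match('/^[A-Za-z0-9_]{3,32}$/', $username) === 1) {
        $profile = profileByUsername($pdo, $username);
    }
}

if ($profile === null) {
    // One response for malformed input, unknown ids and unknown usernames,
    // so a caller cannot tell which of the three it hit.
    http_response_code(404);
    echo json_encode(['error' => 'not found']);
    exit;
}

echo json_encode($profile);
```

The Flash client calls it as `profile.php?id=42` or `profile.php?username=alice`; either way the value is validated as a whole before it is bound to the statement, and both lookups return the same shape, so the choice between id and username is a question of stability and size (the points made above) rather than of query safety.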