Which is better NEWID or Encrypted ID?
I have an application that allows users to register for events. The database (SQL Server) has names, email addresses, addresses and phone numbers.
I pass id information via the query string (for example event.aspx?id=____). Presently I am using the "unique" identifier provided by NEWID() and the performance is great.
I was debating whether or not this is a reasonably secure approach. Should I encrypt the id values and pass that in the query string instead? For example instead of generating the unique id by using NEWID I would take the integer value that is in the primary key column and encrypt and decrypt that as needed in the application.
I have done this and noticed a performance hit. Any thoughts?
passing an anonymous key is perfectly fine. What's more of a risk is SQL injection attacks, but if you are taking precautions (e.g. using stored procedures, parameterized SQL etc...) you should be fine.
If someone can change the value of id and still register (thus altering/viewing someone else's registration information), then yes, you have a problem.
If you are ensuring that a person can only modify their own registration, then you likely do not have an issue. In this case, you could use the SQL ID column anyway instead of generating a NEWID() (unencrypted -- what is the threat if they know the ID?). If only the correct person can modify/register then revealing the ID shouldn't be a concern. Though I'm curious though as to why a simple encrypt/decrypt is negatively impacting performance.