Obscuring Record IDs in linksBackground
neatComponents provides a database model based around Forms (ie tables) and Records. When you want to display a particular record on a 'details' page, a typical method is to embed a Query on that page, and then use another Query on another 'index' page to provide a list of records, linking to the details page. To identify which record to display the link contains a parameter in the url's querystring of the form replyid=n where n is an integer identifying the record.
The issue
In some cases you don't want people to access all the records in the Form, only the subset listed in the 'index' Query. There is a risk that a visitor would substitute the number in the replyid parameter with another, until they found the record they were looking for.
The solution
To prevent this we need to use an alternative to the ID, which is not a simple integer, but which is unpredictable. However we don't want to have to manually invent such values for each record – it needs to be automatic.
The Installation ID datatype does just this: it autocreates a randomised unique string, which can be used instead of the Record ID in the link in the 'index' Query.
Implementation
- Add the Installation ID field to the Form.
- Add the Installation ID field to the 'index' Query (but it doesn't need to be set to 'show')
- In the linked field in the 'index' Query, change the Parameter to custom, and select the Installation ID field (only)
- Add the Installation ID field to the 'detail' Query (again, it doesn't need to be set to 'show')
- In the Embed of the 'detail' Query, set the Criteria to include the Installation ID to equal Page Parameters.
| 
