evaluating the security risk of exposing a row's identity in the querystring

Question

Is it a security risk to expose the ID number of a SQL row?

For example, there is an event with an ID of 12.

Is it a security concern if someone accesses it via http://example.com/events/12, or someone makes a POST to http://example.com/events/12 in order to update that record (assuming I allow this of course)?

Answer 1

The problem of exposing ID's to users is often referred to as "insecure direct object references" in a web security context.

From OWASP:

Preventing insecure direct object references requires selecting an approach for protecting each user accessible object (e.g., object number, filename):

1. Use per user or session indirect object references. This prevents attackers from directly targeting unauthorized resources. For example, instead of using the resource’s database key, a drop down list of six resources authorized for the current user could use the numbers 1 to 6 to indicate which value the user selected. The application has to map the per-user indirect reference back to the actual database key on the server. OWASP’s ESAPI includes both sequential and random access reference maps that developers can use to eliminate direct object references.
2. Check access. Each use of a direct object reference from an untrusted source must include an access control check to ensure the user is authorized for the requested object.

A defense in depth approach would be to do both 1 & 2.