I searched lot on net. I got the idea that using int as primary key for my table will give more performance on indexing and fast retrieval.
But why do I want to go for Varchar? I have an API for my app. If an intruder finds my response that includes my primary key, they can easily know what is my next record.
Suppose I am using some random number for primary key just like this "BxVaxwuswl" they can't figure out what will be my next record.
Am I going in the right direction? Kindly guide me here.
Like @lorthirk said, you should probably work on securing your APIs in other ways. But if you decide to go with UUIDs then, I'm not that experienced with databases, but here's what I can gather from some quick googling:
varbinary instead of varchar. varbinary is more efficient because it stores the data internally as a number and therefore also uses up less space. (One such setup is described in this blog post).By the way, all the above applies only to relational databases (and perhaps not to all of them?). It's mainly because the databases weren't designed with UUIDs in mind. Some of the newer databases like MongoDB use UUID primary-keys by default. Not to say that you must use them or anything, but it's good to keep that in mind 😉
If I was an intruder I wouldn't mind about your next item -- I already would have the current one to harm your database. So I really can't get the point in this: having a varchar indexed instead of an int will just make your indexes bigger. How about, instead, securing your APIs so that no one can harm your data?
Mario Giambanco
Director of User Experience Development
As others have said - look into securing your app in other ways.
Take this query for example: stackoverflow.com/questions/1446821/how-to-get-ne… select * from foo where id = (select min(id) from foo where id > 4)
That query technically wouldn't care if it was querying an INT or Varchar (replace the 4 with a string) - it'll pull the next record based on whats passed in. > can still apply to strings; they'll just be sorted alphabetically, not numerically.
Your goal is to stop (select min(id) from foo where id > 4) from being injected into the app. Any (all) input fields when using SQL should be sanitized.