I have a few entities in my database where I have decided not to use an autoincrementing integer ID as primary key, modifying the auto-generated schema, routes, etc. to work with this. Instead, the primary key is a string.
As a result, show page routes now look like /entity/string_pk, where the string_pk is the primary key to use to fetch the record.
I have done this for convenience and simplicity, but worry about the possibility of SQL injection attacks, where the string_pk is replaced by plausible injection strings which Ecto will immediately SELECT for.
Is this a realistic problem to worry about, necessitating a return to integer IDs, or the use of some kind of intermediate string sanitisation in the chain?
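As an added illustration (not part of the original post, and not code from any specific project), here is what the string-primary-key setup described above looks like in Ecto and Phoenix, with comments marking where the path segment is handled as a bind parameter rather than as SQL text. The module names `MyApp`, `MyApp.Repo`, `MyAppWeb`, the table `entities`, the key column `slug` and a PostgreSQL adapter are all assumed.

```elixir
# Added example; MyApp, MyApp.Repo, MyAppWeb and the "entities" table are assumed names.
defmodule MyApp.Entity do
  use Ecto.Schema

  # String primary key supplied by the application, not generated by the DB.
  @primary_key {:slug, :string, autogenerate: false}
  # Lets Phoenix path helpers build /entity/<slug> from the struct.
  @derive {Phoenix.Param, key: :slug}
  schema "entities" do
    field :name, :string
    timestamps()
  end
end

defmodule MyAppWeb.EntityController do
  use MyAppWeb, :controller
  import Ecto.Query, only: [from: 2]
  alias MyApp.{Entity, Repo}

  # Assumed shape of slugs we actually issue; anything else is a 404 before
  # the database is touched. This is hygiene, not the injection defence.
  @slug_format ~r/^[a-z0-9_-]{1,64}$/

  # Router entry assumed: get "/entity/:string_pk", EntityController, :show
  def show(conn, %{"string_pk" => string_pk}) do
    if Regex.match?(@slug_format, string_pk) do
      # Repo.get/2 casts the value to the primary key's declared type and
      # sends it as a bind parameter. The statement Ecto emits is
      #   SELECT ... FROM "entities" AS e0 WHERE (e0."slug" = $1)
      # and the slug travels separately from that text, so quotes or
      # keywords inside it are just characters compared against the column.
      # (With an integer :id key, a non-numeric string would instead raise
      # Ecto.Query.CastError before any query is sent.)
      entity = Repo.get(Entity, string_pk)

      # The query DSL behaves the same way: the pin operator (^) turns the
      # runtime value into a parameter, never into query text.
      _same_entity = Repo.one(from(e in Entity, where: e.slug == ^string_pk))

      case entity do
        nil -> send_resp(conn, 404, "not found")
        entity -> render(conn, :show, entity: entity)
      end
    else
      send_resp(conn, 404, "not found")
    end
  end
end

defmodule MyApp.RawQueryNote do
  # Only hand-built SQL text reintroduces the risk the question worries about.
  # Interpolating the path segment into the statement string is the pattern
  # to avoid; passing it in the parameter list is the raw-SQL equivalent of
  # what Repo.get/2 and the query DSL do above.
  alias MyApp.Repo

  def unsafe_lookup(string_pk) do
    # The value becomes part of the SQL text. Do not do this.
    Repo.query!("SELECT * FROM entities WHERE slug = '#{string_pk}'")
  end

  def safe_lookup(string_pk) do
    # Placeholder syntax is PostgreSQL's; MySQL uses ? instead of $1.
    Repo.query!("SELECT * FROM entities WHERE slug = $1", [string_pk])
  end
end
```

The contrast in `MyApp.RawQueryNote` is the whole point: `Repo.get/2`, `Repo.one/2` with `^string_pk`, and `fragment/1` with pinned values all ship the key as a parameter, and `fragment` additionally refuses a non-literal SQL string at compile time. The format check in the controller is worth keeping for clean 404s and log noise, but the database driver's parameter binding, not the regex, is what keeps the slug from ever being parsed as SQL.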