Use more secure record IDs in URL Parameters for Linked Record Fields

I would like to see any sort of URL parameter for Linked Record fields to use a longer, more secure value that could not easily be guessed.

Since Noloco uses ordinal values, when using its public forms feature, it is easy for users to guess at alternative IDs for URL Paramters passing a linked record field value.

Users could easily add or subtract 1 from a URL parameter and potentially see exposed data from another user.

This vulnerability isn’t an issue with internal tools, but any external form becomes a problem.


This is just in reference to Noloco’s IDs right? Guessing so since you said “subtract or add 1”.

Cause with Airtable, though they’re in recXYZ format, it’s pretty needed in the event that you’re trying to, for example, automate sending an email with a link to a particular page and record.

Just making sure I understand, but if we’re on the same page I totally agree! This would be a solid change.

Correct. This is in reference to the Noloco IDs. These are the IDs referenced in URL parameters if wanting to prefill a form.

1 Like

Love it - 100% agree here!
I guess one possible solution is to allow for UUIDs in prefilling, rather than IDs. That way Noloco doesn’t have to change their underlying architecture:

Though of course, both feature requests would be ideal :sweat_smile: