Using sequential user ids: A spammer's friend?


callumd
08-14-2008, 09:20 PM
Hi there.

I'm building a website at the moment and the user ids generated from the database are all sequential: 27, 28, 29, 30.. etc.

I am thinking that this would be a good thing for spammers, given that my messaging system uses the user id as the identifier when sending a message. I am worried that spammers could create a script where they could just keep incrementing the user id by one, and spam my entire membership base.

Is it common for websites to avoid sequential ids for things such as this?

ryanbutler
08-15-2008, 10:37 AM
If the user id is a primary key from the database table and set to auto-increment then that would be pretty difficult. I've used primary keys to identify records with query strings before. If the steps used to work with it such as code security are put in place, it shouldn't be a problem. You could always use a GUID.

callumd
08-17-2008, 03:55 PM
Thanks for your reply, I'm not sure I explained myself clearly enough.

My website features a private messaging system, just like this website, webdeveloper.com. My website also uses an incremental id for the user ids, just like this website.

If I were to send you a private message here on this website, I would have to click the link:

http://www.webdeveloper.com/forum/private.php?do=newpm&u=72220

If I take that last bit of the url (72220) and increment it by 1, a messaging screen appears for some other user. I could easily write an automated script that could spam the entire webdeveloper.com user base this way.

I am wondering if it is common for websites to use non-sequential user ids for this very reason.
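The defence the thread is circling around, as an added example that is not code from the original thread or from webdeveloper.com: the database keeps its auto-increment primary key, but the messaging endpoint is addressed only by a random UUIDv4 (the GUID ryanbutler mentions), and the sender is rate-limited so that even a valid recipient list cannot be sprayed. The in-memory store, the `MessageService` class, the "5 per hour" default and the sample users are all assumptions made for illustration.

```python
import time
import uuid
from collections import defaultdict, deque


class UserStore:
    """Users keep their sequential database primary key, but the messaging
    layer only ever exposes a random UUIDv4 (a GUID) as the public handle.
    (Illustrative in-memory store, not a real ORM.)"""

    def __init__(self):
        self._next_id = 1
        self._by_db_id = {}
        self._by_public_id = {}

    def create_user(self, name):
        db_id = self._next_id          # sequential, like an auto-increment column
        self._next_id += 1
        public_id = str(uuid.uuid4())  # 122 random bits: not guessable by incrementing
        user = {"db_id": db_id, "public_id": public_id, "name": name}
        self._by_db_id[db_id] = user
        self._by_public_id[public_id] = user
        return user

    def lookup_db(self, db_id):
        return self._by_db_id.get(db_id)

    def lookup_public(self, public_id):
        return self._by_public_id.get(public_id)


class MessageService:
    """Private-message endpoint addressed by public id, with a per-sender
    sliding-window rate limit (assumed default: 5 messages per hour)."""

    def __init__(self, store, max_per_window=5, window_seconds=3600, clock=time.monotonic):
        self.store = store
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self.clock = clock
        self._sent_at = defaultdict(deque)   # sender db_id -> timestamps of recent sends
        self.inbox = defaultdict(list)       # recipient db_id -> [(sender db_id, body)]

    def send(self, sender_public_id, recipient_public_id, body):
        sender = self.store.lookup_public(sender_public_id)
        recipient = self.store.lookup_public(recipient_public_id)
        if sender is None or recipient is None:
            # One generic answer: a guessing script learns nothing about which ids exist.
            return "unknown recipient"
        now = self.clock()
        recent = self._sent_at[sender["db_id"]]
        while recent and recent[0] <= now - self.window_seconds:
            recent.popleft()             # drop sends that fell out of the window
        if len(recent) >= self.max_per_window:
            return "rate limited"
        recent.append(now)
        self.inbox[recipient["db_id"]].append((sender["db_id"], body))
        return "sent"


def reachable_by_incrementing(store, start=1, tries=1000):
    """The thread's concern: a script that bumps a sequential id finds every account."""
    return sum(1 for i in range(start, start + tries) if store.lookup_db(i) is not None)


def reachable_by_guessing_public(store, tries=1000):
    """Same budget of guesses against random public ids: effectively zero hits."""
    return sum(1 for _ in range(tries) if store.lookup_public(str(uuid.uuid4())) is not None)


if __name__ == "__main__":
    store = UserStore()
    users = [store.create_user(n) for n in ("alice", "bob", "carol")]   # constructed sample users
    print("hits by incrementing:", reachable_by_incrementing(store))         # 3
    print("hits by guessing public ids:", reachable_by_guessing_public(store))  # 0
    svc = MessageService(store, max_per_window=2)
    a, b = users[0]["public_id"], users[1]["public_id"]
    print(svc.send(a, b, "hi"), svc.send(a, b, "hi again"), svc.send(a, b, "spam"))
```

The two measures are complementary: the random public id removes the "increment and hit every user" walk, while the rate limit caps the damage from a spammer who harvests valid public ids from profile links or member lists, which any random-id scheme still exposes. The service answers "unknown recipient" for a bad id without touching the sender's rate budget, and uses the same answer whether the id is malformed or simply unassigned.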