du8791069 2011-11-29 13:31

Preventing spammers by using hashed user IDs in a web application

I am building a web application that allows users to send messages to other users. On the send message page I currently have the user id of the receiver in the URL so the application knows where to send the message, i.e. example.com/send-message/user-id/1. The user id is the primary key used to identify the receiver in the database.

I am concerned that spammers could go to this page and just keep changing the user id in the URL and spam people on the site very quickly.

The solution I have come up with is to make a long unique id (123154123412). This number will be stored in the user database row and would be used instead of the primary key on the send message page so that a spammer could not easily spam lots of people by changing the id.

Are there any potential problems with this approach that I may have overlooked?

If I were to use the unique id throughout the site, would it slow the site down significantly? In other words, is it quicker to search the database using a primary key than a generated unique id?

Thanks

3 answers

  • dongyishen5796 2011-11-29 13:36

    Another thing you can do is to block sessions or IP addresses temporarily when they send too many messages in a short time (e.g. 1 min between messages and max 5 messages per 15 min).

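The limits suggested in the answer above (1 minute between messages, at most 5 messages per 15 minutes, then a temporary block), as an added Python example that is not part of the original answer. The class name, the in-memory single-process storage, and the 15-minute block length are assumptions; the answer does not specify them.

```python
import time
from collections import defaultdict, deque

MIN_GAP = 60          # seconds between messages ("1 min between messages")
WINDOW = 15 * 60      # sliding window length ("per 15 min")
MAX_IN_WINDOW = 5     # "max 5 messages"
BLOCK_FOR = 15 * 60   # assumed block length; the answer only says "temporarily"


class MessageRateLimiter:
    """Per-sender limiter keyed by session id or IP address.

    State lives in this process only (an assumption for the example);
    several web workers would need a shared store for the same counters.
    """

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.sent = defaultdict(deque)   # key -> timestamps of accepted messages
        self.blocked_until = {}          # key -> time at which the block ends

    def allow(self, key):
        """Return (allowed, reason); record the message only when allowed."""
        now = self.clock()
        if self.blocked_until.get(key, float("-inf")) > now:
            return False, "blocked"
        history = self.sent[key]
        while history and now - history[0] >= WINDOW:
            history.popleft()            # forget sends older than the window
        if history and now - history[-1] < MIN_GAP:
            return False, "too_fast"     # rejected, but not blocked yet
        if len(history) >= MAX_IN_WINDOW:
            self.blocked_until[key] = now + BLOCK_FOR
            return False, "blocked"      # over quota: start the temporary block
        history.append(now)
        return True, "ok"
```

Call `allow()` with the session id or client IP before storing a message, whichever receiver id appears in the URL, so the limit applies no matter how the receiver is identified.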
