Is there any concern regarding a database primary key exposure?

It depends on what the primary key is. If the primary key is the user's email address or other personal information, then obviously you should never expose it to anyone other than the user. Even if the primary key were the username in the form of FirstName.LastName you should be wary of exposure. Typically though, the primary key will be either an integer or guid which has little meaning by itself, and so I will base the rest of this answer on the typical case.

In general, if the application is designed and secured properly, then revealing meaningless User IDs should not pose a security risk. However, this is not true for all primary key fields in the DB. For example, suppose there is an email validation table that has a guid that appears in a link that is emailed to the user. Those single-use IDs should not be made public because otherwise someone would be able to submit a fake email address and still validate it.

There are other considerations too that are not necessarily related to security. For example, if you use integer IDs, and you have a public profile page like Matthew mentioned in his comment, then someone could iterate through all of your users and find out information that perhaps they should not know. Examples might be the demographics of your user base, or the exact number of users that your website has, etc. Note this would not be a problem if you use random guids for the primary key, or if you do not expose the public users by the primary key.
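
The two cases from the answer above, as an added example that is not part of the original answer: the integer primary key stays internal while profiles are looked up by a random public identifier, and the email validation ID is a single-use random value. The table, column and function names are hypothetical, and storing only a hash of the emailed token is an assumption added here.

```python
import hashlib
import secrets
import sqlite3

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (
            id INTEGER PRIMARY KEY,          -- internal key, never sent to clients
            public_id TEXT UNIQUE NOT NULL,  -- random identifier used in URLs
            email TEXT NOT NULL,
            verified INTEGER NOT NULL DEFAULT 0
        );
        CREATE TABLE email_tokens (
            token_hash TEXT PRIMARY KEY,     -- only a hash of the emailed value is stored
            user_id INTEGER NOT NULL REFERENCES users(id)
        );
    """)
    return db

def add_user(db, email):
    public_id = secrets.token_urlsafe(16)    # 128 random bits, not found by counting
    token = secrets.token_urlsafe(32)        # appears only in the emailed link
    cur = db.execute("INSERT INTO users (public_id, email) VALUES (?, ?)",
                     (public_id, email))
    db.execute("INSERT INTO email_tokens VALUES (?, ?)",
               (hashlib.sha256(token.encode()).hexdigest(), cur.lastrowid))
    return public_id, token

def public_profile(db, public_id):
    # Look up by the random identifier; the integer key is not in the response.
    row = db.execute("SELECT public_id, verified FROM users WHERE public_id = ?",
                     (public_id,)).fetchone()
    return None if row is None else {"public_id": row[0], "verified": bool(row[1])}

def verify_email(db, token):
    h = hashlib.sha256(token.encode()).hexdigest()
    row = db.execute("SELECT user_id FROM email_tokens WHERE token_hash = ?",
                     (h,)).fetchone()
    if row is None:
        return False                         # unknown or already used token
    db.execute("DELETE FROM email_tokens WHERE token_hash = ?", (h,))  # single use
    db.execute("UPDATE users SET verified = 1 WHERE id = ?", (row[0],))
    return True
```
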


The information you are trying to keep confidential is the records in the database, not the actual labels on the columns. I think it's pretty common to use PKs with names like "id", "pid", "cid"... so hiding it may be just an instance of Security Through Obscurity.

It's not something I would advertise but I wouldn't go to great lengths to hide it.