A colleague once mentioned to me that when developing web applications, explicitly using a sequence/auto-increment integer (typically a primary key) to uniquely identify values within a database is a security risk, and that since such keys are often used as "surrogate keys" (e.g., for internally identifying records and relationships between records), the safest way to identify resources is to use the domain primary key.
Take the following example.
create table category
(
    category_key serial not null primary key,   -- surrogate key
    name character varying(255) not null,       -- domain key
    unique(name)
);

create table product
(
    product_key serial not null primary key,    -- surrogate key
    product_id character varying(8) not null,   -- domain key
    name character varying(255) not null,
    unique(product_id)
);
To access a category, the URL is /category/(\d+) using the category_key primary key. How is this less secure than a URL /category/([^/]+) using the name unique key?
The only thing I can think of is that a particular category_key is much easier to guess (e.g., add one), and if you haven't coded your access control properly, this could allow someone to arbitrarily view any category within the database.
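The two handler styles the question contrasts, as an added example that is not part of the original post: a constructed in-memory stand-in for the category table (with an assumed owner column the question's schema does not have) and both URL patterns, showing that the access check, not the identifier style, is what keeps one user out of another's rows.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class Category:
    category_key: int   # serial primary key, as in the question's schema
    name: str           # unique domain key
    owner: str          # assumed column; the question's table has no such field

# Constructed sample rows standing in for the category table.
CATEGORIES = [
    Category(1, "books", "alice"),
    Category(2, "garden", "alice"),
    Category(3, "internal-pricing", "bob"),
]

def resolve(path: str) -> Optional[Category]:
    """Map a URL to a row using the two patterns from the question.
    /category/(\\d+) is tried first so a numeric name cannot shadow a key."""
    m = re.fullmatch(r"/category/(\d+)", path)
    if m:
        key = int(m.group(1))
        return next((c for c in CATEGORIES if c.category_key == key), None)
    m = re.fullmatch(r"/category/([^/]+)", path)
    if m:
        return next((c for c in CATEGORIES if c.name == m.group(1)), None)
    return None

def view_category_unchecked(path: str) -> Optional[str]:
    """The weak handler: any resolvable identifier is served, so a serial
    key lets a caller walk the whole table; a name only slows that down."""
    cat = resolve(path)
    return cat.name if cat else None

def view_category(user: str, path: str) -> Optional[str]:
    """The hardened handler: the owner check is what protects the row,
    whichever identifier style the URL uses. A denied request gets the
    same 'not found' result as a missing row, so it leaks no existence."""
    cat = resolve(path)
    if cat is None or cat.owner != user:
        return None
    return cat.name

def opaque_id() -> str:
    """If guessability itself must go (e.g. share links), issue a random
    surrogate and store it beside the serial key; it never replaces the check."""
    return secrets.token_urlsafe(16)
```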