The approach is sound, but you absolutely, positively must encrypt the identifier. Or, even better, make it a hash of the ID and some lengthy "salt"
string, which you then also store in the database. If the URL is then accessed you can extract that identifier and retrieve the record in the database that goes with it.
It's also common that the URL only has a limited validity (maybe 24 hours or so). After that, a new one must be generated.