CodeCharge Studio
YesSoftware Forums -> CodeCharge -> General/Other

 Add/Edit Security Issue?

Adam M
Posted: 12/29/2003, 5:55 AM

I use a CC "record" page to enable users to insert details into a form.

But there seems to be a security issue, if a user can guess the name of the underlying table's primary key and simply add ?PID=somenumber. This will display the given record to the user, whereas he should only be able to insert a record.

How can I disable displaying records while allowing insertion of records?
RogerR

Posts: 21
Posted: 12/29/2003, 1:12 PM

Quote Adam M:
I use a CC "record" page to enable users to insert details into a form. ...SNIP

How can I disable displaying records while allowing insertion of records?

CodeCharge is rather weak when it comes to security. The way I handled this issue when I was using CC was to create a security code (0 for admin, 1 for supervisor and 2 for data entry); when an end user logged in, a cookie was set with their code number. If they tried to read a record and the cookie showed their number as 2, they would get a prebuilt error page telling them that they didn't have permission to view the record. If the user tried to venture into admin stuff and their cookie didn't show their code as 0, they got an error page and an email with their user id was sent to the administrator.

This was done using PHP and MySQL, and once I got it set up it was pretty easy to administer. CCS has much better security, so I abandoned this method some time back.

HTH;

Roger R.
_________________
***********************************************************
The best antivirus a windose user can get - LINUX!
***********************************************************
tomasz
Posted: 01/05/2004, 11:21 AM

To Adam:
You can disallow "update" mode in the form properties. If your users need to update only their own records, leave "update" mode on and add some fields to the DB table where you can store the UserID session var during record insert. Then you can set some restrictions in the input parameters or the open event.

To Roger:
Well, if someone is smart enough to guess how to use URL params, they are also smart enough to know how to edit their own cookies..
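A server-side ownership check of the kind tomasz describes, as an added example in plain PHP with PDO (not CodeCharge-generated code; the `orders` table, its `OwnerID` column and the user ids are constructed for the demo). The point is that the record lookup is keyed on both the PID and the session user, so a guessed PID simply behaves like a missing record and the page falls back to an empty insert form:

```php
<?php
// Added example, not CodeCharge-generated code: enforce record ownership
// server-side so a guessed ?PID= cannot display another user's row.
// Assumes a table "orders" with an OwnerID column stamped on insert
// (constructed here in an in-memory SQLite DB so the script runs stand-alone).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE orders (PID INTEGER PRIMARY KEY, OwnerID INTEGER NOT NULL, Item TEXT)');

// Insert: never take OwnerID from the form; stamp it from the session user.
function insertOrder(PDO $db, int $sessionUserId, string $item): int
{
    $st = $db->prepare('INSERT INTO orders (OwnerID, Item) VALUES (?, ?)');
    $st->execute([$sessionUserId, $item]);
    return (int) $db->lastInsertId();
}

// Load for display/update: the WHERE clause ties the key to the session user,
// so a PID belonging to someone else is indistinguishable from a non-existent one.
function loadOwnOrder(PDO $db, int $sessionUserId, $pid): ?array
{
    if (!ctype_digit((string) $pid)) {        // reject non-numeric PID values early
        return null;
    }
    $st = $db->prepare('SELECT PID, OwnerID, Item FROM orders WHERE PID = ? AND OwnerID = ?');
    $st->execute([(int) $pid, $sessionUserId]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Page logic: a record is shown only when it belongs to the current user;
// otherwise the form is rendered empty, in insert mode.
function pageMode(PDO $db, int $sessionUserId, $pid): string
{
    return loadOwnOrder($db, $sessionUserId, $pid) === null ? 'insert' : 'update';
}

// Constructed session/request values standing in for $_SESSION['UserID'] and $_GET['PID'].
$alice = 7;
$bob   = 9;
$pid   = insertOrder($db, $alice, 'widget');
echo "alice on her own PID: " . pageMode($db, $alice, $pid) . "\n";   // the owner gets update mode
echo "bob on a guessed PID: " . pageMode($db, $bob, $pid) . "\n";     // a foreign PID gets insert mode
echo "garbage PID:          " . pageMode($db, $bob, '1 OR 1=1') . "\n"; // non-numeric input is rejected
```

The same idea applies whatever framework generates the form: the owner filter belongs in the query itself, not in a cookie or hidden field the client controls.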
RogerR

Posts: 21
Posted: 03/05/2004, 9:29 AM

Quote tomasz:

To Roger:
Well, if someone is smart enough to guess how to use URL params, they are also smart enough to know how to edit their own cookies..

Yep, and that's what makes the md5 function so cool.

Roger R.
