martin
Posted: 11/08/2005, 7:04 PM
I use the example of MultiStepRegistration, it works fine.
But when I enter the URL below into IE: http://localhost/mlsprivate/MultiStepRegistration1.asp?user_id=AAA
If I change AAA to 1, I can retrieve the first user's information from the database.
If I change AAA to 2, I can retrieve the second user's information from the database, and so on.
It is a serious security issue. How can I protect my database from unauthenticated reading?
Thanks in advance!
mamboBROWN
Posts: 1713
Posted: 11/08/2005, 11:26 PM
Why not use session keys and/or use a more difficult to guess user_id (MD5 128-bit checksum or SHA1(str)/SHA(str), which calculates an SHA1 160-bit checksum for the string)? Just a thought...
Martin
Posted: 11/09/2005, 1:59 PM
SSL protects the data while it is being transported, so I think it is not the case.
I mean, why does CCS not give a more useful example than this one?
Is it possible to configure page security or form security to achieve it?
Any help? Thanks in advance.
peterr
Posts: 5971
Posted: 11/09/2005, 2:04 PM
You can set the "Allow Update" property to "No" on that 1st step, so that existing records will not be shown.
But the next steps of the registration may also require some protection, and in such a case you can use a session variable instead of a URL parameter.
_________________
Peter R.
YesSoftware Forums Moderator
For product support please visit http://support.yessoftware.com
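
The session-variable approach from the last reply, modelled in Python next to the URL-parameter behaviour reported in the first post. This is an added example, not part of the thread and not CodeCharge Studio's generated code; the sample rows, the function names and the in-memory session store are assumptions made for illustration.

```python
import secrets

# Constructed sample data standing in for the registration table.
USERS = {
    1: {"login": "alice", "email": "alice@example.test"},
    2: {"login": "bob", "email": "bob@example.test"},
}
SESSIONS = {}  # server-side store: session id -> {"user_id": ...}


def finish_step1(login, email):
    """Step 1: insert the new record and bind its key to a fresh session."""
    user_id = max(USERS) + 1
    USERS[user_id] = {"login": login, "email": email}
    sid = secrets.token_urlsafe(32)  # unguessable, sent only as a cookie
    SESSIONS[sid] = {"user_id": user_id}
    return sid


def step2_from_url(query):
    """Behaviour reported in the thread: the record key comes from the URL."""
    try:
        return USERS.get(int(query.get("user_id", "")))
    except ValueError:
        return None  # e.g. user_id=AAA


def step2_from_session(cookie_sid, query):
    """Session variant: the key is read from server-side state only.

    Any user_id in the query string is ignored, so editing the URL cannot
    select another row. No valid session means no record is returned.
    """
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return None
    return USERS[session["user_id"]]
```

In the session variant the later registration steps never read `user_id` from the request at all, so there is nothing in the URL for a visitor to change.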