Adam M
|
| Posted: 12/29/2003, 5:55 AM |
|
I use a CC "record" page to enable users to insert details into a form.
But there seems to be a security issue, if a user can guess the name of the underlying table's primary key and simply add ?PID=somenumber. This will display the given record to the user, whereas he should only be able to insert a record.
How can I disable displaying records while allowing insertion of records?
|
|
|
 |
RogerR
Posts: 21
|
| Posted: 12/29/2003, 1:12 PM |
|
Quote Adam M:
I use a CC "record" page to enable users to insert details into a form. ...SNIP
How can I disable displaying records while allowing insertion of records?
CodeCharge is rather weak when it comes to security. The way I handled this issue when I was using CC was to create a security code ( 0 for admin 1 for supervisor and 2 for Data Entry) when an end user logged in a cookie was set with their code number. If they tried to read a record and the cookie showed their number as 2 they would get a prebuilt error page telling them that they didn't have permission to view the record. If the user tried to venture into admin stuff and their cookie didn't show their code as 0 they got an error page and an email with their user id was sent to the administrator.
This was done using PHP and MySQL, and once I got it setup it was pretty easy to administor. CCS has much better security so I abandond this method some time back.
HTH;
Roger R.
_________________
***********************************************************
The best antivirus a windose user can get - LINUX!
*********************************************************** |
 |
|
tomasz
|
| Posted: 01/05/2004, 11:21 AM |
|
to adam:
you can disallow "update" mode in form properties. and if your users need to update only their records, leave "update" mode "on" and add some fields to db table where you can store UserID session var during record insert. then you can set some restrictions in input parameters or open event .
to roger:
well, if someone is enough smart to guess how tu use url params, it's also enough smart to know how to edit their own cookies..
|
|
|
|
RogerR
Posts: 21
|
| Posted: 03/05/2004, 9:29 AM |
|
Quote tomasz:
to roger:
well, if someone is enough smart to guess how tu use url params, it's also enough smart to know how to edit their own cookies..
Yep, and that's what makes the md5 fuction so cool.
Roger R.
_________________
***********************************************************
The best antivirus a windose user can get - LINUX!
*********************************************************** |
|
|
|
|
