YesSoftware Forums -> Archive -> CodeChargeStudio.Discussion

User Security

Rob King
Posted: 11/21/2003, 11:27 AM

Hi there,

I am sure this is easy to do, but I am not sure how.

I am using CCS in php, connecting to mysql.

I am wanting a page where a user can edit their details, which they entered
on a sign-up form.

I have made a page "edit_user_details"

For example, if the user's id is 1, I can get the user to go to
www.sample/edit_user_details?user_id=1, which works fine, but what stops the
same user changing the URL and selecting
www.sample/edit_user_details?user_id=2? He now has access to another user's
details.

How can I put some code in to redirect the user if his user_id does not
match?

Hope you can help

Rob King

DonB
Posted: 11/21/2003, 12:34 PM

Never select the user via the URL parameters. Use a session variable (which
is defined on the menu for the Project security settings - the "advanced"
button). Probably it is "UserID" (unless you changed it to "user_id").
This prevents the user from selecting something they aren't supposed to have
access to.

Make the selection criteria on the secure form's Data Source include the
"where" clause specifying user_id = <the session variable>. There are
several options for the source of a value - Control, Form, URL, Session, and
some others. Just pick Session from the dropdown list and type in the name
of the session variable.

Now, the user can't access any record that does not match their user id.

--
DonB

http://www.gotodon.com/ccbth



Rob King
Posted: 11/23/2003, 11:15 AM

Thanks for that.

Rob King



Walter Kempees
Posted: 11/24/2003, 7:06 AM

Nice Don.
But just checking the URL var against the current UserId would do the trick,
wouldn't it?
In Bla Code: if (Url.UserId <> DB.UserId) 501page;
We normally do a straight return to Index.php, not even mentioning why (for
obvious (non-hackers) reasons).
We also do this in situations where a certain user is trying to get to (for
instance) a specific order or customer record while not being a member of a
group changing those details. Say, like when one application serves multiple
customers, each administrating their own set of clients/orders and so on.

Greetz
Walter

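The two approaches from DonB's and Walter's posts side by side, as an added example that is not from the thread or from CodeCharge Studio's generated code: the record lookup keyed on the URL parameter, the same lookup bound to the session value instead, and the explicit URL-versus-session check. The users table, its columns, the sample rows and the session key "UserID" are assumptions for the demo, and in-memory SQLite stands in for MySQL.

```php
<?php
// Added demo, not CCS-generated code. The "edit your own details" lookup done
// the vulnerable way (row chosen by ?user_id=), DonB's fix (WHERE clause bound
// to the session value) and Walter's check-then-redirect. Assumptions: table
// users(user_id, email), two constructed rows, session key "UserID".
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (user_id INTEGER PRIMARY KEY, email TEXT)");
$db->exec("INSERT INTO users VALUES (1, 'rob@example.invalid'), (2, 'other@example.invalid')");

// Vulnerable: whoever is logged in, the row is selected by the URL value,
// so changing ?user_id=1 to ?user_id=2 hands over another user's record.
function loadByUrl(PDO $db, array $get): ?array
{
    $st = $db->prepare("SELECT user_id, email FROM users WHERE user_id = ?");
    $st->execute([(int) ($get['user_id'] ?? 0)]);
    return $st->fetch(PDO::FETCH_ASSOC) ?: null;
}

// DonB's approach: the WHERE clause takes its value from the session only.
// The URL parameter never reaches the query, so no other row is reachable.
function loadOwnRecord(PDO $db, array $session): ?array
{
    $st = $db->prepare("SELECT user_id, email FROM users WHERE user_id = ?");
    $st->execute([(int) $session['UserID']]);
    return $st->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Walter's approach: compare the URL value with the session value up front
// and send mismatches back to the index page without explaining why.
function urlMatchesSession(array $get, array $session): bool
{
    return isset($get['user_id'])
        && (int) $get['user_id'] === (int) $session['UserID'];
}

// Simulated request: user 1 is logged in but has edited the URL to user_id=2.
$session = ['UserID' => 1];
$get     = ['user_id' => '2'];

$leaked = loadByUrl($db, $get);          // user 2's row: the problem Rob described
$own    = loadOwnRecord($db, $session);  // user 1's row, whatever the URL says
echo "by URL: user_id={$leaked['user_id']}, by session: user_id={$own['user_id']}\n";

if (!urlMatchesSession($get, $session)) {
    // In the real page this would be: header('Location: index.php'); exit;
    echo "URL/session mismatch: redirect to index.php\n";
}
```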

DonB
Posted: 11/24/2003, 8:29 AM

Same results, Walter. I feel "safer" somehow knowing I prevent them from
ever pulling data they are not allowed to see as opposed to turning them
away from a page that might display it.

I also like the idea of embedding the rule in a query - when the DBMS
allows you to write views, that is my #1 preference. If you put the userid
rule into the view, then it's enforced everywhere and you don't have to code
anything, anywhere, to enforce the rule.

--
DonB

http://www.gotodon.com/ccbth



Walter Kempees
Posted: 11/24/2003, 3:08 PM

Agreed.
Using MySQL, we miss out on, for example, the Oracle features.

PS: solved the Copy Function, with help from CC. (see thread)


   

