From: James E. F. <jf...@ac...> - 2002-03-30 19:42:36
On Sat, 30 Mar 2002, Matthew Gregg wrote:

> A thought here:
> Instead of sequential why not increment SID by a larger increment and/or
> perhaps add some randomness.
> It would be harder for "Joe User" to try other surveys.
>
> Of course this would add some complexity since we couldn't use mysql's
> auto_increment.

Well, I think the complexity would be excessive just to "hide" the SID, but it made me think of a better solution. Rather than having the "auto-template" (as I will call it) use the SID as the key, we could have it use the survey "name" (or even "title"). So the auto-template would look more like this:

    ...
    $sid = -1;
    $_name = XADDSLASHES($_REQUEST['name']);
    if ($result = mysql_query("SELECT id FROM survey WHERE name = '$_name'")) {
        if (mysql_num_rows($result) > 0)
            $sid = mysql_result($result, 0, 0);
        mysql_free_result($result);
    }
    ...

This would still make "name" publicly visible, but guessing a name is much "harder" than {in,de}crementing the SID. Or perhaps the auto-template could range check the SID, or use some other verification.

-James
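The thread's concern is that a sequential, auto_increment SID in the URL lets anyone reach neighbouring surveys by changing one digit, and that a name-based key only makes guessing harder, not impossible. The example below is added here and is not code from the thread or from the project: it is a constructed in-memory Python store that keeps the sequential `sid` internal, issues a random, unguessable public `token` for links (the indirect-reference approach), and shows the "other verification" James mentions as an explicit ownership check. `Survey`, `SurveyStore` and `hits_from_guessing` are illustrative names, not anything in the project.

```python
"""Added example: opaque survey references plus an authorization check,
contrasted with a sequential auto_increment-style SID. Constructed
in-memory store for illustration; not the project's own code."""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Survey:
    sid: int      # internal auto_increment-style key, never placed in a URL
    name: str
    owner: str
    token: str    # public, random reference used in links


class SurveyStore:
    def __init__(self) -> None:
        self._by_sid: dict[int, Survey] = {}
        self._by_token: dict[str, Survey] = {}
        self._next_sid = 1  # mimics MySQL auto_increment

    def create(self, name: str, owner: str) -> Survey:
        sid = self._next_sid
        self._next_sid += 1
        # 128 bits of randomness: no ordering to walk, infeasible to guess.
        token = secrets.token_urlsafe(16)
        survey = Survey(sid, name, owner, token)
        self._by_sid[sid] = survey
        self._by_token[token] = survey
        return survey

    def lookup_by_sid(self, sid: int) -> Optional[Survey]:
        """The weak pattern discussed in the thread: the key exposed to the
        user is sequential, so sid-1, sid+1, ... visit every survey."""
        return self._by_sid.get(sid)

    def lookup_by_token(self, token: str) -> Optional[Survey]:
        """Indirect reference: the public key carries no order and cannot be
        incremented or decremented into a neighbouring survey."""
        return self._by_token.get(token)

    def lookup_authorized(self, token: str, user: str) -> Optional[Survey]:
        """The 'other verification' from the thread: even a valid reference
        is only honoured for the survey's owner."""
        survey = self._by_token.get(token)
        if survey is None or survey.owner != user:
            return None
        return survey


def hits_from_guessing(store: SurveyStore, guesses) -> tuple[int, int]:
    """Compare the two reference schemes: how many surveys the same set of
    candidate keys reaches through the sid lookup versus the token lookup.
    Used here purely to measure exposure of the store's own design."""
    by_sid = sum(1 for g in guesses if store.lookup_by_sid(g) is not None)
    by_token = sum(1 for g in guesses if store.lookup_by_token(str(g)) is not None)
    return by_sid, by_token


if __name__ == "__main__":
    store = SurveyStore()
    store.create("staff-2002", "alice")
    store.create("customers", "bob")
    print("reachable by trying keys 1..10 (sid, token):",
          hits_from_guessing(store, range(1, 11)))
```

The point of `lookup_authorized` is that obscuring the key, whether by a larger increment, a name, or a random token, only limits who can find a survey; deciding who may view it is a separate check that the lookup should perform every time.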