From: James E. F. <jf...@ac...> - 2002-03-30 19:42:36
On Sat, 30 Mar 2002, Matthew Gregg wrote:
>
> A thought here:
> Instead of sequential why not increment SID by a larger increment and/or
> perhaps add some randomness.
> It would be harder for "Joe User" to try other surveys.
>
> Of course this would add some complexity since we couldn't use mysql's
> auto_increment.
Well, I think the complexity would be excessive just to
"hide" the SID, but it made me think of a better solution.
Rather than having the "auto-template" (as I will call it)
use the SID as the key we could have it use the survey
"name" (or even "title"). So the auto-template would look
more like this:
...
$sid = -1;                                   /* default: no survey found */
$_name = XADDSLASHES($_REQUEST['name']);     /* escape before splicing into SQL */
if ($result = mysql_query(
        "SELECT id FROM survey WHERE name = '$_name'"))
{
    if (mysql_num_rows($result) > 0)
        $sid = mysql_result($result, 0, 0);  /* first row, first column: the id */
    mysql_free_result($result);
}
...
This would still make "name" publicly visible, but guessing
a name is much "harder" than {in,de}crementing the SID.
Or perhaps the auto-template could range check the SID, or
use some other verification.
-James
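As an added illustration (not code from this thread or from the project), here is the same name-keyed lookup written with a PDO prepared statement, so the request value is bound as a parameter instead of being escaped and spliced into the query string. It assumes a survey(id, name) table as in the thread; the in-memory SQLite database and the sample rows are constructed for the demo.

```php
<?php
// Added example, not from the original post: the name-keyed lookup sketched
// above, using a bound parameter rather than an addslashes-style escape.
// Assumes a survey(id, name) table; the SQLite data below is constructed.

function lookupSurveyIdByName(PDO $db, ?string $name): int
{
    // A missing or empty name is treated exactly like an unknown name.
    if ($name === null || $name === '') {
        return -1;
    }

    // The name travels to the driver as data; it is never part of the SQL text.
    $stmt = $db->prepare('SELECT id FROM survey WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();

    $id = $stmt->fetchColumn();        // false when no row matched
    return ($id === false) ? -1 : (int) $id;
}

// --- constructed demo data (in-memory SQLite, same columns as the thread) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE survey (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL)');
$ins = $db->prepare('INSERT INTO survey (id, name) VALUES (:id, :name)');
foreach ([[7, 'staff-lunch'], [12, "o'brien-feedback"]] as [$id, $name]) {
    $ins->execute([':id' => $id, ':name' => $name]);
}

// An exact name returns its id; a name containing a quote is matched as plain
// data; an unknown name or an empty name yields -1, the original snippet's default.
var_dump(lookupSurveyIdByName($db, 'staff-lunch'));
var_dump(lookupSurveyIdByName($db, "o'brien-feedback"));
var_dump(lookupSurveyIdByName($db, 'no-such-survey'));
var_dump(lookupSurveyIdByName($db, ''));
```

In the auto-template the call would simply be `$sid = lookupSurveyIdByName($db, $_REQUEST['name'] ?? null);`, with `$db` being the application's own PDO connection to MySQL rather than the SQLite handle used here for the demo.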