From: Matthew G. <gr...@mu...> - 2002-03-30 22:36:29
Yeah. Survey Name is already forced to be unique and I think it's
sufficiently random. I will proceed with the "auto_template" using
that as the "key".
On Sat, Mar 30, 2002 at 02:42:31PM -0500, James E. Flemer wrote:
> On Sat, 30 Mar 2002, Matthew Gregg wrote:
> >
> > A thought here:
> > Instead of sequential why not increment SID by a larger increment and/or
> > perhaps add some randomness.
> > It would be harder for "Joe User" to try other surveys.
> >
> > Of course this would add some complexity since we couldn't use mysql's
> > auto_increment.
>
> Well, I think the complexity would be excessive just to
> "hide" the SID, but it made me think of a better solution.
> Rather than having the "auto-template" (as I will call it)
> use the SID as the key we could have it use the survey
> "name" (or even "title"). So the auto-template would look
> more like this:
>
> ...
> $sid = -1;
> $_name = XADDSLASHES($_REQUEST['name']);
> if ($result = mysql_query(
> "SELECT id FROM survey WHERE name = '$_name'"))
> {
> if (mysql_num_rows($result) > 0)
> $sid = mysql_result($result, 0, 0);
> mysql_free_result($result);
> }
> ...
>
> This would still make "name" publicly visible, but guessing
> a name is much "harder" than {in,de}crementing the SID.
>
> Or perhaps the auto-template could range check the SID, or
> use some other verification.
>
> -James
>
--
brought to you by, Matthew Gregg...
one of the friendly folks in the IT Lab.
--------------------------------------\
The IT Lab (http://www.itlab.musc.edu) \____________________
Probably the world's premier software development center.
Serving: Programming, Tools, Ice Cream, Seminars
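Added example, not code from this thread or from the survey project it discusses: a Python/sqlite sketch of the two lookup styles the thread compares. Keying the auto-template on a sequential SID lets a user walk the id space and find every survey; keying it on the unique survey name does not, and a bound query parameter does the job XADDSLASHES() did in the quoted PHP without splicing the name into SQL text. The table layout, the sample rows and the random-suffix name generator are assumptions made for the example; the reply only says the name is "already forced to be unique" and "sufficiently random".

```python
import secrets
import sqlite3

# Constructed sample data (not from the project): three surveys with the
# sequential ids MySQL's auto_increment would hand out.
SAMPLE_SURVEYS = [
    (1, "staff_2002", "Staff satisfaction"),
    (2, "alumni_q1", "Alumni questionnaire"),
    (3, "itlab_feedback", "IT Lab feedback"),
]


def open_db():
    """In-memory stand-in for the project's MySQL 'survey' table (assumed layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE survey ("
        "id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL, title TEXT)"
    )
    conn.executemany("INSERT INTO survey VALUES (?, ?, ?)", SAMPLE_SURVEYS)
    return conn


def sid_exists(conn, sid):
    """The lookup being replaced: the auto-template keyed on the raw SID."""
    row = conn.execute("SELECT 1 FROM survey WHERE id = ?", (sid,)).fetchone()
    return row is not None


def enumerate_by_sid(conn, limit):
    """What 'Joe User' can do against a sequential key: try 1..limit and
    collect every id that resolves. Sequential ids make this cheap."""
    return [sid for sid in range(1, limit + 1) if sid_exists(conn, sid)]


def sid_by_name(conn, name):
    """The proposed lookup: resolve the SID from the unique survey name.

    Returns -1 when no such survey exists, mirroring the $sid = -1 default
    in the quoted PHP. The name is passed as a bound parameter, so no
    escaping helper (XADDSLASHES) is needed and a name containing quotes is
    just a name that matches nothing.
    """
    row = conn.execute("SELECT id FROM survey WHERE name = ?", (name,)).fetchone()
    return row[0] if row else -1


def random_survey_name(prefix):
    """Assumption, not project behaviour: one way to make the name
    'sufficiently random' so it cannot be guessed the way an SID can.
    secrets.token_hex(8) appends 64 bits of CSPRNG output as 16 hex chars."""
    return f"{prefix}-{secrets.token_hex(8)}"


if __name__ == "__main__":
    db = open_db()
    print("enumerable SIDs:", enumerate_by_sid(db, 10))
    print("alumni_q1 ->", sid_by_name(db, "alumni_q1"))
    print("injection attempt ->", sid_by_name(db, "x' OR '1'='1"))
    print("example random name:", random_survey_name("staff"))
```

Walking the SID space finds all three sample surveys; looking up a name only succeeds for a name the caller already knows, and the quote-laden name simply returns -1 because the parameter is data, not SQL.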