From: Matthew G. <gr...@mu...> - 2002-03-30 22:36:29

Yeah. Survey Name is already forced to be unique and I think it's sufficiently random. I will proceed with the "auto_template" using that as the "key".

On Sat, Mar 30, 2002 at 02:42:31PM -0500, James E. Flemer wrote:
> On Sat, 30 Mar 2002, Matthew Gregg wrote:
>
> > A thought here:
> > Instead of sequential why not increment SID by a larger increment and/or
> > perhaps add some randomness.
> > It would be harder for "Joe User" to try other surveys.
> >
> > Of course this would add some complexity since we couldn't use mysql's
> > auto_increment.
>
> Well, I think the complexity would be excessive just to
> "hide" the SID, but it made me think of a better solution.
> Rather than having the "auto-template" (as I will call it)
> use the SID as the key we could have it use the survey
> "name" (or even "title"). So the auto-template would look
> more like this:
>
> ...
> $sid = -1;
> $_name = XADDSLASHES($_REQUEST['name']);
> if ($result = mysql_query(
>         "SELECT id FROM survey WHERE name = '$_name'"))
> {
>     if (mysql_num_rows($result) > 0)
>         $sid = mysql_result($result, 0, 0);
>     mysql_free_result($result);
> }
> ...
>
> This would still make "name" publicly visible, but guessing
> a name is much "harder" than {in,de}crementing the SID.
>
> Or perhaps the auto-template could range check the SID, or
> use some other verification.
>
> -James

--
brought to you by, Matthew Gregg...
one of the friendly folks in the IT Lab.
--------------------------------------\
The IT Lab (http://www.itlab.musc.edu) \____________________
Probably the world's premier software development center.
Serving: Programming, Tools, Ice Cream, Seminars
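The "auto-template" lookup the thread settles on, as an added example that is not code from the original message or the project: the public handle is a high-entropy survey name rather than the sequential SID, and the query binds the request value as a parameter instead of escaping it into the SQL string. It assumes sqlite3 standing in for MySQL and constructed table and function names.

```python
import secrets
import sqlite3


def new_survey_name(nbytes: int = 16) -> str:
    """Generate a survey name that is unique in practice and infeasible to
    guess: 16 random bytes give 128 bits of entropy, so {in,de}crementing a
    known name does not yield another valid survey the way a SID would."""
    return secrets.token_urlsafe(nbytes)


def create_schema(conn: sqlite3.Connection) -> None:
    # id stays the internal sequential SID (auto_increment); name is the
    # public, UNIQUE handle that the template accepts from the request.
    conn.execute(
        "CREATE TABLE survey ("
        " id INTEGER PRIMARY KEY AUTOINCREMENT,"
        " name TEXT NOT NULL UNIQUE,"
        " title TEXT NOT NULL)"
    )


def add_survey(conn: sqlite3.Connection, title: str) -> str:
    name = new_survey_name()
    conn.execute("INSERT INTO survey (name, title) VALUES (?, ?)", (name, title))
    return name


def lookup_sid(conn: sqlite3.Connection, requested_name: str) -> int:
    """Resolve the request's 'name' parameter to a SID, or -1 when no survey
    has that name (the $sid = -1 default from the thread). The bound
    parameter is compared as a literal string, never parsed as SQL, so no
    escaping step such as XADDSLASHES is needed."""
    row = conn.execute(
        "SELECT id FROM survey WHERE name = ?", (requested_name,)
    ).fetchone()
    return row[0] if row is not None else -1


def demo() -> tuple:
    """Constructed sample data: one survey, then a valid lookup, a near-miss
    name, and a name containing SQL metacharacters; returns the three SIDs."""
    conn = sqlite3.connect(":memory:")
    create_schema(conn)
    name = add_survey(conn, "Constructed sample survey")
    return (
        lookup_sid(conn, name),
        lookup_sid(conn, name + "x"),
        lookup_sid(conn, "' OR 1=1 --"),
    )
```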