From: Julian R C B. <J.B...@dc...> - 2003-03-21 16:08:04
Ondrej,

Thanks for your reply. I have a demo workaround by editing phpMyEdit.class.php thus:

Add the next line after "if ($this->delete_enabled()) {" (line 1410):

    echo ' Password: <input type="text" name="inputpassword" size=12 maxlength=12 value="changeme" >';

Add the next lines after "/* Database connection */" (line 2778):

    /* Require password for change/delete (JRCB 20-mar-03) */
    if ($this->operation == $this->labels['Change'] or $this->operation == $this->labels['Delete']) {
        $inputpassword = $this->pv['inputpassword'];
        // cast the record id to an integer so it cannot alter the query text
        $query = "select password from ".$this->tb." where id = ".(int)$this->pv['rec'];
        $resource = $this->myquery($query);
        $row = mysql_fetch_row($resource);
        // no such record: treat as no password, so the check below fails
        $password = $row ? $row[0] : null;
        //echo "inputpassword: $inputpassword<br>";
        //echo "password: $password<br>";
        // strict comparison: avoid PHP's loose string/number conversion
        if ($inputpassword !== $password) {
            echo "<h1>Enter a password and retry</h1>";
            $this->list_table();
            return false;
        }
    }

> You should also note, that blocking user before displaying change or delete
> page is not a complex solution anymore. You have to block particular action -
> record deletion and change in addition to blocking these pages. Otherwise
> your application will not be secure (since it will contain this ugly
> vulnerability).

I did not really follow this. Do you think my code, above, is insecure?

Thanks
Julian

Ondrej Jombik wrote at 19:45 (GMT +0100) 20 March 2003:

>> I manage the website for a small club. I want to create an events
>> listing which members can update themselves, so they can
>> add/change/delete an event record. They would set a password (for
>> that event) when adding an event and give the same password to
>> change or delete the event.
>> So far, I have added a line to add a password entry field to
>> phpMyEdit.class.php after the code to add the delete button to the
>> foot of the listing:
>
> I completely understand what is the problem/requirement. You are right, it
> is currently not possible to do such thing with phpMyEdit and it is
> uncertain for future.
>
> The solution could be to have phpMyEdit extension for this. Extension will
> provide the same functionality as phpMyEdit, but it will also add particular
> password check where it is necessary. The problem is, that currently I do
> not have enough time to work on this. I'm glad that I have at least time to
> work on 5.3 release.
>
> You should also note, that blocking user before displaying change or delete
> page is not a complex solution anymore. You have to block particular action -
> record deletion and change in addition to blocking these pages. Otherwise
> your application will not be secure (since it will contain this ugly
> vulnerability).
>
> --
>  _/| Ondrej Jombik - ne...@ph... - http://www.nepto.sk - OJ812-RIPE
> <_ \ Platon SDG - open source software development - http://platon.sk
>  `\| UNIX is user friendly. It's selective about who its friends are!
>  '`

--
War on Iraq. Not in my name. www.stopwar.org.uk
Julian Briggs, Director of IT, Department of Computer Science,
University of Sheffield, Regent Court, 211 Portobello St, Sheffield S1 4DP, UK
Phone +44 (0) 114-222-1851. Fax +44 (0) 114-222-1810
j.b...@sh... http://www.dcs.shef.ac.uk/~julian
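An added example, not phpMyEdit's or Julian's code, of the point Ondrej raises: the password gate must sit on the operation that actually changes or deletes the record, not only on the page that shows the form. The events table, the operation strings and the $pv array are assumptions, and the stored password is a hash rather than the cleartext in the workaround above.

```php
<?php
// Added example, not phpMyEdit code. Every operation that displays OR performs
// a change/delete runs the same gate, so a client that skips the form and posts
// the action directly is still stopped. Table, operation names and $pv layout
// are hypothetical.

function record_password_ok(PDO $db, int $rec, string $input): bool
{
    // Prepared statement: the record id never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT password FROM events WHERE id = :id');
    $stmt->execute([':id' => $rec]);
    $hash = $stmt->fetchColumn();
    // Stored value is a password_hash(), not the cleartext used in the thread.
    return $hash !== false && password_verify($input, (string) $hash);
}

function handle(PDO $db, array $pv): string
{
    $op    = (string) ($pv['operation'] ?? '');
    $rec   = (int) ($pv['rec'] ?? 0);
    $input = (string) ($pv['inputpassword'] ?? '');

    // Form display and the final action are both guarded by one check.
    $guarded = ['Change', 'Delete', 'Save change', 'Do delete'];
    if (in_array($op, $guarded, true) && !record_password_ok($db, $rec, $input)) {
        return 'Enter a password and retry';
    }
    switch ($op) {
        case 'Change':
        case 'Delete':
            return "show $op form for record $rec";
        case 'Save change':
            $db->prepare('UPDATE events SET title = :t WHERE id = :id')
               ->execute([':t' => (string) ($pv['title'] ?? ''), ':id' => $rec]);
            return "changed $rec";
        case 'Do delete':
            $db->prepare('DELETE FROM events WHERE id = :id')->execute([':id' => $rec]);
            return "deleted $rec";
    }
    return 'list';
}

// Constructed in-memory fixture so the example runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE events (id INTEGER PRIMARY KEY, title TEXT, password TEXT)');
$db->prepare('INSERT INTO events VALUES (1, :t, :p)')
   ->execute([':t' => 'AGM', ':p' => password_hash('changeme', PASSWORD_DEFAULT)]);

echo handle($db, ['operation' => 'Do delete', 'rec' => 1, 'inputpassword' => 'wrong']), "\n";
echo handle($db, ['operation' => 'Do delete', 'rec' => 1, 'inputpassword' => 'changeme']), "\n";
```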