From: Ondrej J. <ne...@po...> - 2003-03-27 23:46:56
> > You should also note that blocking a user before displaying the change or delete
> > page is not a complex solution anymore. You have to block the particular action
> > (record deletion and change) in addition to blocking these pages. Otherwise
> > your application will not be secure (since it will contain this ugly
> > vulnerability).
>
> I did not really follow this. Do you think my code, above, is
> insecure?

It seems that it is not secure. You should think about checks when

    $this->savedelete == $this->labels['Delete']
    or $this->morechange == $this->labels['Apply']
    or $this->savechange == $this->labels['Save']

The tests you are performing only prevent the record form from being displayed.
You have to handle the database manipulation actions (save, apply, delete) as well.

--
_/| Ondrej Jombik - ne...@ph... - http://www.nepto.sk - OJ812-RIPE
<_ \ Platon SDG - open source software development - http://platon.sk
`\| UNIX is user friendly. It's selective about who its friends are!
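The point Ondrej makes above, as an added example that is not from this thread or from phpMyEdit itself: a dispatcher that checks authorisation only when the change/delete form is rendered, beside one that also guards the Save/Apply/Delete branches. The request keys, the `user_may_modify()` helper and the ownership table are hypothetical stand-ins.

```php
<?php
// Added example (not phpMyEdit code): authorisation must guard the save/apply/
// delete branches, not only the request that renders the change/delete form.
// user_may_modify() and the request keys below are hypothetical placeholders.
function user_may_modify(int $recordId, string $user): bool
{
    // Constructed ownership table standing in for a database lookup.
    static $owners = [1 => 'alice', 2 => 'bob'];
    return isset($owners[$recordId]) && $owners[$recordId] === $user;
}

$labels = ['Delete' => 'Delete', 'Apply' => 'Apply', 'Save' => 'Save'];

// Weak version: the check runs only when the form is about to be displayed.
function vulnerable_dispatch(array $req, string $user, array $labels): string
{
    $id = (int)($req['rec'] ?? 0);
    if (isset($req['operation'])) {            // request to show the form
        return user_may_modify($id, $user) ? 'form' : 'denied';
    }
    // These branches write to the database but never consult user_may_modify().
    if (($req['savedelete'] ?? '') === $labels['Delete']) return "deleted $id";
    if (($req['savechange'] ?? '') === $labels['Save'])   return "saved $id";
    if (($req['morechange'] ?? '') === $labels['Apply'])  return "applied $id";
    return 'list';
}

// Fixed version: any request that names a record for modification is checked first.
function fixed_dispatch(array $req, string $user, array $labels): string
{
    $id = (int)($req['rec'] ?? 0);
    $modifies = isset($req['operation'])
        || ($req['savedelete'] ?? '') === $labels['Delete']
        || ($req['savechange'] ?? '') === $labels['Save']
        || ($req['morechange'] ?? '') === $labels['Apply'];
    if ($modifies && !user_may_modify($id, $user)) {
        return 'denied';
    }
    if (isset($req['operation']))                          return 'form';
    if (($req['savedelete'] ?? '') === $labels['Delete']) return "deleted $id";
    if (($req['savechange'] ?? '') === $labels['Save'])   return "saved $id";
    if (($req['morechange'] ?? '') === $labels['Apply'])  return "applied $id";
    return 'list';
}

// Constructed request: bob submits the delete action for alice's record 1.
$req = ['rec' => 1, 'savedelete' => 'Delete'];
echo vulnerable_dispatch($req, 'bob', $labels), "\n";
echo fixed_dispatch($req, 'bob', $labels), "\n";
```

Running it shows the weak dispatcher performing the deletion for a user who would have been refused the delete form, while the fixed one refuses the action itself.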