From: Julian R C B. <J.B...@dc...> - 2003-03-31 14:33:54
Ondrej, Thanks.

> It seems that it is not secure. You should think about checks when
>
> $this->savedelete == $this->labels['Delete'] or
> $this->morechange == $this->labels['Apply'] or
> $this->savechange == $this->labels['Save']
>
> The tests you are performing only prevent the record form from being
> displayed. You have to handle the database manipulation actions (save,
> apply, delete) as well.

I want the user to be able to change the password (if they give the correct old password).

To get to these input forms (Change, Copy or Delete) the user must enter a password in an input field (that I have added) at the foot of the Display table. This must match the corresponding entry in the password field for that record; otherwise we just Display the table.

I use a primary key 'Id' which is hidden (on all pages and forms) so cannot be changed.

Currently I only allow Add/Change/Copy/Delete (not View, to avoid handling Change from there):

$opts['options'] = 'ACD';

not View.

So I think it is secure. Or am I still missing something?

Thanks.

Julian

php...@li... wrote at 12:31 (GMT -0800) 28 March 2003:

> Message: 1
> Date: Wed, 26 Mar 2003 20:16:13 +0100 (CET)
> From: Ondrej Jombik <ne...@po...>
> Reply-To: Ondrej Jombik <ne...@po...>
> To: php...@li...
> Subject: Re: [PHPMyEdit-Discuss] per record password protection
> Organization: Platon software development group (http://www.platon.sk/)
>
> > > You should also note that blocking the user before displaying the change or delete
> > > page is not a complete solution anymore. You have to block the particular action -
> > > record deletion and change - in addition to blocking these pages. Otherwise
> > > your application will not be secure (since it will contain this ugly
> > > vulnerability).
> > I did not really follow this. Do you think my code, above, is
> > insecure?
>
> It seems that it is not secure. You should think about checks when
>
> $this->savedelete == $this->labels['Delete'] or
> $this->morechange == $this->labels['Apply'] or
> $this->savechange == $this->labels['Save']
>
> The tests you are performing only prevent the record form from being
> displayed. You have to handle the database manipulation actions (save,
> apply, delete) as well.
>
> --
>  _/| Ondrej Jombik - ne...@ph... - http://www.nepto.sk - OJ812-RIPE
> <_ \ Platon SDG - open source software development - http://platon.sk
>  `\| UNIX is user friendly. It's selective about who its friends are!
>  '`

--
War on Iraq. Not in my name. www.stopwar.org.uk
Julian Briggs, Director of IT, Department of Computer Science, University of Sheffield,
Regent Court, 211 Portobello St, Sheffield S1 4DP, UK
Phone +44 (0) 114-222-1851. Fax +44 (0) 114-222-1810
j.b...@sh... http://www.dcs.shef.ac.uk/~julian
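The point Ondrej is making, as an added example that is neither PHPMyEdit's code nor Julian's: a Python model of the request flow with two dispatchers, one that checks the per-record password only before showing the Change/Copy/Delete form, and one that also checks it on the Save, Apply and Delete submit actions. The hidden primary key and the submit buttons are ordinary form fields that the client sends, so a forged POST can name any record Id and press any button without ever having seen the form. The parameter names (`operation`, `rec`, `pwd`, `savechange`, `savedelete`, `morechange`), the label table and the record table are assumptions constructed for the model.

```python
"""Model of the PHPMyEdit-style request flow discussed in the thread.

Added illustration, not PHPMyEdit code. Parameter names, labels and the
record table are assumptions chosen for the model.
"""
import copy
import hashlib
import hmac

# Constructed sample table: Id -> record; 'password' is the per-record secret.
RECORDS = {
    1: {"Id": 1, "name": "alice", "password": "s3cret"},
    2: {"Id": 2, "name": "bob", "password": "hunter2"},
}

# Assumed button labels, standing in for $this->labels[...].
LABELS = {"Change": "Change", "Copy": "Copy", "Delete": "Delete",
          "Save": "Save", "Apply": "Apply"}


def password_ok(records, rec_id, supplied):
    """Compare the supplied password with the record's in constant time."""
    rec = records.get(rec_id)
    if rec is None or supplied is None:
        return False
    # Hashing both sides first gives equal-length inputs to compare_digest.
    a = hashlib.sha256(rec["password"].encode()).digest()
    b = hashlib.sha256(supplied.encode()).digest()
    return hmac.compare_digest(a, b)


def dispatch_display_only_check(records, req):
    """Gate only the form display: the pattern Ondrej warns about."""
    op = req.get("operation")
    rec_id = req.get("rec")  # the hidden Id field, client-controlled
    if op in (LABELS["Change"], LABELS["Copy"], LABELS["Delete"]):
        if not password_ok(records, rec_id, req.get("pwd")):
            return "display"          # fall back to the Display table
        return f"form:{op}"
    # Submit actions reach the database with no password check at all.
    if req.get("savedelete") == LABELS["Delete"]:
        records.pop(rec_id, None)
        return "deleted"
    if (req.get("savechange") == LABELS["Save"]
            or req.get("morechange") == LABELS["Apply"]):
        if rec_id in records:
            records[rec_id].update(req.get("fields", {}))
            return "saved"
    return "display"


def dispatch_all_actions_checked(records, req):
    """Gate the form display and every mutating action on the password."""
    op = req.get("operation")
    rec_id = req.get("rec")
    wants_form = op in (LABELS["Change"], LABELS["Copy"], LABELS["Delete"])
    wants_delete = req.get("savedelete") == LABELS["Delete"]
    wants_save = (req.get("savechange") == LABELS["Save"]
                  or req.get("morechange") == LABELS["Apply"])
    if wants_form or wants_delete or wants_save:
        # Proof of the password must accompany every request that touches
        # the record, since Id and the submit buttons come from the client.
        if not password_ok(records, rec_id, req.get("pwd")):
            return "display"
    if wants_form:
        return f"form:{op}"
    if wants_delete:
        records.pop(rec_id, None)
        return "deleted"
    if wants_save and rec_id in records:
        records[rec_id].update(req.get("fields", {}))
        return "saved"
    return "display"


# Constructed forged requests: submit button plus a chosen hidden Id, no
# password, and no prior visit to the Change or Delete form.
FORGED_DELETE = {"savedelete": "Delete", "rec": 2}
FORGED_SAVE = {"savechange": "Save", "rec": 1, "fields": {"password": "owned"}}


def demo():
    """Run the same forged requests through both dispatchers."""
    weak = copy.deepcopy(RECORDS)
    strong = copy.deepcopy(RECORDS)
    return {
        "weak_delete": dispatch_display_only_check(weak, FORGED_DELETE),
        "weak_save": dispatch_display_only_check(weak, FORGED_SAVE),
        "strong_delete": dispatch_all_actions_checked(strong, FORGED_DELETE),
        "strong_save": dispatch_all_actions_checked(strong, FORGED_SAVE),
        "weak_has_bob": 2 in weak,
        "weak_alice_pw": weak[1]["password"],
        "strong_has_bob": 2 in strong,
        "strong_alice_pw": strong[1]["password"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the display-only version the forged requests delete bob's row and overwrite alice's password; in the version that checks every action both are turned back to the Display table, while a request that carries the right password still reaches the form and the delete. Carrying the plaintext password in a hidden field on the form is the simplest way to satisfy the second dispatcher, but holding the proof server-side in the session after a successful check is the better design.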