From: Julian R C B. <J.B...@dc...> - 2003-03-18 13:12:35

Dear All,

I manage the website for a small club. I want to create an events listing which members can update themselves, so they can add/change/delete an event record. They would set a password (for that event) when adding an event and give the same password to change or delete the event.

So far, I have added a line to add a password entry field to phpMyEdit.class.php after the code to add the delete button to the foot of the listing:

    if ($this->delete_enabled()) {
        echo '<input';
        if (! $total_recs) {
            echo ' disabled';
        }
        echo ' type="submit" name="operation" value="'.$this->labels['Delete'].'"> ';
    } // if else
    }
    echo ' <input type="password" name="inputpassword" size=12 maxlength=12 value="inputpassword" >';

Now I need to ensure the encrypted inputpassword matches the stored one for that event before displaying the change or delete pages. Any ideas how I might do that?

Long term, I'd like such a feature built in to phpMyEdit.

Thanks
Julian

--
War on Iraq. Not in my name. www.stopwar.org.uk
Julian Briggs, Director of IT, Department of Computer Science, University of Sheffield, Regent Court, 211 Portobello St, Sheffield S1 4DP, UK
Phone +44 (0) 114-222-1851. Fax +44 (0) 114-222-1810
j.b...@sh... http://www.dcs.shef.ac.uk/~julian
From: Ondrej J. <ne...@po...> - 2003-03-20 18:47:16

> I manage the website for a small club. I want to create an events
> listing which members can update themselves, so they can
> add/change/delete an event record. They would set a password (for
> that event) when adding an event and give the same password to
> change or delete the event.
> So far, I have added a line to add a password entry field to
> phpMyEdit.class.php after the code to add the delete button to the
> foot of the listing:

I completely understand what the problem/requirement is. You are right, it is currently not possible to do such a thing with phpMyEdit, and it is uncertain for the future.

The solution could be to have a phpMyEdit extension for this. The extension would provide the same functionality as phpMyEdit, but it would also add the particular password check where it is necessary. The problem is that currently I do not have enough time to work on this. I'm glad that I have at least time to work on the 5.3 release.

You should also note that blocking the user before displaying the change or delete page is not a complex solution anymore. You have to block the particular action (record deletion and change) in addition to blocking these pages. Otherwise your application will not be secure (since it will contain this ugly vulnerability).

--
 _/| Ondrej Jombik - ne...@ph... - http://www.nepto.sk - OJ812-RIPE
<_ \ Platon SDG - open source software development - http://platon.sk
`\| UNIX is user friendly. It's selective about who its friends are!
 '`
From: Julian R C B. <J.B...@dc...> - 2003-03-21 16:08:04

Ondrej,

Thanks for your reply. I have a demo workaround by editing phpMyEdit.class.php thus:

Add the next line after "if ($this->delete_enabled()) {" (line 1410):

    echo ' Password: <input type="text" name="inputpassword" size=12 maxlength=12 value="changeme" >';

Add the next lines after "/* Database connection */" (line 2778):

    /* Require password for change/delete (JRCB 20-mar-03) */
    if ($this->operation == $this->labels['Change'] or $this->operation == $this->labels['Delete']) {
        $inputpassword = $this->pv['inputpassword'];
        $query = "select password from ".$this->tb." where id = ".$this->pv['rec'];
        $resource = $this->myquery($query);
        $row = mysql_fetch_row($resource);
        $password = $row[0];
        //echo "inputpassword: $inputpassword<br>";
        //echo "password: $password<br>";
        if ($inputpassword != $password) {
            echo "<h1>Enter a password and retry</h1>";
            $this->list_table();
            return false;
        }
    }

> You should also note that blocking the user before displaying the change or delete
> page is not a complex solution anymore. You have to block the particular action -
> record deletion and change in addition to blocking these pages. Otherwise
> your application will not be secure (since it will contain this ugly
> vulnerability).

I did not really follow this. Do you think my code, above, is insecure?

Thanks
Julian
From: Ondrej J. <ne...@po...> - 2003-03-27 23:46:56

> > You should also note that blocking the user before displaying the change or delete
> > page is not a complex solution anymore. You have to block the particular action -
> > record deletion and change in addition to blocking these pages. Otherwise
> > your application will not be secure (since it will contain this ugly
> > vulnerability).
> I did not really follow this. Do you think my code, above, is
> insecure?

It seems that it is not secure. You should think about checks when

    $this->savedelete == $this->labels['Delete']

or

    $this->morechange == $this->labels['Apply']

or

    $this->savechange == $this->labels['Save']

The tests you are performing only prevent the record form from being displayed. You have to handle the database manipulation actions (save, apply, delete) as well.
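As an added example of the check Ondrej describes (this is not phpMyEdit's code nor Julian's patch), one gate that covers both the Change/Delete form display and the Save/Apply/Delete actions, with the per-event password stored as a hash instead of plaintext and the record id bound as a query parameter rather than concatenated into the SQL. It assumes PHP 5.5 or later (password_hash / password_verify) and a PDO connection, neither of which the thread itself uses; the property and label names are the ones quoted in the thread.

```php
<?php
// Added example, not phpMyEdit code. Assumes PHP >= 5.5 (password_hash /
// password_verify), a PDO handle $pdo, and the thread's `id` and `password`
// columns; `password` holds a hash from hash_event_password(), not plaintext.

// Call when the event is added; store the result in the `password` column.
function hash_event_password($plain) {
    return password_hash($plain, PASSWORD_DEFAULT);
}

// True for every operation that must be gated: the Change/Delete form
// display AND the Save/Apply/Delete actions that actually write the row.
function is_protected_operation($pme, $op) {
    $l = $pme->labels;
    return $op === $l['Change'] || $op === $l['Delete']
        || $op === $l['Save']   || $op === $l['Apply'];
}

// Compare the submitted password with the hash stored for record $rec.
function event_password_ok(PDO $pdo, $table, $rec, $input) {
    // $rec comes from the request: bind it instead of concatenating it.
    $stmt = $pdo->prepare("SELECT password FROM `$table` WHERE id = :id");
    $stmt->execute(array(':id' => (int)$rec));
    $hash = $stmt->fetchColumn();
    if ($hash === false || $input === null || $input === '') {
        return false;   // unknown record or no password supplied
    }
    return password_verify($input, $hash);   // constant-time check
}

// Gate for phpMyEdit's execute(): returns false (and re-lists the table)
// unless the request carries the right password. Checks $pme->operation
// (form display) and savechange/morechange/savedelete (the write actions
// Ondrej lists), so a POST that skips the form is still blocked.
function require_event_password($pme, PDO $pdo) {
    $ops = array($pme->operation, $pme->savechange,
                 $pme->morechange, $pme->savedelete);
    foreach ($ops as $op) {
        if ($op === null || !is_protected_operation($pme, $op)) {
            continue;
        }
        $rec   = isset($pme->pv['rec']) ? $pme->pv['rec'] : null;
        $input = isset($pme->pv['inputpassword']) ? $pme->pv['inputpassword'] : null;
        if (!event_password_ok($pdo, $pme->tb, $rec, $input)) {
            echo '<h1>Enter the password for this event and retry</h1>';
            $pme->list_table();
            return false;   // caller must stop here: no form, no write
        }
    }
    return true;
}
```

The caller must honour the false return and stop processing, since the gate only refuses; it does not itself prevent the code after it from running.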