WebApp Sec mailing list archives

RE: cgi to update a datable table


From: "Blake Frantz" <blake () mc net>
Date: Tue, 29 Oct 2002 10:05:01 -0600


Using hidden fields is not a very good solution.  The end user could
simply construct their own html document and modify the hidden values to
their liking.

Have you considered separating the data into different tables?  One with
write permissions, one with read only?

Or..

Add a third column that indicates access levels required to modify that
row.  For example:

Id      txt     access req.
1       bob     user
2       sue     admin
3       jon     user

Or..

Add a third column that toggles the volatile state of the row.  For
example:

Prior to serving end users with modification page
Id      txt     volatile
1       bob     0
2       sue     0
3       jon     0

After serving end user with modification page
Id      txt     volatile
1       bob     1
2       sue     0
3       jon     1

After modifications have been performed
Id      txt     volatile
1       Bob     0
2       sue     0
3       Jon     0

Have your cgi check the volatile state before it updates.  

Hope this helps.

Blake

-----Original Message-----
From: Allan Wind [mailto:allanwind () attbi com] 
Sent: Monday, October 28, 2002 9:59 PM
To: webappsec () securityfocus com
Subject: cgi to update a datable table


I am writing a cgi to edit a list of values obtained from a database which
on form submission is propagated back to a database.  How is this usually
done such that the end-user can only change the values presented?

For example, given the following table ("tbl"), I only want the end-user
to change row 1 and 3 for a run of my cgi:

        id      txt

        1       hello
        2       sweet
        3       world

with the form looking something like this:

        <input name="a" value="hello"/>
        <input name="b" value="world"/>

(1) One solution would be to keep a record of what to expect back, e.g.
(session_id, a, b) either in the cgi with the help of backend storage or
in database middleware.  (2) Another solution would be to keep a record in
a hidden field of the page itself, e.g. (a, b, hmac(a+b, secret)).

If the value of id is interesting, a and b could be unique values that
map to the real ids.


/Allan
-- 
Allan Wind
P.O. Box 2022
Woburn, MA 01888-0022
USA
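Blake's "volatile" column check applied to Allan's question, as an added worked example (not code from either poster). It uses an in-memory SQLite table in place of the real database; the schema, the function names and the sample rows are assumptions for illustration.

```python
import sqlite3

# Constructed sample rows: Allan's table "tbl" plus Blake's volatile column.
SEED_ROWS = [(1, "hello", 0), (2, "sweet", 0), (3, "world", 0)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl (id INTEGER PRIMARY KEY, txt TEXT,"
                 " volatile INTEGER NOT NULL DEFAULT 0)")
    conn.executemany("INSERT INTO tbl VALUES (?, ?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def serve_form(conn, ids):
    """Step 1 (serving the edit page): flag only the rows being shown as
    editable (volatile=1) and return the (id, txt) pairs for the form."""
    marks = ",".join("?" * len(ids))
    conn.execute(f"UPDATE tbl SET volatile = 1 WHERE id IN ({marks})", ids)
    conn.commit()
    return conn.execute(f"SELECT id, txt FROM tbl WHERE id IN ({marks})"
                        " ORDER BY id", ids).fetchall()


def apply_update(conn, submitted):
    """Step 2 (form submission): `submitted` maps id -> new txt as posted
    back by the browser.  A row is written only if the server flagged it
    volatile; any other id the client sends is rejected, not trusted."""
    accepted, rejected = [], []
    for row_id, new_txt in submitted.items():
        cur = conn.execute(
            "UPDATE tbl SET txt = ?, volatile = 0"
            " WHERE id = ? AND volatile = 1",
            (new_txt, row_id),
        )
        (accepted if cur.rowcount == 1 else rejected).append(row_id)
    # Clear flags on rows the client did not send back, so a stale or
    # replayed submission cannot edit them later.
    conn.execute("UPDATE tbl SET volatile = 0")
    conn.commit()
    return accepted, rejected


def current_rows(conn):
    return conn.execute("SELECT id, txt, volatile FROM tbl ORDER BY id").fetchall()
```

A submission that adds an id the page never offered (row 2 here) is rejected while rows 1 and 3 go through, and because the flags are reset after the update, re-posting the same form a second time changes nothing.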
