WebApp Sec mailing list archives
RE: cgi to update a datable table
From: "Blake Frantz" <blake () mc net>
Date: Tue, 29 Oct 2002 10:05:01 -0600
Using hidden fields is not a very good solution. The end user could simply construct their own html document and modify the hidden values to their liking.

Have you considered separating the data into different tables? One with write permissions, one with read only?

Or.. Add a third column that indicates access levels required to modify that row. For example:

  Id   txt   access req.
  1    bob   user
  2    sue   admin
  3    jon   user

Or.. Add a third column that toggles the volatile state of the row. For example:

Prior to serving end users with modification page

  Id   txt   volatile
  1    bob   0
  2    sue   0
  3    jon   0

After serving end user with modification page

  Id   txt   volatile
  1    bob   1
  2    sue   0
  3    jon   1

After modifications have been performed

  Id   txt   volatile
  1    Bob   0
  2    sue   0
  3    Jon   0

Have your cgi check the volatile state before it updates.

Hope this helps.

Blake

-----Original Message-----
From: Allan Wind [mailto:allanwind () attbi com]
Sent: Monday, October 28, 2002 9:59 PM
To: webappsec () securityfocus com
Subject: cgi to update a datable table

I am writing cgi to edit a list of values obtained from a database which on form submission is propagated back to a database. How is this usually done such that end-user can only change the values presented?

For example, given the following table ("tbl"), I only want the end-user to change row 1 and 3 for a run of my cgi:

  id   txt
  1    hello
  2    sweet
  3    world

with the form looking something like this:

  <input name="a" value="hello"/>
  <input name="b" value="world"/>

(1) One solution would be to keep a record of what to expect back, e.g. (session_id, a, b) either in the cgi with the help of backend storage or in database middleware.

(2) Another solution would be to keep record in a hidden field of the page itself e.g. (a, b, hmac(a+b, secret))

If the value of id is interesting, a and b could be unique values that map to the real ids.

/Allan

--
Allan Wind
P.O. Box 2022
Woburn, MA 01888-0022
USA
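An added example, editor's code rather than anything posted in the thread, that combines Allan's option (2), an HMAC over the set of row ids the served form may change, with Blake's volatile flag checked inside the UPDATE itself. The table, secret, function names and the three sample rows are constructed for illustration. Two details go beyond what either message spells out: the HMAC is computed over a canonical JSON encoding of the id list instead of a bare a+b concatenation, so no two id sets can produce the same message, and the volatile check is folded into the UPDATE's WHERE clause so a row that was not served (or was already written back) is never touched.

```python
import hashlib
import hmac
import json
import secrets
import sqlite3

# Hypothetical per-deployment key. A real CGI would load it from a file
# outside the web root, not generate it at import time.
SECRET = secrets.token_bytes(32)


def make_db():
    """Constructed sample table: id, txt, plus the volatile flag from the thread."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE tbl (id INTEGER PRIMARY KEY, txt TEXT NOT NULL,"
        " volatile INTEGER NOT NULL DEFAULT 0)"
    )
    con.executemany(
        "INSERT INTO tbl (id, txt) VALUES (?, ?)",
        [(1, "hello"), (2, "sweet"), (3, "world")],
    )
    con.commit()
    return con


def read_rows(con):
    return con.execute("SELECT id, txt, volatile FROM tbl ORDER BY id").fetchall()


def sign(ids):
    # Canonical encoding (sorted ids, no whitespace) so the signed message
    # has exactly one parse; a plain string concatenation does not.
    msg = json.dumps(sorted(ids), separators=(",", ":")).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_form(con, ids):
    """Server side of rendering the edit page: mark the served rows volatile
    and return the field values plus the token the hidden field would carry."""
    con.executemany("UPDATE tbl SET volatile = 1 WHERE id = ?", [(i,) for i in ids])
    con.commit()
    marks = ",".join("?" * len(ids))
    rows = con.execute(f"SELECT id, txt FROM tbl WHERE id IN ({marks})", ids).fetchall()
    return {"fields": {str(i): t for i, t in rows}, "ids": sorted(ids), "token": sign(ids)}


def apply_update(con, submission):
    """Returns (ok, reason). Writes only rows that were signed AND still volatile."""
    ids = submission.get("ids", [])
    token = submission.get("token", "")
    if not isinstance(ids, list) or not all(isinstance(i, int) for i in ids):
        return False, "bad ids"
    # Constant-time compare: the client chose both ids and token.
    if not hmac.compare_digest(sign(ids), token):
        return False, "token mismatch"
    fields = submission.get("fields", {})
    try:
        submitted = {int(k) for k in fields}
    except (TypeError, ValueError):
        return False, "bad field name"
    if submitted - set(ids):
        return False, "field outside signed set"
    cur = con.cursor()
    for i in ids:
        if str(i) not in fields:
            continue
        # Blake's check, done atomically: the row must still be volatile,
        # and writing it back clears the flag so the form cannot be replayed.
        cur.execute(
            "UPDATE tbl SET txt = ?, volatile = 0 WHERE id = ? AND volatile = 1",
            (fields[str(i)], i),
        )
        if cur.rowcount != 1:
            con.rollback()
            return False, f"row {i} not volatile"
    con.commit()
    return True, "ok"


if __name__ == "__main__":
    con = make_db()
    form = issue_form(con, [1, 3])
    print(apply_update(con, {"ids": form["ids"], "token": form["token"],
                             "fields": {"1": "Bob", "3": "Jon"}}))
    print(read_rows(con))
```

The token here binds only the id set, not the session or user, so it stops a client from adding rows to the form but not from submitting someone else's served form; binding the session id into the signed message, as in Allan's option (1), closes that gap.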
Current thread:
- cgi to update a datable table Allan Wind (Oct 28)
- RE: cgi to update a datable table Blake Frantz (Oct 29)
- Re: cgi to update a datable table Allan Wind (Oct 29)
- Message not available
- Re: cgi to update a datable table Allan Wind (Oct 29)
- RE: cgi to update a datable table Blake Frantz (Oct 29)
- <Possible follow-ups>
- RE: cgi to update a datable table Shields, Larry (Oct 29)