RE: cgi to update a datable table

["Shields, Larry" <Larry.Shields () FMR COM>]

        Allan had already accounted for that in his example, as he described
that he would use an HMAC to prevent tampering with the parameters.  Unless
someone breaks/steals your secret key, they would not be able to tamper with
the name/value pairs.  (Well, they could tamper with them, but to no real
effect.)

-Larry Shields, CISSP

-----Original Message-----
From: Blake Frantz [mailto:blake () mc net]
Sent: Tuesday, October 29, 2002 11:05 AM
To: 'Allan Wind'; webappsec () securityfocus com
Subject: RE: cgi to update a datable table



Using hidden fields is not a very good solution.  The end user could
simply construct their own html document and modify the hidden values to
their liking.
.
.
.

-----Original Message-----
From: Allan Wind [mailto:allanwind () attbi com] 
Sent: Monday, October 28, 2002 9:59 PM
To: webappsec () securityfocus com
Subject: cgi to update a datable table


I am writing cgi to edit a list of values obtained from a database which
on form submission is progaged back to a database.  How is this usually
done such that end-user can only change the values presented?

For example, given the following table ("tbl"), I only want the end-user
to change row 1 and 3 for a run of my cgi:

        id      txt

        1       hello
        2       sweet
        3       world

with the form looking something like this:

        <input name="a" value="hello"/>
        <input name="b" value="world"/>

(1) One solution would be to keep a record of what to expect back, e.g.
(session_id, a, b) either in the cgi with the help of backend storage or
in database middleware.  (2) Another solution would be to keep record in
a hidden field of the page itself e.g. (a, b, hmac(a+b, secret))

If the value of id is interesting, a and b could be unique values that
map to the real ids.


/Allan
-- 
Allan Wind
P.O. Box 2022
Woburn, MA 01888-0022
USA