WebApp Sec mailing list archives
RE: cgi to update a datable table
From: "Shields, Larry" <Larry.Shields () FMR COM>
Date: Tue, 29 Oct 2002 13:34:03 -0500
Allan had already accounted for that in his example, as he described that he would use an HMAC to prevent tampering with the parameters. Unless someone breaks/steals your secret key, they would not be able to tamper with the name/value pairs. (Well, they could tamper with them, but to no real effect.)

-Larry Shields, CISSP

-----Original Message-----
From: Blake Frantz [mailto:blake () mc net]
Sent: Tuesday, October 29, 2002 11:05 AM
To: 'Allan Wind'; webappsec () securityfocus com
Subject: RE: cgi to update a datable table

Using hidden fields is not a very good solution. The end user could simply construct their own HTML document and modify the hidden values to their liking.

. . .

-----Original Message-----
From: Allan Wind [mailto:allanwind () attbi com]
Sent: Monday, October 28, 2002 9:59 PM
To: webappsec () securityfocus com
Subject: cgi to update a datable table

I am writing cgi to edit a list of values obtained from a database which on form submission is propagated back to a database. How is this usually done such that the end-user can only change the values presented? For example, given the following table ("tbl"), I only want the end-user to change rows 1 and 3 for a run of my cgi:

id  txt
1   hello
2   sweet
3   world

with the form looking something like this:

<input name="a" value="hello"/>
<input name="b" value="world"/>

(1) One solution would be to keep a record of what to expect back, e.g. (session_id, a, b), either in the cgi with the help of backend storage or in database middleware.

(2) Another solution would be to keep a record in a hidden field of the page itself, e.g. (a, b, hmac(a+b, secret)).

If the value of id is interesting, a and b could be unique values that map to the real ids.

/Allan

--
Allan Wind
P.O. Box 2022
Woburn, MA 01888-0022 USA
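Editor's added example (not code from any poster in this thread): Allan's option (2), the signed hidden field, written out as a small Python CGI helper. It assumes a server-side secret (constructed here), hidden fields named `_rows` and `_tag`, HMAC-SHA256, and two details the thread leaves open: the session id is included in the signed data so a valid tag cannot be replayed from another user's page, and the data is encoded as canonical JSON instead of the `a+b` concatenation Allan sketched, because plain concatenation is ambiguous (the final function shows two different pairs producing the same tag). On submission only the field names that appear in the signed mapping are accepted, which is exactly the "only the values presented" property Allan asked for.

```python
import hashlib
import hmac
import html
import json

# Constructed secret for this example only; a real CGI would load it from
# protected server-side configuration, never from the page or the request.
SECRET_KEY = b"constructed-example-key-not-for-production"


def canonical_payload(session_id, field_to_row):
    """Encode (session_id, {form field -> row id}) unambiguously.

    hmac(a+b) as sketched in the thread is ambiguous ("hel"+"loworld" equals
    "hello"+"world"), so a canonical JSON encoding is signed instead.
    """
    return json.dumps({"sid": session_id, "rows": field_to_row},
                      sort_keys=True, separators=(",", ":"))


def sign_fields(session_id, field_to_row):
    """Return (payload, tag) to embed as hidden fields when rendering the form."""
    payload = canonical_payload(session_id, field_to_row)
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload, tag


def render_form(session_id, field_to_row, current_values):
    """Render the editable inputs plus the signed hidden fields as HTML."""
    payload, tag = sign_fields(session_id, field_to_row)
    lines = ['<input name="%s" value="%s"/>' % (html.escape(name, quote=True),
                                                html.escape(current_values[name], quote=True))
             for name in field_to_row]
    lines.append('<input type="hidden" name="_rows" value="%s"/>' % html.escape(payload, quote=True))
    lines.append('<input type="hidden" name="_tag" value="%s"/>' % tag)
    return "\n".join(lines)


def verify_fields(session_id, payload, tag):
    """Return the field->row map if tag is valid for this payload and session, else None."""
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; a plain == would leak timing on the first mismatching byte.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    data = json.loads(payload)
    # Binding the session id stops a valid (payload, tag) pair being replayed
    # from a page served to a different user.
    if data.get("sid") != session_id:
        return None
    return data["rows"]


def build_updates(session_id, form):
    """Map a submitted form (dict of field -> value) to (row_id, new_txt) updates.

    Returns None when the hidden fields are missing or were tampered with. Any
    field not named in the signed mapping is ignored, so only the rows the
    server offered can be changed.
    """
    rows = verify_fields(session_id, form.get("_rows", ""), form.get("_tag", ""))
    if rows is None:
        return None
    return [(row_id, form[name]) for name, row_id in rows.items() if name in form]


def naive_concat_collides():
    """Why hmac(a+b) is not enough: two different (a, b) pairs share one tag."""
    def mac(a, b):
        return hmac.new(SECRET_KEY, (a + b).encode(), hashlib.sha256).digest()
    return mac("hel", "loworld") == mac("hello", "world")


if __name__ == "__main__":
    # Constructed walk-through matching the thread: rows 1 and 3 are editable.
    sid = "constructed-session-id"
    print(render_form(sid, {"a": 1, "b": 3}, {"a": "hello", "b": "world"}))
    payload, tag = sign_fields(sid, {"a": 1, "b": 3})
    print(build_updates(sid, {"_rows": payload, "_tag": tag, "a": "hi", "b": "there"}))
```

The tag only proves the server produced the mapping; the values the user types into `a` and `b` are still untrusted input and must be validated and parameterised before they reach the UPDATE statement, as with any form field.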
Current thread:
- cgi to update a datable table Allan Wind (Oct 28)
- RE: cgi to update a datable table Blake Frantz (Oct 29)
- Re: cgi to update a datable table Allan Wind (Oct 29)
- Message not available
- Re: cgi to update a datable table Allan Wind (Oct 29)
- RE: cgi to update a datable table Blake Frantz (Oct 29)
- <Possible follow-ups>
- RE: cgi to update a datable table Shields, Larry (Oct 29)