Using hidden fields is not a very good solution. The end user could
simply construct their own HTML document and modify the hidden values to
their liking.
Have you considered separating the data into different tables? One with
write permissions, one with read only?
Or..
Add a third column that indicates access levels required to modify that
row. For example:
Id   txt   access req.
1    bob   user
2    sue   admin
3    jon   user
Or..
Add a third column that toggles the volatile state of the row. For
example:
Prior to serving end users with the modification page:
Id   txt   volatile
1    bob   0
2    sue   0
3    jon   0
After serving the end user with the modification page:
Id   txt   volatile
1    bob   1
2    sue   0
3    jon   1
After modifications have been performed:
Id   txt   volatile
1    Bob   0
2    sue   0
3    Jon   0
Have your CGI check the volatile state before it updates.
Hope this helps.
Blake
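The volatile-flag scheme above, worked through as an added example (this is not Blake's code and not part of the original thread). It uses Python with an in-memory SQLite table whose columns follow his tables; the function names, the row data and the UPDATE shape are assumptions. The point it shows is the check in apply_edits: the UPDATE only matches rows whose flag was set when the page was served, so a submitted id that was never served (row 2 below) changes nothing and is reported as rejected.

```python
import sqlite3


def make_db():
    """Constructed sample table: id, txt and the 'volatile' flag from the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tbl ("
        " id INTEGER PRIMARY KEY,"
        " txt TEXT NOT NULL,"
        " volatile INTEGER NOT NULL DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO tbl (id, txt) VALUES (?, ?)",
        [(1, "bob"), (2, "sue"), (3, "jon")],
    )
    conn.commit()
    return conn


def serve_edit_page(conn, ids):
    """Step 1: mark the rows being handed to the user as editable (volatile=1)
    and return them, i.e. what the modification page would be built from."""
    ids = list(ids)
    placeholders = ",".join("?" * len(ids))  # literal '?' markers, values are bound
    conn.execute(f"UPDATE tbl SET volatile = 1 WHERE id IN ({placeholders})", ids)
    conn.commit()
    return conn.execute(
        f"SELECT id, txt FROM tbl WHERE id IN ({placeholders}) ORDER BY id", ids
    ).fetchall()


def apply_edits(conn, submitted):
    """Step 2: the CGI's update. 'submitted' maps row id -> new txt as posted.
    The WHERE clause refuses any row that was not served (volatile=0), so a
    client that adds an extra id to the form cannot modify it. Returns
    (applied_ids, rejected_ids)."""
    applied, rejected = [], []
    for row_id, new_txt in submitted.items():
        cur = conn.execute(
            "UPDATE tbl SET txt = ?, volatile = 0 WHERE id = ? AND volatile = 1",
            (new_txt, row_id),
        )
        (applied if cur.rowcount == 1 else rejected).append(row_id)
    # Clear flags on served rows the user chose not to resubmit.
    conn.execute("UPDATE tbl SET volatile = 0")
    conn.commit()
    return applied, rejected


def snapshot(conn):
    """Full table contents, for inspection."""
    return conn.execute("SELECT id, txt, volatile FROM tbl ORDER BY id").fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("served:", serve_edit_page(conn, [1, 3]))
    print("during edit:", snapshot(conn))
    print("applied/rejected:", apply_edits(conn, {1: "Bob", 2: "Eve", 3: "Jon"}))
    print("after:", snapshot(conn))
```

One limitation worth knowing before adopting this: the flag lives on the row, not on the session, so two users served overlapping rows at the same time can each update the other's rows, and a user who abandons the page leaves rows flagged until something clears them. Storing a per-session token (or the session id) in the column instead of a 0/1 flag, and matching on it in the WHERE clause, closes that gap.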
-----Original Message-----
From: Allan Wind [mailto:allanwind_at_attbi.com]
Sent: Monday, October 28, 2002 9:59 PM
To: webappsec_at_securityfocus.com
Subject: cgi to update a database table
I am writing a cgi to edit a list of values obtained from a database which
on form submission is propagated back to the database. How is this usually
done such that the end-user can only change the values presented?
For example, given the following table ("tbl"), I only want the end-user
to change row 1 and 3 for a run of my cgi:
id   txt
1    hello
2    sweet
3    world
with the form looking something like this:
<input name="a" value="hello"/>
<input name="b" value="world"/>
(1) One solution would be to keep a record of what to expect back, e.g.
(session_id, a, b), either in the cgi with the help of backend storage or
in database middleware. (2) Another solution would be to keep a record in
a hidden field of the page itself, e.g. (a, b, hmac(a+b, secret)).
If the value of id is interesting, a and b could be unique values that
map to the real ids.
/Allan
--
Allan Wind
P.O. Box 2022
Woburn, MA 01888-0022
USA
Received on Oct 29 2002
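Allan's option (2), the hidden field carrying an HMAC, worked through as an added example (this is not code from the thread). Two details matter for it to answer the objection that hidden fields can be edited: the MAC must be over a canonical encoding of the allowed ids, because plain concatenation as in hmac(a+b, secret) lets "1"+"23" and "12"+"3" produce the same input, and the secret must never leave the server. The example also binds the session id into the signed payload, which combines it with option (1) so a token cannot be replayed in another session. Python with the standard library; the token layout, field names and the constructed secret are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed for the example; a real secret is generated once and kept server-side.
SECRET = b"constructed-server-side-secret"


def issue_token(secret, session_id, allowed_ids):
    """Sign the set of row ids this session may edit.
    The payload is canonical JSON (sorted keys, sorted ids, no whitespace), so
    there is exactly one byte string per (session, id set) and no concatenation
    ambiguity. Token = base64url(payload) '.' hex(HMAC-SHA256(secret, payload))."""
    payload = json.dumps(
        {"sid": session_id, "ids": sorted({int(i) for i in allowed_ids})},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def verify_token(secret, session_id, token):
    """Return the allowed id list, or None if the token is malformed, its tag
    does not verify (forged or altered payload), or it belongs to another session."""
    try:
        b64, tag = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except ValueError:  # covers missing '.' and bad base64 (binascii.Error)
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(data, dict) or data.get("sid") != session_id:
        return None
    ids = data.get("ids")
    if not isinstance(ids, list) or not all(isinstance(i, int) for i in ids):
        return None
    return ids


def apply_submission(secret, session_id, form):
    """What the CGI does on POST. 'form' is the parsed body: a 'token' field plus
    'txt_<id>' fields. Returns (accepted, rejected) where accepted maps row id ->
    new text for rows the token permits, or None if the token fails to verify,
    in which case nothing should be written."""
    allowed = verify_token(secret, session_id, form.get("token", ""))
    if allowed is None:
        return None
    accepted, rejected = {}, []
    for key, value in form.items():
        if not key.startswith("txt_"):
            continue
        try:
            row_id = int(key[len("txt_"):])
        except ValueError:
            rejected.append(key)
            continue
        if row_id in allowed:
            accepted[row_id] = value
        else:
            rejected.append(row_id)  # id the client added on its own
    return accepted, rejected


if __name__ == "__main__":
    tok = issue_token(SECRET, "sess-42", [1, 3])
    # The hidden field would be: <input type="hidden" name="token" value="...tok...">
    posted = {"token": tok, "txt_1": "Hello", "txt_2": "evil", "txt_3": "World"}
    print(apply_submission(SECRET, "sess-42", posted))
    print(apply_submission(SECRET, "sess-42", dict(posted, token=tok[:-1] + "!")))
```

The token is still a hidden field the user can see and edit; the difference is that any edit to the id list, or reuse of the token in another session, makes verification fail, and the server then rejects the whole submission rather than guessing which rows were legitimate. Adding an issued-at time to the payload and rejecting old tokens bounds how long a captured token stays usable.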