WebApp Sec: RE: cgi to update a datable table

RE: cgi to update a datable table

From: Shields, Larry <Larry.Shields_at_FMR.COM>
Date: Tue, 29 Oct 2002 13:34:03 -0500

Allan had already accounted for that in his example, as he described
that he would use an HMAC to prevent tampering with the parameters. Unless
someone breaks/steals your secret key, they would not be able to tamper with
the name/value pairs. (Well, they could tamper with them, but to no real
effect.)

-Larry Shields, CISSP

-----Original Message-----
From: Blake Frantz [mailto:blake_at_mc.net]
Sent: Tuesday, October 29, 2002 11:05 AM
To: 'Allan Wind'; webappsec_at_securityfocus.com
Subject: RE: cgi to update a datable table

Using hidden fields is not a very good solution. The end user could
simply construct their own html document and modify the hidden values to
their liking.
.
.
.

-----Original Message-----
From: Allan Wind [mailto:allanwind_at_attbi.com]
Sent: Monday, October 28, 2002 9:59 PM
To: webappsec_at_securityfocus.com
Subject: cgi to update a datable table

I am writing a CGI to edit a list of values obtained from a database, which
on form submission is propagated back to the database. How is this usually
done such that the end-user can only change the values presented?

For example, given the following table ("tbl"), I only want the end-user
to change rows 1 and 3 for a run of my CGI:

        id txt

        1 hello
        2 sweet
        3 world

with the form looking something like this:

        <input name="a" value="hello"/>
        <input name="b" value="world"/>

(1) One solution would be to keep a record of what to expect back, e.g.
(session_id, a, b), either in the CGI with the help of backend storage or
in database middleware. (2) Another solution would be to keep a record in
a hidden field of the page itself, e.g. (a, b, hmac(a+b, secret)).

If the value of id is interesting, a and b could be unique values that
map to the real ids.

/Allan

-- 
Allan Wind
P.O. Box 2022
Woburn, MA 01888-0022
USA
Received on Oct 29 2002
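As an added example (not code from anyone in this thread), here is Allan's option (2) in Python: the HMAC covers the session id plus the list of field names the user is allowed to edit, so the values stay editable while renaming, adding or replaying fields is detected. The secret, session ids and field names are constructed values; the items are length-prefixed rather than simply concatenated as in "a+b", so that two different name lists cannot produce the same input to the HMAC.

```python
import hmac
import hashlib

# Constructed server-side secret for this example; a real deployment loads it from config.
SECRET = b"example-secret-key-not-for-production"


def _canonical(session_id, names):
    # Length-prefix each item so that ("ab", "c") and ("a", "bc") cannot collide,
    # which plain string concatenation (a+b) would allow.
    parts = [f"{len(x)}:{x}" for x in (session_id, *names)]
    return "|".join(parts).encode()


def sign_names(session_id, names, secret=SECRET):
    """HMAC over the session id and the editable field names.

    The values are deliberately not covered: the user is meant to change them.
    The server keeps its own map from the opaque names (a, b) to real row ids.
    """
    return hmac.new(secret, _canonical(session_id, names), hashlib.sha256).hexdigest()


def build_hidden_fields(session_id, names):
    """Hidden fields the CGI emits next to the editable <input> elements."""
    names = sorted(names)
    return {"allowed": ",".join(names), "mac": sign_names(session_id, names)}


def verify_submission(session_id, form, secret=SECRET):
    """Return {name: new_value} for the fields the user was offered,
    or None if the hidden fields were altered or replayed."""
    names = form.get("allowed", "").split(",")
    expected = sign_names(session_id, names, secret)
    # Constant-time comparison so the MAC check does not leak timing information.
    if not hmac.compare_digest(expected, form.get("mac", "")):
        return None  # allowed-list altered, or form replayed under another session
    edits = {k: v for k, v in form.items() if k not in ("allowed", "mac")}
    if set(edits) - set(names):
        return None  # user added a field (e.g. for row 2) that was never offered
    return edits


if __name__ == "__main__":
    hidden = build_hidden_fields("sess-1", ["a", "b"])
    submitted = dict(hidden, a="hi", b="there")
    print(verify_submission("sess-1", submitted))
```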