WebApp Sec mailing list archives
cgi to update a datable table
From: allanwind () attbi com (Allan Wind)
Date: Mon, 28 Oct 2002 22:58:54 -0500

I am writing cgi to edit a list of values obtained from a database which
on form submission is propagated back to a database. How is this usually
done such that the end-user can only change the values presented?

For example, given the following table ("tbl"), I only want the end-user
to change row 1 and 3 for a run of my cgi:

id txt
1 hello
2 sweet
3 world

with the form looking something like this:

<input name="a" value="hello"/>
<input name="b" value="world"/>

(1) One solution would be to keep a record of what to expect back, e.g.
(session_id, a, b) either in the cgi with the help of backend storage or
in database middleware. (2) Another solution would be to keep a record in
a hidden field of the page itself, e.g. (a, b, hmac(a+b, secret)).

If the value of id is interesting, a and b could be unique values that
map to the real ids.

/Allan
--
Allan Wind
P.O. Box 2022
Woburn, MA 01888-0022
USA
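
Option (2) from the message above, sketched in Python as an added example that is not part of the original post: the list of editable row ids travels in a hidden field protected by an HMAC, and the handler writes back only the ids that verify. The function names, the `row_N` field naming, the demo key and the binding of the MAC to a session id are assumptions made for this sketch.

```python
import hashlib
import hmac
import html
import json

SECRET = b"constructed-demo-key"  # assumption: a random key kept only on the server


def sign_ids(session_id, row_ids):
    # Canonical JSON keeps field boundaries unambiguous; a bare a+b would let
    # ids ("1", "23") and ("12", "3") produce the same MAC input.
    msg = json.dumps([session_id, sorted(row_ids)], separators=(",", ":")).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def render_form(session_id, rows):
    """rows: {id: txt} for the rows this user may edit. Returns the form fields."""
    ids = sorted(rows)
    fields = [
        f'<input name="row_{i}" value="{html.escape(rows[i], quote=True)}"/>'
        for i in ids
    ]
    id_list = ",".join(str(i) for i in ids)
    fields.append(f'<input type="hidden" name="ids" value="{id_list}"/>')
    fields.append(f'<input type="hidden" name="mac" value="{sign_ids(session_id, ids)}"/>')
    return "\n".join(fields)


def accept_submission(session_id, form):
    """Return {id: new_txt} to write back; raise ValueError if the id list was altered."""
    try:
        ids = [int(x) for x in form.get("ids", "").split(",")]
    except ValueError:
        raise ValueError("malformed id list")
    expected = sign_ids(session_id, ids).encode()
    if not hmac.compare_digest(expected, form.get("mac", "").encode()):
        raise ValueError("id list does not match its MAC")
    # Only signed ids are read; any extra row_N field in the request is ignored.
    return {i: form[f"row_{i}"] for i in ids if f"row_{i}" in form}
```

The MAC covers which rows may change, not their new values, so the submitted text still needs the usual validation and parameterized SQL on the way back into the database.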
Current thread:
- cgi to update a datable table Allan Wind (Oct 28)
- RE: cgi to update a datable table Blake Frantz (Oct 29)
- Re: cgi to update a datable table Allan Wind (Oct 29)
- Message not available
- Re: cgi to update a datable table Allan Wind (Oct 29)
- RE: cgi to update a datable table Blake Frantz (Oct 29)
- <Possible follow-ups>
- RE: cgi to update a datable table Shields, Larry (Oct 29)
