There are some more serious security implications with your choice of tools (e.g., injections).  Far from the definitive word, these are hotly debated, demonstrated, and refuted.  Here are a couple of blog articles that you should research and consider re PHP:

 

- PHP Insecurity: Failure of Leadership (http://www.greebo.net/?p=320)

 

- PHP Security: Dumb Users or Dumb APIs? (http://www.sitepoint.com/blogs/2006/01/24/php-security-dumb-users-or-dumb-apis/)

 

This is from last year’s Blackhat, but it’s fairly new and still relevant:

 

- Beefed up OWASP 2.0 introduced at BlackHat (http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1111443,00.html)  and (http://www.owasp.org/index.php/Main_Page)

 

How to harden this?  It’s a moving target.  PHP6?  Until it is released and then I’ll say PHP7…   ;-)

 

The key is that if you don’t *really* have to be web-accessible, then don’t.

 

Steve

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oscar Schultz
Sent: Friday, August 18, 2006 5:48 PM
To: [EMAIL PROTECTED]; LDS Open Source Software
Subject: Re: [Ldsoss] Scout Tracking

 

you ever get the table definitions done as SQL?

Hello list,

Between scout camp, yw camp and family reunions I've done some work, but not as much as I wanted, on the tracker.

Below is what I currently have

The question for the list is how to make the user interface secure.

The tools I have selected are mysql, php5, pear, apache2, and linux as the base os.

The application will run as a web server (server side code rather than JavaScript) and will require cookies.

I have been reading about cross-site scripting attacks (XSS). XSS looks to be a serious problem since it uses man in the middle to steal cookies.

Anyone have some ideas on how to harden a web application so I can avoid design problems upfront?

thanks

oscar

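create database tracker;

# Least privilege for the account the PHP code will connect with: it only
# needs DML on the tracker schema.  create/alter are schema-change rights and
# belong to a separate admin account used to run this file, so a SQL injection
# or a leaked config file cannot alter or drop tables.
# The grantee in the draft was redacted by the list archive; the placeholder
# below must be replaced with the real 'user'@'host', and the account must be
# created with a password (identified by) rather than the MySQL default of none.
grant select, insert, update, delete on tracker.* to '<app_user>'@'<app_host>' identified by '<app_password>';

use tracker;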

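#the table to record personal information
create table people (
    record_id int unsigned not null auto_increment,
    firstname varchar (30) not null default '',
    middlename varchar (30) not null default '',
    lastname varchar (30) not null default '',
    preferredname varchar (30) not null default '',
    gender varchar (1),
    # one real date column instead of the varchar(2)/(3)/(4) day, month and
    # year parts of the draft: the database validates the value and the
    # awards.min_age / max_age checks become plain date arithmetic
    birthdate date,
    # shared secret given out at pickup time; treat it like a password and
    # store only a salted hash of it (column widened so a hash fits), never
    # the cleartext
    emergency_passphrase varchar (255),
    # TODO(author): the draft marks this column "???? date" - name and purpose
    # are still undecided
    date datetime,
    # MySQL requires an auto_increment column to be a key; the draft had none
    primary key (record_id)
);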

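# the table to record personal address information
# 1 people record to many address record relationship
create table address (
    record_id int unsigned not null auto_increment,
    # owner of the address (people.record_id).  The draft marked it
    # auto_increment, but a foreign key is assigned by the application and
    # MySQL allows only one auto_increment column per table
    people_record_id int unsigned not null,
    address1 varchar (40),
    address2 varchar (40),
    city varchar (40),
    county varchar (40),
    state varchar (40),
    zipcode varchar (9),
    type varchar (10), # (primary, secondary, mailbox, residence, shipping, other, unknown)
    # TODO(author): "date ?????" in the draft - purpose still undecided
    date datetime,
    primary key (record_id),
    # the per-person lookup is the common access path
    index address_people_record_id_idx (people_record_id)
);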

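# the table to record personal phone information
# 1 people record to many phone record relationship
create table phone (
    record_id int unsigned not null auto_increment,
    # owner of the number (people.record_id); not auto_increment - a foreign
    # key is assigned by the application
    people_record_id int unsigned not null,
    type varchar (10), # (personal cell, home, business, home2, business cell)
    area_code varchar (3),
    number varchar (7),
    # the draft ended this line and the next with '.' instead of ','
    extension varchar (7),
    # TODO(author): "date ?????" in the draft - purpose still undecided
    date datetime,
    primary key (record_id),
    index phone_people_record_id_idx (people_record_id)
);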

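# a table to record emergency contacts
# 1 personal to many personal relationship
create table emergency_contact (
    record_id int unsigned not null auto_increment,
    people_record_id int unsigned not null, #(participate) -> people.record_id
    # the draft declared people_record_id twice, which MySQL rejects; the
    # second one is the contact person, so it gets its own name
    contact_record_id int unsigned not null, #(emergency contact) -> people.record_id
    relationship varchar (32), # string
    # TODO(author): "date ?????" in the draft - purpose still undecided
    date datetime,
    primary key (record_id),
    index emergency_contact_people_record_id_idx (people_record_id)
);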

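# the authorization table to control access via the
# web interface
# column types are provisional - the draft listed only the names
create table auth (
    record_id int unsigned not null auto_increment,
    fname varchar (30) not null default '', #first_name
    mname varchar (30) not null default '', #middle_name
    lname varchar (30) not null default '', #last_name
    userid varchar (30) not null,
    # holds a salted hash produced by a password-hashing function, never the
    # cleartext password; a stolen table dump must not yield working logins
    password varchar (255) not null,
    # TODO(author): the draft lists a second password column.  If it is the
    # "confirm password" form field it belongs in the PHP validation, not in
    # the database; if it is a previous password it needs the same hashing
    password2 varchar (255),
    auth_level tinyint unsigned not null default 0,
    email varchar (80),
    password_start_date date,
    password_status varchar (10),
    # TODO(author): "date ?????" in the draft - purpose still undecided
    date datetime,
    primary key (record_id),
    # logins are looked up by userid, and two accounts must not share one
    unique key auth_userid_uk (userid)
);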

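# a table to record the high level in the hierarchy
# of the award requirement, subrequirement chain
create table awards (
    record_id int unsigned not null auto_increment,
    name varchar (128), #the name of the award
    org_group int unsigned, # link to the group record (groups.record_id)
    # int(2) in the draft is only a display width (still a 4-byte int);
    # tinyint unsigned (0-255) is the honest range for an age
    max_age tinyint unsigned, # max age the award can be obtained
    min_age tinyint unsigned, # minimum age for award
    # TODO(author): "date ?????" in the draft - purpose still undecided
    date datetime,
    primary key (record_id)
);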

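# a table to record each completed award
# many awards to 1 people relationship
create table completed_awards (
    record_id int unsigned not null auto_increment,
    # foreign keys are assigned by the application, not auto_increment
    people_record_id int unsigned not null, # -> people.record_id
    award_record_id int unsigned not null, # -> awards.record_id
    # a real date instead of the draft's 'ddmmmyyyy' string, so it sorts,
    # compares and validates in the database
    date_completed date,
    # the draft's trailing comma before ')' is a syntax error in MySQL
    primary key (record_id),
    index completed_awards_people_record_id_idx (people_record_id)
);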

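# a table to record which image file relates to which person
# each file is a scanned image of the medical form
create table medical_form (
    record_id int unsigned not null auto_increment,
    # foreign keys are assigned by the application, not auto_increment
    people_record_id int unsigned not null, # -> people.record_id
    image_record_id int unsigned not null, # -> images.record_id
    # TODO(author): "date ?????" in the draft - purpose still undecided
    date datetime,
    primary key (record_id),
    index medical_form_people_record_id_idx (people_record_id)
);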

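# a table to record which image file relates to which person
# and event; each image is a scan of the completed doc
# many permissions to 1 person relationship
create table permission_form (
    record_id int unsigned not null auto_increment,
    # foreign keys are assigned by the application, not auto_increment
    people_record_id int unsigned not null, # -> people.record_id
    event_record_id int unsigned not null, # -> events.record_id
    image_record_id int unsigned not null, # -> images.record_id
    # TODO(author): "date ?????" in the draft - purpose still undecided
    date datetime,
    primary key (record_id),
    index permission_form_people_record_id_idx (people_record_id),
    index permission_form_event_record_id_idx (event_record_id)
);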

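# a table to relate people to pictures
# many to many relationship
create table picture_people (
    record_id int unsigned not null auto_increment,
    # foreign keys are assigned by the application, not auto_increment
    people_record_id int unsigned not null, # -> people.record_id
    picture_record_id int unsigned not null, # -> pictures.record_id
    primary key (record_id),
    # a junction row is meaningful only once per (person, picture) pair
    unique key picture_people_people_picture_uk (people_record_id, picture_record_id)
);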

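# a table to record each picture and metadata about the picture
create table pictures (
    record_id int unsigned not null auto_increment,
    # TODO(author): type marked "????" in the draft
    date_of_picture date,
    location varchar (80),
    description varchar (80),
    # path of the file as stored by the application.  Keep it relative to a
    # fixed picture directory and generate it server side when the upload is
    # saved; a value taken straight from a form field would let a request
    # point the web code at arbitrary files
    filename varchar (256),
    primary key (record_id)
);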

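# a table to record each scanned image/doc
# 1 people to many images relationship
create table images (
    record_id int unsigned not null auto_increment,
    # path of the scan as stored by the application; generated server side
    # under a fixed image directory, never taken from a form field
    filename varchar (256),
    # TODO(author): type marked "?????" in the draft
    image_date date,
    description varchar (80),
    # the draft's trailing comma before ')' is a syntax error in MySQL
    primary key (record_id)
);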

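# a table to record event information for calendaring
create table events (
    record_id int unsigned not null auto_increment,
    # TODO(author): types marked "????" in the draft
    event_start_date datetime,
    event_end_date datetime,
    description varchar (80),
    # 'group' is a reserved word in MySQL, so the draft's column would not
    # parse; named like the other foreign-key columns (-> groups.record_id)
    group_record_id int unsigned, # (miamaids, bears, scout, priest etc)
    primary key (record_id)
);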

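# organization table - 1 organization 1 record
create table orgs (
    record_id int unsigned not null auto_increment,
    name varchar (25),
    description varchar (80),
    abbrev varchar (8),
    # the draft's trailing comma before ')' is a syntax error in MySQL
    primary key (record_id)
);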

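#organization groups - a table of the various groups internal to an organization
#(youth(deacon,teacher,priest,scout,cub,varsity,venture,adult)
# column types are provisional - the draft listed only the names.  Note that
# newer MySQL releases reserve GROUPS as a keyword; on those the table name
# must be quoted with backticks or renamed
create table groups (
    # the draft opened the column list with '{' instead of '('
    record_id int unsigned not null auto_increment,
    organization_record_id int unsigned not null, # the record number of the org this group belongs to (orgs.record_id)
    name varchar (25), # name of the group
    begin_age tinyint unsigned,
    end_age tinyint unsigned,
    primary key (record_id),
    index groups_organization_record_id_idx (organization_record_id)
);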

#organization and people - many to many

# to be used for the importer/exporter (syncer)

record_id int (32) unsigned auto_increment,

org_record_id int (32) unsigned auto_increment,

person_record_id int (32) unsigned auto_increment,

membership_number

# journal

the person recording info

date info recorded

page

text - 1024 per page
