Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread Stuart Felenstein
Up front it sounds like a good option. However, my first thought is, entering another encrypted id just puts me back to the same problem. How easy would it be for someone to break the encryption algorithm ? My guess is that it would be easy. Stuart --- Jasper Howard <[EMAIL PROTECTED]> wrote:

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread Stuart Felenstein
See my response interspersed: --- M Saleh EG <[EMAIL PROTECTED]> wrote: > You should always avoid passing Record IDs through > URL parameters. > Use form Hidden fields instead! I agree. Even as someone with limited experience. That is why I'm trying to figure out the right way to do it. The r

[PHP-DB] session

2004-09-21 Thread balwantsingh
Excuse me, I know I am not putting my question in right mail forum but I trust that many of you can give me the right answer. Also request you to kindly give me email add. of mailing list where this type question should be put up. I am using session_cache_limiter("public"); in one of my webpages

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread M Saleh EG
1-So I'm going to ask, how does PHP stop a URL from being changed ? Are there specific functions that block that type of activity ? I said :" I personally don't recommend using url parameters for passing record ids, i'd rather use hidden inputs, sessions, or even cookies but never URI querystrin

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread John Holmes
From: "Stuart Felenstein" <[EMAIL PROTECTED]> --- M Saleh EG <[EMAIL PROTECTED]> wrote: You should always avoid passing Record IDs through URL parameters. Use form Hidden fields instead! Hidden form fields are still passed in the URL unless you're using a POST method for your form. It doesn't matt

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread Bastien Koert
Hi Guys Just to jump in here. I really need to disagree with any method of hiding the 'record id' How is hiding the record ID in the hidden input any safer than in the URL...simple answer: it isn't...it will prevent the unsophisticated user from changing the value, but it's not even a challenge to

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread Stuart Felenstein
See response interspersed: --- Bastien Koert <[EMAIL PROTECTED]> wrote: > To be entirely honest, there is no real reason not > to use the url to pass data, IF the data is not > sensitive. For sensitive data, sessions are the > best thing to use. Hidden fields are good only to > keep the users fr

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread M Saleh EG
I agree with John Holmes. It's all the matter of obfuscating in this case. The real deal & structure is to have a set of permission checking! This is where ACL comes into play. But I assume ur app is not that of a big one for u to make a set of permissions based actions and gui's. So statically ju

RE: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread Hutchins, Richard
It's really hard to tell what you mean by, "For whatever reason I can not use session only here. It does not return the correct record from the table. Maybe that doesn't make any sense." without looking at the code you have. However, the session does not, itself, actually return any of your data. T

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread Stuart Felenstein
ACL ?? Is that Account Control Language ? Maybe that is something I should use. Stuart --- M Saleh EG <[EMAIL PROTECTED]> wrote: > I agree with John Holmes. > It's all the matter of obfuscating in this case. > > The real deal & structure is to have a set of > permission checking! > This is w

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread John Holmes
From: "Stuart Felenstein" <[EMAIL PROTECTED]> For whatever reason I can not use session only here. It does not return the correct record from the table. Don't say that you cannot use sessions, just say that you haven't figured out how to correctly use them, yet. Maybe that doesn't make any sense.

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread Bastien Koert
Ok, so you can't store the record id in the session, no problem. Assuming you store the userid in a session, you can pass the record id in the hidden field. Then when retrieving the data, after validating the record_num How to validate: If you know that the record_is id only numeric, then check

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread John Holmes
From: "Bastien Koert" <[EMAIL PROTECTED]> You can also validate the IP of the user for the session. Since many people are still on dialup, they do not have a static IP and therefore it's of little value to store...but it should remain the same for the session. IP addresses are pretty much worthles

[PHP-DB] PHP - FOXPRO

2004-09-21 Thread Eduardo Cortés
HELLO FRIENDS   I NEED KNOW HOW CAN CONNECT PHP WITH A FREE TABLE IN FOXPRO   I HAVE ADODB FOR PHP, BUT I DON'T KNOW NOW PROGRAMER   PLEASE, HELP ME   I NEED CODE SAMPLE   Sincerely: Eduardo Cortés C., Computer Engineer

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread Stuart Felenstein
--- John Holmes <[EMAIL PROTECTED]> wrote: > From: "Stuart Felenstein" <[EMAIL PROTECTED]> > > For whatever reason I can not use session only > here. > > It does not return the correct record from the > table. > > Don't say that you cannot use sessions, just say > that you haven't figured > out

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread Bastien Koert
When I > request "update.php?recordID=2", you should be doing > something like "SELECT > * FROM Record_Table WHERE recordID = 2 AND userID = > 3", which will not > return any rows. Okay that makes sense I will try that. Though I'd imagine the SQL will need to be different since I could be dealing

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread Bastien Koert
That's why I said CAN, since it is unreliable Bastien From: "John Holmes" <[EMAIL PROTECTED]> To: "Bastien Koert" <[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,<[EMAIL PROTECTED]> CC: <[EMAIL PROTECTED]>,<[EMAIL PROTECTED]> Subject: Re: [PHP-DB] Passing URL parameters, how to hide Date: Tue, 21 Sep 2004

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread John Holmes
From: "Bastien Koert" <[EMAIL PROTECTED]> You can also validate the IP of the user for the session. Since many people are still on dialup, they do not have a static IP and therefore it's of little value to store...but it should remain the same for the session. IP addresses are pretty much worthle

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread Stuart Felenstein
So what I did was this statement: SELECT * FROM Table WHERE RecordID = blue and UserID = red blue is the variable for the recordID red is the variable for the userID So now when I change either of those variables in URL no record is returned. Did I finally get this right ? Stuart --- Bast

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread John Holmes
From: "Stuart Felenstein" <[EMAIL PROTECTED]> So what I did was this statement: SELECT * FROM Table WHERE RecordID = blue and UserID = red blue is the variable for the recordID red is the variable for the userID So now when I change either of those variables in URL no record is returned. Did I fin

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread Bastien Koert
Sounds about right...I would use the session variable for the user name so that is not even present...but that is the result that you want... Bastien From: Stuart Felenstein <[EMAIL PROTECTED]> To: Bastien Koert <[EMAIL PROTECTED]>, [EMAIL PROTECTED], [EMAIL PROTECTED] CC: [EMAIL PROTECTED], [

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread Stuart Felenstein
Nope, can't get to any other record. One would have to match both userid and recordID to get a hit. Perhaps now I should put this into a form and send it via hidden fields , for another layer of protection. Stuart --- John Holmes <[EMAIL PROTECTED]> wrote: > From: "Stuart Felenstein" <[EMAIL P

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread Bastien Koert
No, No, NO! The user id should not be in the hidden elements in the form. You need to store that in a session variable for the duration of that user's session. Otherwise they can try to hack by changing the combination until they hit another valid record. Bastien From: Stuart Felenstein <[EMAIL

[PHP-DB] Re: PHP - FOXPRO

2004-09-21 Thread Stefan Reimers
The following excerpt is a result found on the internet. I am not the author of that text, but as it might help, here you go: >Here's the first part: > >http://php.weblogs.com/com_php > >Using COM from PHP to get to the ADO object model. ADO is an >abstraction of OLE DB functionality. > >The second

Re: [PHP-DB] Finding the value of the COMMENT in a table column

2004-09-21 Thread Georg Richter
> Hi all, > > Anyone know how to access the optional COMMENT you can add to columns > during table creation? > If you don't expect 20 different answers for 20 different databases you should be more specific. Nobody knows which database do you use. /Georg -- PHP Database Mailing List (http://

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread jasper
the encryption is random, there is no algorithm to break it, I'm not going to argue against any of the other problems with this system, but no one is going to be able to break this algorithm, it's 14 characters of lowercase and upper case letters and numbers, in random order. -

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread Stuart Felenstein
--- M Saleh EG <[EMAIL PROTECTED]> wrote: > Ur 2nd question.. Okay .. how would u use the hidden > inputs? with > hidden inputs.. I mean the form hidden elements > ( name="id" value="recordID" />) so instead of having > hyperlinks > pointing to the form page use a form with submit > btns that pos

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread Stuart Felenstein
Okay, I can make that change. Stuart --- Bastien Koert <[EMAIL PROTECTED]> wrote: > > No, No, NO! > > The user id should not be in the hidden elements in > the form. > > You need to store that in a session variable for the > duration of that user's > session. Otherwise they can try to hack by

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread Stuart Felenstein
are you using native encryption from the database ? Stuart --- [EMAIL PROTECTED] wrote: > the encryption is random, there is no algorithm to > break it, I'm not going > to argue against any of the other problems with this > system, but no one is > going to be able to break this algorithm, it's 14

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread John Holmes
From: <[EMAIL PROTECTED]> the encryption is random, there is no algorithm to break it, I'm not going to argue against any of the other problems with this system, but no one is going to be able to break this algorithm, it's 14 characters of lowercase and upper case letters and numbers, in random ord

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread John Holmes
From: "Stuart Felenstein" <[EMAIL PROTECTED]> I still want to pass the id's through hidden. So the html in the first form looks like this: Form is set to post. Why would you pass UserID in the form when you turn around and pull it from the session in your code? It's a waste. Also, with the abov

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread Jasper Howard
Ok guys, I think you're beating a dead horse, the idea is understood, and there are quite a few ways to do what is needed, there have been like 30 posts on this... On Tue, 21 Sep 2004 14:12:43 -0400, John Holmes <[EMAIL PROTECTED]> wrote: > From: "Stuart Felenstein" <[EMAIL PROTECTED]> > > > I s

[PHP-DB] Grant Privileges on Postgres

2004-09-21 Thread Norma Ramirez
Hi all, I run this instruction on Postgres psql tool: grant all privileges on database test to newuser; The goal is to give all privileges to newuser(user that is not a superuser) on test, the owner is postgres but I need to give this other user privileges. The problem is, after run this instructio

[PHP-DB] Where can I download the php_oci8.dll and ph_oracle.dll ?

2004-09-21 Thread Saeid Banaei
Hi, I am trying to use the PHP in windows, IIS environment to access an Oracle database. I need to have the php_oci8.dll and php_oracle.dll modules. From where should download them ? Please help!!! Thanks,

RE: [PHP-DB] Where can I download the php_oci8.dll and ph_oracle.dll ?

2004-09-21 Thread Bastien Koert
they are in the extensions folder in the php folder. From: "Saeid Banaei" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Subject: [PHP-DB] Where can I download the php_oci8.dll and ph_oracle.dll ? Date: Tue, 21 Sep 2004 14:30:10 -0400 Hi, I am trying to use the PHP in windows, IIS environment to acce