John Campbell wrote:
That makes sense to me, I have never considered using eleventy
thousand views.  Is managing all of those views a problem?  Do you
create the views on the fly, or are they "fixed" when you create the
new user account?  How do you alter the views?

no no no no no no no.

If the server supports row-level security, all users access the table itself. User A, with full powers, says:

SELECT * FROM examples

and sees:

COLUMN 1     |   COLUMN 2    |   USER_ID
-------------+---------------+--------------
Value xxxx   |  Value zzzz   |  Joe
abc-123      |  xyz-abc      |  Joe
tuscon       |  texas        |  Mary

When user Joe comes along, he issues exactly the same query, but he sees this:

COLUMN 1     |   COLUMN 2    |   USER_ID
-------------+---------------+--------------
Value xxxx   |  Value zzzz   |  Joe
abc-123      |  xyz-abc      |  Joe


The column-level is the same. Let's say Joe was not allowed to see Column 2. So Joe says:

SELECT * FROM examples

he gets as his result:

COLUMN 1     |    USER_ID
-------------+--------------
Value xxxx   |    Joe
abc-123      |    Joe


You also need to know something about the concept of security roles or groups. Joe is a member of a group, perhaps named "public", and the security assignment is made to the group, not to the user. The sad fact is that most servers do not support this directly, so you fake it out by creating one view per meaningful security definition. In the most complicated Andromeda app a particular table has 4 different views for 200 users. The framework then asks the server which view a particular user should use. That particular view gives the effects described above. If they try to use a different view they are denied access.


_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php


--
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010
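
The view-per-group arrangement described in the message above, as an added example that is not part of the original post and is not Andromeda's own code. It assumes PostgreSQL; the role names (grp_full, grp_public, user_a, joe) and view names (examples_full, examples_public) are hypothetical.

```sql
-- Added example. PostgreSQL syntax assumed; role and view names are hypothetical.
CREATE TABLE examples (
    column_1 text,
    column_2 text,
    user_id  text NOT NULL          -- owning role name (stored lowercase here)
);
INSERT INTO examples VALUES         -- constructed rows mirroring the message
    ('Value xxxx', 'Value zzzz', 'joe'),
    ('abc-123',    'xyz-abc',    'joe'),
    ('tuscon',     'texas',      'mary');

-- Privileges attach to groups; users only inherit them through membership.
CREATE ROLE grp_full   NOLOGIN;
CREATE ROLE grp_public NOLOGIN;
CREATE ROLE user_a LOGIN IN ROLE grp_full;
CREATE ROLE joe    LOGIN IN ROLE grp_public;

-- No group gets any privilege on the base table itself.
REVOKE ALL ON examples FROM PUBLIC;

-- One view per meaningful security definition.
CREATE VIEW examples_full AS
    SELECT column_1, column_2, user_id FROM examples;

-- security_barrier stops the planner from running caller-supplied
-- functions against rows before the WHERE filter has removed them.
CREATE VIEW examples_public WITH (security_barrier) AS
    SELECT column_1, user_id            -- column_2 is withheld
    FROM examples
    WHERE user_id = current_user;       -- only the caller's own rows

GRANT SELECT ON examples_full   TO grp_full;
GRANT SELECT ON examples_public TO grp_public;

-- What a framework could ask the server: which view may this user read?
SET ROLE joe;
SELECT c.relname AS usable_view
FROM pg_class c
WHERE c.relkind = 'v'
  AND c.relname IN ('examples_full', 'examples_public')
  AND has_table_privilege(current_user, c.oid, 'SELECT');

SELECT * FROM examples_public;  -- permitted through grp_public
SELECT * FROM examples_full;    -- refused: no grant reaches joe
SELECT * FROM examples;         -- refused: base table is closed to every group
RESET ROLE;
```

The views read the base table with their owner's privileges, which is why the groups need no grant on examples itself; current_user inside the view still resolves to the caller.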
