Updating a DB record through a website
Posted 18 November 2011 - 01:09 AM
I put it in this part of the forum since I don't think this question is specific to php/java/.net/any server side languages.
When having something like this, the process is pretty simple, really.
User browses to edit-page. Server gets request, server goes to the database to pick up the correct record (PK comes out
of request - be it queryString or POST attribute) server gets the edit-page, fills up the inputFields with the data from
the record, and returns that page.
Concrete example: DB table: USER : name(PK), address, password (<-- let's have it plain text for simplicity )
So I go to the editUser page and I get a page returned from the server with record info: Wim DC, Belgium, secret (I know, passwords aren't usually sent back).
With inputFields for all of this data, apart from the name which is not editable.
Here comes the problem. When the server then receives a POST request back to update the record, how can I know at the
server side that this user is not trying to update another record?
For example: if I know another user exists, say "Roger", nothing prevents me from sending a request to the server with
name parameter "Roger" - I would just be able to change someone's password.
Assume for editing the user is logged in.
* Do I NEED to store in the user's session which record he's updating as he enters the editing page?
So as soon as the server receives a request to pick up the edit page, the server will store the PK in the user's session.
And if the update data sends another name in the session, I can first check whether this user may or may not do this.
* Is there any way to not use a session for this? Maybe send a hash of the PK to the client, expect it back on the
server for updating?
* Is there a name of this "issue"? Google for 'secure edit record page' wasn't quite helpful.
Any comments on my 2 solutions, which I think are possible, are very much appreciated. Or if you have another technique...
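As an added illustration (not code from this thread), here is a small Python sketch of the two options the post lists: pinning the PK in the session when the edit page is served, and handing the client a keyed hash of the PK that must come back with the update. The `USERS` dictionary mirrors the post's USER table with constructed values, and `SERVER_KEY`, `serve_edit_page` and `handle_update` are assumed names for a hypothetical framework-free handler.

```python
"""Server-side ownership check for an 'edit my record' page (added example)."""
import hashlib
import hmac
import secrets

# Constructed sample data mirroring the USER table from the post: name is the PK.
USERS = {
    "Wim DC": {"address": "Belgium", "password": "secret"},
    "Roger": {"address": "Elsewhere", "password": "hunter2"},
}

# Assumed server-only key for signing record references; never sent to the client.
SERVER_KEY = secrets.token_bytes(32)


class NotAuthorized(Exception):
    """Raised when the request tries to touch a record the user does not own."""


def sign_reference(user, pk):
    """Option 2 from the post: a keyed hash of the PK, here also bound to the
    logged-in user so a reference minted for one account is useless from another."""
    msg = f"{user}\0{pk}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def serve_edit_page(session, pk):
    """GET handler: look up the record, pin the PK in the session (option 1),
    and give the form a signed reference (option 2). The password is not echoed."""
    user = session.get("user")
    if user is None or user != pk:
        raise NotAuthorized("edit page requested for a record the user does not own")
    record = USERS[pk]
    session["editing"] = pk
    return {"name": pk, "address": record["address"], "ref": sign_reference(user, pk)}


def handle_update(session, form):
    """POST handler: the 'name' field is client-supplied and therefore untrusted.
    Every check compares it against server-side state, never against itself."""
    user = session.get("user")
    pk = form.get("name", "")
    if user is None:
        raise NotAuthorized("not logged in")
    # The decisive check: the authenticated identity must own the target record.
    if pk != user:
        raise NotAuthorized(f"{user!r} may not update {pk!r}")
    # Option 1: the PK must match what was pinned when the edit page was served.
    if session.get("editing") != pk:
        raise NotAuthorized("update does not match the record being edited")
    # Option 2: the signed reference must verify (constant-time comparison).
    if not hmac.compare_digest(sign_reference(user, pk), form.get("ref", "")):
        raise NotAuthorized("bad record reference")
    record = USERS[pk]
    record["address"] = form.get("address", record["address"])
    if form.get("password"):
        record["password"] = form["password"]
    session.pop("editing", None)
    return dict(record)


def demo():
    """Walk through the post's scenario: Wim edits his own record, then resubmits
    the form with name=Roger. Returns (own_update_ok, roger_update_blocked)."""
    session = {"user": "Wim DC"}
    page = serve_edit_page(session, "Wim DC")
    updated = handle_update(session, {"name": page["name"], "ref": page["ref"],
                                      "address": "Antwerp, Belgium"})
    own_ok = updated["address"] == "Antwerp, Belgium"
    # Re-open the edit page, then tamper with the name field before posting.
    page = serve_edit_page(session, "Wim DC")
    try:
        handle_update(session, {"name": "Roger", "ref": page["ref"], "password": "x"})
        roger_blocked = False
    except NotAuthorized:
        roger_blocked = USERS["Roger"]["password"] == "hunter2"
    return own_ok, roger_blocked


if __name__ == "__main__":
    print(demo())
```

Two points the sketch makes that the prose alone does not: a plain unkeyed hash of the PK would not help, because anyone can compute the hash of "Roger" themselves, so the reference has to be keyed with a server secret and bound to the logged-in user; and both the session pin and the signed reference are secondary to the ownership comparison between the authenticated user and the record being written, which is the check that actually decides the question.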
Posted 20 June 2012 - 02:14 PM
Or just a record update according to a username (from a TextBox, for example)?
If it's the 2nd option, are you after login, or before?
--Edit: Or maybe you refer to an external http request?
Posted 21 June 2012 - 04:08 AM
In that case you might send, as a parameter, some kind of record ID, not the PK (I don't like that), but if the record has any timestamp, or a DATETIME field that you can convert to a timestamp and then mask a little so it isn't obvious,
for example use an extra param like, I dunno, caster= and use as its value the birthdate as a timestamp plus some obfuscation, and in the saving routine check that the stored value of the birthdate field of the record you want to update is equal to the caster parameter (that you send back), so if it checks out you do the update.
Remember that this suggestion is in regard to not using sessions, logins, etc.; you can always manage things better by applying security based on sessions.