Jump to content


Check out our Community Blogs

Register and join over 40,000 other developers!


Recent Status Updates

View All Updates

Photo
- - - - -

Updating a DB record through a website


  • Please log in to reply
2 replies to this topic

#1 wim DC

wim DC

    Roar

  • Expert Member
  • PipPipPipPipPipPipPipPip
  • 2681 posts
  • Programming Language:Java, JavaScript, PL/SQL
  • Learning:Python

Posted 18 November 2011 - 01:09 AM

Hi there, simple situation: Updating a record in a database trough a webpage.
I put it in this part of the forum since I don't think this question is specific to php/java/.net/any server side languages.


When having something like this, the process is pretty simple, really.
User browses to edit-page. Server gets request, server goes to the database to pick up the correct record (PK comes out
of request - be it queryString or POST attribute) server gets the edit-page, fills up the inputFields with the data from
the record, and returns that page.


Concrete example: DB table: USER : name(PK), address, password (<-- let's have it plain text for simplicity :D)
So I go to the editUser page and I get a page returned from the server with record info: Wim DC, Belgium, secret(I know, passwords aren't usually send back).
With inputFields for all of this data, apart from the name which is not editable.


Here comes the problem. When the server then receives a POST request back to update the record, how can I know at the
server side that this user is not trying to update another record?
For example: if I know another user exists, say "Roger", nothing prevents me from sending a request to the server with
name parameter "Roger" - I would just be able to change someone's password.


Assume for editing the user is logged in.


* Do I NEED to store in the user's session which record he's updating as he enters the editing page?
So as soon as the server receives a request to pick up the edit page, the server will store the PK in the user's session.
And if the update data sends another name in the session, I can first check whether this user may or may not do this.
* Is there any way to not use a session for this? Maybe send a hash of the PK to the client, expect it back on the
server for updating?
* Is there a name of this "issue"? Google for 'secure edit record page' wasn't quite helpful.


Any comments on my 2 , which I think are possible, solutions are very much appreciated. Or if you have another technique...
  • 0

#2 Yonatan

Yonatan

    CC Regular

  • Member
  • PipPipPip
  • 37 posts
  • Location:Israel
  • Programming Language:C, Java, C++, C#, JavaScript, PL/SQL, Visual Basic .NET
  • Learning:Python, JavaScript

Posted 20 June 2012 - 02:14 PM

Do you mean something like SQL-Injection?

Or just a record update according to a username (from a TextBox f.e)?

If its the 2nd option, are you after login? or before?

--Edit: Or maybe you refer to an external http request?
  • 0

#3 BlackRabbit

BlackRabbit

    CodeCall Legend

  • Expert Member
  • PipPipPipPipPipPipPipPip
  • 3871 posts
  • Location:Argentina
  • Programming Language:C, C++, C#, PHP, JavaScript, Transact-SQL, Bash, Others
  • Learning:Java, Others

Posted 21 June 2012 - 04:08 AM

There is many cases, i will focus on creativity and that you don't want to use sessions

in that case you might send, as a parameter, some kind of record ID, not PK, i don't like that, but if the record has any timestamp, or a DATETIME field that you can convert to to timestamp and then mask it a little for not being obvious,
for example use and extra param like , i dunno, caster= and use as value birthdate as timestamp plus some ofuscation as the value, and in the saving routine check that the stored value for birthdate field of the record you want to update is equal to the caster parameter (that you send back) so if it checks you do the update

remember that suggestion is in regards of not using sessions, logins, etc, you can always manage things better applying the security based on sessions.
  • 0




Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download