Updating a DB record through a website


#1
wim DC

Hi there, simple situation: updating a record in a database through a webpage.
I put it in this part of the forum since I don't think this question is specific to PHP/Java/.NET/any server-side language.


When having something like this, the process is pretty simple, really.
The user browses to the edit page. The server gets the request, goes to the database to pick up the correct record (the PK comes out
of the request, be it a query string or a POST attribute), gets the edit page, fills up the input fields with the data from
the record, and returns that page.


Concrete example: DB table USER: name (PK), address, password (<-- let's have it in plain text for simplicity :D)
So I go to the editUser page and I get a page returned from the server with the record info: Wim DC, Belgium, secret (I know, passwords aren't usually sent back).
With input fields for all of this data, apart from the name, which is not editable.


Here comes the problem. When the server then receives a POST request back to update the record, how can I know on the
server side that this user is not trying to update another record?
For example: if I know another user exists, say "Roger", nothing prevents me from sending a request to the server with
the name parameter "Roger". I would just be able to change someone else's password.


Assume that for editing the user is logged in.


* Do I NEED to store in the user's session which record he's updating as he enters the editing page?
So as soon as the server receives a request to pick up the edit page, the server stores the PK in the user's session.
And if the update data sends another name than the one in the session, I can first check whether this user may or may not do this.
* Is there any way to not use a session for this? Maybe send a hash of the PK to the client and expect it back on the
server for updating?
* Is there a name for this "issue"? Googling for 'secure edit record page' wasn't quite helpful.


Any comments on my 2 solutions, which I think are possible, are very much appreciated. Or if you have another technique...
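Both approaches floated in the post, as an added example that is not the poster's code: in the first, the record PK is taken from the authenticated session and any name in the POST body is ignored; in the second, a keyed MAC over (logged-in user, PK) stands in for the proposed plain hash, because an unkeyed hash of "Roger" is something anyone can compute. The USERS table, SERVER_KEY and all function names are constructed for this example.

```python
import hmac
import hashlib
import secrets

# Constructed stand-in for the USER table from the post: name is the PK.
USERS = {
    "Wim DC": {"address": "Belgium", "password": "secret"},
    "Roger": {"address": "France", "password": "hunter2"},
}

# Hypothetical server-only key for the token variant; it is never sent to clients.
SERVER_KEY = secrets.token_bytes(32)


def update_from_session(session, form):
    """Variant 1: the PK comes from the authenticated session, not the POST body.

    Any 'name' field the client sends is ignored, so a forged name cannot
    select another row. Returns the name of the record actually updated.
    """
    name = session["user"]  # set by the server at login
    record = USERS[name]
    record["address"] = form["address"]
    record["password"] = form["password"]
    return name


def issue_edit_token(session_user, pk):
    """Variant 2: when rendering the edit page, embed a keyed MAC binding the
    record PK to the logged-in user. Without SERVER_KEY nobody can mint a
    valid token, and a token minted in one user's session fails in another."""
    msg = f"{session_user}\x00{pk}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def update_with_token(session, form):
    """Verify the token before touching any row. Returns the updated PK, or
    None when the request names a record no token was issued for in this
    session. The authorization decision was made when the token was minted,
    so a valid token means this user was shown the edit page for this pk."""
    pk = form["name"]
    expected = issue_edit_token(session["user"], pk)
    if not hmac.compare_digest(expected, form["token"]):
        return None
    record = USERS[pk]
    record["address"] = form["address"]
    record["password"] = form["password"]
    return pk
```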



