Gossamer Forum (DBMan : Customization)

Security risk in hidden fields?
I have several hidden fields as part of the add and modify forms for users with add/mod permissions. I don't want them to have access to them, but they're there because that seems to be the only way I can a) pass the default value for the field into the record, or b) have the add/modify validate when the db.cfg specifies 'not null' for that field.

I'm wondering if there's the risk the user could pass values for those fields via the url.

Thanks.
-Brian
Re: Security risk in hidden fields?
Well, anyone could "access" data by adding arguments in the query string and add values that are the opposite of the ones in the hidden fields. To ensure that your database file does not become corrupted, you should add a few sub-routines to your db.cgi file that check your domain before allowing people to access the add, modify, and delete forms. If you want the code, let me know.

Regards,

------------------
Eliot Lee
Founder and Editor
Anthro TECH, L.L.C
http://www.anthrotech.com/
info@anthrotech.com
==========================
Coconino Community College
http://www.coco.cc.az.us/
Web Technology
Coordinator
elee@coco.cc.az.us
Re: Security risk in hidden fields?
Actually this db won't be accessible to the general public; it will be password-protected. However, there is the small chance that someone who does have access could alter the hidden field in their own record and thereby affect, in this case, the amount paid to date. I'm just trying to get a sense of how likely or unlikely it would be that an unscrupulous but savvy person could do this.

Or, better yet, is there a way to limit modifications to specific fields, yet have the values of those fields display (along with any default values) to the user? The way I'm doing this now is to have the html_record_form display some fields as hidden or not based on whether there are admin permissions. The default permissions allow modification, however, and I like having the restricted fields displayed to the default user in the html_record. Do I make sense?
Thanks for the response.

[This message has been edited by bboru (edited October 12, 1999).]
Re: Security risk in hidden fields?
You could add code to sub modify_record which would prevent new data from overwriting old data in certain fields. Then it wouldn't matter if someone had gone through a "back door" to change a hidden field.


------------------
JPD
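As an added example (not code from the thread or from DBMan itself), the stand-alone Perl script below shows both halves of the discussion: that a hidden field is just another key=value pair the server cannot distinguish from one typed into the URL, and the kind of server-side check JPD describes, where protected fields keep their stored value unless the caller has admin permission. The field names (PaidToDate, Status, MemberSince), the %PROTECTED and %DEFAULTS hashes, the helper names and the demo records are all assumptions for illustration; the script does not use DBMan's internal variables or its permission handling.

```perl
#!/usr/bin/perl
# Added example, not DBMan's own code. Shows why a hidden field cannot be
# trusted and how to enforce per-field modify permission on the server.
use strict;
use warnings;

# Assumed field names. A non-admin user must never change these, no matter
# what the submitted form (or a hand-built query string) contains.
my %PROTECTED = map { $_ => 1 } qw(PaidToDate Status MemberSince);

# Assumed defaults for a new record; these replace the hidden fields that
# used to carry the default value through the add form.
my %DEFAULTS = (PaidToDate => '0.00', Status => 'active', MemberSince => '1999-10-12');

# Decode a query string (or urlencoded POST body) into a hash. This is all
# the server ever sees: it cannot tell whether a pair came from a hidden
# <input> or was appended to the URL by hand.
sub parse_query {
    my ($qs) = @_;
    $qs = '' unless defined $qs;
    my %in;
    for my $pair (split /&/, $qs) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && length $k;
        $v = '' unless defined $v;
        for ($k, $v) {
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        }
        $in{$k} = $v;
    }
    return \%in;
}

# Merge submitted values into the stored record. Protected fields keep the
# stored value unless the caller has admin permission, so a tampered hidden
# field is silently ignored for ordinary users.
sub merge_record {
    my ($old, $in, $is_admin) = @_;
    my %new = %$old;
    for my $field (keys %$in) {
        next if $PROTECTED{$field} && !$is_admin;
        $new{$field} = $in->{$field};
    }
    return \%new;
}

# For an add, start from the defaults instead of a stored record; the same
# rule then stops a user from pre-loading a protected field, and the
# defaults satisfy a 'not null' column without any hidden field on the form.
sub new_record {
    my ($in, $is_admin) = @_;
    return merge_record(\%DEFAULTS, $in, $is_admin);
}

# --- constructed demo input (not real data) ---
my %stored = (ID => 7, Name => 'Brian', PaidToDate => '120.00',
              Status => 'active', MemberSince => '1998-01-05');

# The modify form as sent by a user who edited the hidden PaidToDate field,
# which is exactly what appending &PaidToDate=999999.00 to the URL would do.
my $tampered = parse_query('ID=7&Name=Brian+O%27Neill&PaidToDate=999999.00&Status=paid');

for my $who ([user => 0], [admin => 1]) {
    my ($label, $is_admin) = @$who;
    my $rec = merge_record(\%stored, $tampered, $is_admin);
    printf "%-5s modify: Name=%s PaidToDate=%s Status=%s\n",
        $label, $rec->{Name}, $rec->{PaidToDate}, $rec->{Status};
}

# An add where the user tries to pre-load a protected field.
my $added = new_record(parse_query('Name=Mallory&PaidToDate=5000.00'), 0);
printf "user  add   : Name=%s PaidToDate=%s Status=%s\n",
    $added->{Name}, $added->{PaidToDate}, $added->{Status};
```

Run it with `perl hidden_fields.pl`. The point is that the check lives in the code path that writes the record, not in the form: whatever fields the form hides, shows, or leaves out, the record only changes where the permission allows, so the restricted fields can be displayed read-only to ordinary users without any risk from a rewritten request. A check on the Referer or domain, by contrast, only inspects a header the client sends and can set to anything, so it is not a substitute for this kind of server-side rule.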