php3-list | 2000051
Date: 05/10/00
- Next message: Alex Black: "[PHP3] update on oracle problem (still there and stranger...)"
- Previous message: Minh Nguyen Van: "[PHP3] SUM in query"
- In reply to: Jason: "[PHP3] security for admin pages...."
- Next in thread: Richard Lynch: "Re: [PHP3] security for admin pages...."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Well gosh...
That's what I do for a living ;)-
Basically you do NOT want to store anything in a cookie
OTHER than a "session id".
Use the session id to lookup the "session" in the database
and get the parameters out of there.
The session table should contain some notion like this:
1. session id
2. remote IP address - better have this one... - set UPON login
3. expires
4. golf company
5. whatever
Whenever the ADD/UPDATE/DELETE function is called it:
1. gets the user's cookie with the session ID
2. looks up the session
3. goes about its business constrained by the session parameters
Cool ?
THX
-AEF
On Wed, 10 May 2000, you wrote:
> hi all
> we are currently in the process of putting together a golf directory site
> with various other bits and pieces.....i am constructing the site with
> php/mySQL/apache combo and would like to find out more about what i think
> could be a security issue.
> what we want to do is to allow all the golf courses (we have a database of
> about 3000) to have access to the database only for their course
> and be able to change their details live on the web rather than emailing us
> the details and us having to do it manually!
> now the admin page is easy but what i'm not sure of is the way to make sure
> that they don't go and delete everyone else's entries while they are in
> there...which i think i can do by getting them to sign in with their club
> name the first time they come to our page and then create a password from
> the name of their club perhaps and then writing a cookie that will make sure
> when they come back that password will only allow them to make changes to
> their own info in the database.
> of course i suppose you could delete the entries one by one by deleting the
> cookies and going back in and deleting the clubs one by one??
> our competitors are still doing things manually so i think it would be great to
> have this option but do not want to breach the security of the db.
> does anyone have some suggestions pls :-)
> thanks
>
> jason
>
> Regards
> Jason Savidge
> IT Manager
> One Stop Entertainment
> Brisbane Australia
> www.onestopent.com.au
>
> --
> PHP 3 Mailing List <http://www.php.net/>
> To unsubscribe, send an empty message to php3-unsubscribe <email protected>
> To subscribe to the digest, e-mail: php3-digest-subscribe <email protected>
> To search the mailing list archive, go to: http://www.php.net/mailsearch.php3
> To contact the list administrators, e-mail: php-list-admin <email protected>
-- "If you think the Universe is big, you should see the source code..." -Frank & Ernest
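The lookup-then-constrain pattern AEF describes, written out as an added example (not code from the post or from the list). It assumes a PDO/MySQL connection, hypothetical `sessions` and `courses` tables with the columns named in the comments, and a cookie called `sid` that holds nothing but the session id.

```php
<?php
// Added example (not from the post): server-side session lookup that
// constrains an UPDATE to the club recorded in the session, as AEF describes.
// Assumed (hypothetical) schema: sessions(id, remote_ip, expires, club_id)
// and courses(id, club_id, name, phone); cookie name `sid` is also assumed.

function loadSession(PDO $db, string $sessionId, string $remoteIp): ?array
{
    // Look the session up by the opaque id from the cookie; nothing else
    // in the cookie is trusted.
    $stmt = $db->prepare('SELECT club_id, remote_ip, expires FROM sessions WHERE id = :id');
    $stmt->execute([':id' => $sessionId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                          // unknown session id
    }
    if ($row['remote_ip'] !== $remoteIp || strtotime($row['expires']) < time()) {
        return null;                          // IP bound at login differs, or expired
    }
    return $row;
}

function updateCourse(PDO $db, array $session, int $courseId, string $name, string $phone): bool
{
    // club_id comes from the session row, never from the request, so the
    // WHERE clause lets a club change only the rows it owns.
    $stmt = $db->prepare('UPDATE courses SET name = :name, phone = :phone
                           WHERE id = :id AND club_id = :club');
    $stmt->execute([':name' => $name, ':phone' => $phone,
                    ':id' => $courseId, ':club' => $session['club_id']]);
    return $stmt->rowCount() === 1;           // 0 rows: not this club's course
}

// Request handling: the only value read from the cookie is the session id.
// FOUND_ROWS makes rowCount() report matched rows even when nothing changed.
$db = new PDO('mysql:host=localhost;dbname=golf', 'user', 'pass',   // placeholder DSN
              [PDO::MYSQL_ATTR_FOUND_ROWS => true]);
$session = loadSession($db, $_COOKIE['sid'] ?? '', $_SERVER['REMOTE_ADDR'] ?? '');
if ($session === null) {
    http_response_code(403);
    exit('Please log in again.');
}
$ok = updateCourse($db, $session, (int) ($_POST['course_id'] ?? 0),
                   (string) ($_POST['name'] ?? ''), (string) ($_POST['phone'] ?? ''));
echo $ok ? 'Updated.' : 'No such course for your club.';
```

The same `club_id = :club` predicate goes on the DELETE and on the SELECT that fills the edit form, so a club never even sees another club's rows.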