Posted by Rik on 11/07/20 11:45
Oli Filth wrote:
>>>>> The problem is if I'm a nasty guy I just write my own form and
>>>>> delete any record I want (since I'm auth'd) by just sending
>>>>> another id.
>>>> in your database, add a column called "keystring" and index it.
>>>> populate
>>>> it with 18 characters or so (write a PHP function that does this
>>>> at the same time you enter the info in the database). So, this
>>>> 'keystring' for record 1 might be '9jfhdsufs8ywre' while record 2
>>>> might be 'agsadgiwqegiqw'.
>>> It's the idea I have, but I need to find a way to do this with an
>>> absolutely unique "keystring" (md5*/sha1??) to avoid duplicates (may
>>> be extremely rare, but this is the kind of bug you don't want to
>>> hunt one day ;-) ...)
>> You could define the keystring column as a unique index. If on your
>> first insert you get back an error (implying a duplicate), then you
>> can just modify the keystring and insert again. Repeat until
>> success!
>>
>> Of course, if this is the method you go for, then using some sort of
>> hash is redundant; you might as well just generate random integers or
>> strings of a suitable length.
> Integers are probably better, because it will take less work for the
> DB to index them.
Instead of trying again and again to insert the record (although it would be
rare to have duplicates, depending on length), why not combine an
autoincremented index & a key/hash/whatever? On deletion, both would have to
be given: duplicate keys are not a problem, because indexes are guaranteed
unique... Less time in script, but whether it's faster in the DB I have no
idea: you've got a nice small integer as unique number which can be found
very quickly, but you'd have to check 2 fields....
DELETE FROM table WHERE
id=some_validated_input AND
key=other_validated_input
Advantages are that every insertion works, "key"-length can be considerably
shorter (unless you're afraid of brute-force attacks..) and the unique
index/primary key has a logical value.
Grtz,
--
Rik Wasmus
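The scheme Rik describes (autoincrement id plus a per-record random key, delete only when both match), as an added example that is not code from the thread; it assumes Python's sqlite3 and secrets modules and a constructed `records` table:

```python
import secrets
import sqlite3

KEY_BYTES = 16  # 32 hex chars: the key need not be unique, only unguessable


def open_db() -> sqlite3.Connection:
    """Constructed table: autoincrement id (unique) plus a random keystring."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records ("
        "  id INTEGER PRIMARY KEY AUTOINCREMENT,"
        "  keystring TEXT NOT NULL,"
        "  body TEXT NOT NULL)"
    )
    return conn


def insert_record(conn: sqlite3.Connection, body: str) -> tuple[int, str]:
    """Insert always succeeds: the id is unique on its own, so a duplicate
    keystring is harmless. Returns (id, keystring) for the delete form."""
    key = secrets.token_hex(KEY_BYTES)
    cur = conn.execute(
        "INSERT INTO records (keystring, body) VALUES (?, ?)", (key, body)
    )
    conn.commit()
    return cur.lastrowid, key


def delete_record(conn: sqlite3.Connection, record_id: int, key: str) -> int:
    """Delete only when id AND keystring both match; returns rows deleted.
    Both values arrive from the form, so they are bound as parameters,
    never interpolated into the SQL string."""
    cur = conn.execute(
        "DELETE FROM records WHERE id = ? AND keystring = ?", (record_id, key)
    )
    conn.commit()
    return cur.rowcount


def demo() -> tuple[int, int]:
    """Constructed scenario: a forged form sends the right id with a guessed
    key, then the real form sends the right pair. Returns rows deleted each time."""
    conn = open_db()
    rid, key = insert_record(conn, "a note")
    forged = delete_record(conn, rid, "0" * (2 * KEY_BYTES))  # wrong key
    legit = delete_record(conn, rid, key)
    return forged, legit
```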