Posted by Jerry Stuckle on 03/12/07 04:26
dino d. wrote:
>> But the question begs - why worry about exposing the id? It's only an
>> identifier to a row, and should not have any meaning of its own. If
>> you're trying to obscure it for security reasons, it won't work.
>> Obscurity is no security. Rather you need to have other means of
>> verifying if this person is authorized to edit the row.
>>
>
>
> ok, sorry for the top posting, by "top posting" you mean writing your
> reply at the top, right? back to the question - I don't want to give
> the user an opportunity to monkey around with the html somehow, and
> send back a bogus response via a POST variable. I want to ensure two
> things: first, that the person is authorized to edit this row, and
> second, that this is the row that he or she is authorized to edit. It
> sounds like sessions are the way to go with some kind of encryption.
> Is that the generally accepted way of doing this?
>
> Thanks again,
> Dino
>
Yep, that's right. This one is much better.
And there is no way you can prevent the user from monkeying around with
the html.
For instance - I can display the html source, copy it to notepad and
edit it to my heart's content. Save it on my own machine and load it in
to the browser. When I submit it, it will still go to your site. The
whole thing may take less than two minutes.
Yes, you can save the data in the session. But Gordon has some very
valid comments on why you need to determine if they can edit the row at
the time the user submits the edit request.
Any dangerous operation (i.e. altering a database entry) needs to be
authorized at the time of the submission.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
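The point Jerry makes above (the client can rewrite the form, so the only check that counts is the one the server does when the edit is submitted) is easier to see side by side with the approach it replaces. The following is an added example, not code from this thread or from either poster; the thread does not name a language, so it is written in Python with an in-memory "database" and session table that are constructed for illustration. `naive_handle_edit` trusts an `owner_id` hidden field echoed back by the form, which is exactly the field a user can change in the saved HTML; `safe_handle_edit` ignores anything the client says about ownership and decides from the session and the row's stored owner at submit time.

```python
# Added example (not from the thread). All rows, users and session tokens
# below are constructed for illustration.
from dataclasses import dataclass


@dataclass
class Row:
    id: int
    owner_id: int
    text: str


def make_store():
    """Constructed server-side state: rows keyed by id, and a session table
    mapping a session token (sent in a cookie) to the logged-in user id."""
    rows = {
        1: Row(id=1, owner_id=100, text="alice's note"),
        2: Row(id=2, owner_id=200, text="bob's note"),
    }
    sessions = {"sess-alice": 100, "sess-bob": 200}
    return rows, sessions


def naive_handle_edit(rows: dict, post: dict) -> str:
    """The pattern the thread warns against: the form carried a hidden
    owner_id field and the server compares it against the row. Since the
    client controls every POST field, a saved-and-edited form can send any
    owner_id it likes, so this 'check' authorizes nothing."""
    try:
        row_id = int(post.get("id", ""))
        claimed_owner = int(post.get("owner_id", ""))
    except ValueError:
        return "bad request"
    row = rows.get(row_id)
    if row is None:
        return "forbidden"
    if claimed_owner != row.owner_id:
        return "forbidden"
    row.text = post.get("text", "")
    return "ok"


def safe_handle_edit(rows: dict, sessions: dict, session_token: str, post: dict) -> str:
    """Authorize at submission time from server-side state only:
    who the session says is logged in, and who the database says owns
    the row. The POST body contributes the row id and the new text,
    nothing about identity or permission."""
    user_id = sessions.get(session_token)
    if user_id is None:
        return "not logged in"
    try:
        row_id = int(post.get("id", ""))
    except ValueError:
        return "bad request"
    row = rows.get(row_id)
    # One answer for "no such row" and "not your row", so the response does
    # not reveal which ids exist.
    if row is None or row.owner_id != user_id:
        return "forbidden"
    text = post.get("text", "")
    if not isinstance(text, str) or len(text) > 1000:
        return "bad request"
    row.text = text
    return "ok"


if __name__ == "__main__":
    rows, sessions = make_store()
    # A form for row 2 echoed back with owner_id rewritten: the naive
    # handler accepts it because it only compares client-supplied values.
    print(naive_handle_edit(rows, {"id": "2", "owner_id": "200", "text": "changed"}))
    # The same request through the session-based check, from Alice's session.
    print(safe_handle_edit(rows, sessions, "sess-alice", {"id": "2", "text": "changed"}))
    print(safe_handle_edit(rows, sessions, "sess-alice", {"id": "1", "text": "changed"}))
```

Note that `safe_handle_edit` never reads an owner or user id out of the POST at all; the hidden field, encrypted or not, has nothing to contribute once the server already knows who is logged in and who owns the row.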