That's where I started. I was doing it via JavaScript so I could ask the
user if they really wanted to delete. But when I passed the function the
encrypted value it did not like it for some reason. It was rendered all
funny. The function looks like this:
<script language="JavaScript">
 function check(entry){
  if (confirm("This will delete this entry. Proceed?")){
   document.location = "foo.cfm?entry=" + entry;
   }
  else{}
 }
</script>
Then I would call it with
<a href="javascript:check(#Encrypt(primaryKey, 'notTheRealKey')#">Delete</a>
Which in turn comes out as
<a href="javascript:check("(%WE">Delete</a>
Totally breaks my code.
A.

----- Original Message -----
From: "Bruce Dunwiddie" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, August 12, 2003 11:57 AM
Subject: RE: [KCFusion] security question


> Well the checking in the database to make sure that the user is allowed to
> delete that record is a good step to leave in. As for the rest, I'd
> probably recommend passing an encrypted value of the record to delete along
> with the record id itself, so you can verify that they haven't just changed
> the id, and it won't matter if they can get access to the hidden encrypted
> value because they won't be able to submit the proper encrypted version to
> pass the validation.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Behalf Of Kory Bakken
> Sent: Tuesday, August 12, 2003 9:54 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [KCFusion] security question
>
>
> Adaryl:
>
> Yes, if a person has IEBoster (http://www.paessler.com/IEB) running on
> their machine, hidden form fields are just a right-click away.  You'd be
> better off putting an "ACTIVE" field in any table that you are going to
> allow users to delete from.  That could inactivate the record, then you
> could manually review the deletes before committing any of them.  That's
> my 2 cents.
>
> Kory
>
> -----Original Message-----
> From: Adaryl Wakefield [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 12, 2003 10:48 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [KCFusion] security question
>
>
> I'm sorry, I was in a hurry and should have explained this better. For the
> first time I am faced with allowing users to delete info from a database. I
> am trying to come up with a safe method for doing that. In other words I
> don't want people to just type random numbers in a query string and start
> erasing stuff. Most of the measures I have come up with so far are easily
> defeated. I had considered putting the primary key of the tuple to be
> deleted in a hidden form field, but if you can alter the info sent in a
> post request (and I think I read somewhere that you could) then that
> measure is kinda lame too. The best I've got so far is that the user can
> only delete those tuples that are related to their login.
> A.
>
> ----- Original Message -----
> From: Bruce Dunwiddie <mailto:[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> Sent: Tuesday, August 12, 2003 11:33 AM
> Subject: RE: [KCFusion] security question
>
> I don't know of a way to, say, make IE send different request headers, but
> if you're trying to test something, wouldn't cfpost work?
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On
> Behalf Of Adaryl Wakefield
> Sent: Monday, August 11, 2003 1:44 PM
> To: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> Subject: [KCFusion] security question
>
>
> Is it possible to alter the information that is sent in the headers of a
> POST request?
> A.
>
>
 
 
______________________________________________________________________
The KCFusion.org list and website is hosted by Humankind Systems, Inc.
List Archives........ http://www.mail-archive.com/[EMAIL PROTECTED]
Questions, Comments or Glowing Praise.. mailto:[EMAIL PROTECTED]
To Subscribe.................... mailto:[EMAIL PROTECTED]
To Unsubscribe................ mailto:[EMAIL PROTECTED]