That's what I thought. Manually deleting them does
not exactly bring a smile to my face but it is feasible for us. But what about
larger companies with like a gazillion records? Unless you're telling me that they
just have tons of minimum wage people that all they do all day is delete
records.
A.
----- Original Message -----
Sent: Tuesday, August 12, 2003 10:54 AM
Subject: RE: [KCFusion] security question
Adaryl:
Yes, if a person has IEBoster (http://www.paessler.com/IEB) running
on their machine, hidden form fields are just a right-click away. You'd
be better off putting an "ACTIVE" field in any table that you are going to
allow users to delete from. That could inactivate the record, then you
could manually review the deletes before committing any of them. That's
my 2 cents.
Kory
I'm sorry, I was in a hurry and should have
explained this better. For the first time I am faced with allowing users to
delete info from a database. I am trying to come up with a safe method for
doing that. In other words, I don't want people to just type random numbers
in a query string and start erasing stuff. Most of the measures I have come
up with so far are easily defeated. I had considered putting the primary key
of the tuple to be deleted in a hidden form field, but if you can alter
the info sent in a post request (and I think I read somewhere that you
could) then that measure is kinda lame too. The best I've got so far is that
the user can only delete those tuples that are related to their
login.
A.
----- Original Message -----
Sent: Tuesday, August 12, 2003 11:33 AM
Subject: RE: [KCFusion] security question
I don't know of a way to, say, make IE send different request
headers, but if you're trying to test something, wouldn't cfpost
work?
Is it possible to alter the information
that is sent in the headers of a POST request?
A.
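
Added example, not part of the original thread: the two measures discussed above (an "ACTIVE" flag instead of a real delete, and limiting deletes to rows tied to the user's login) enforced on the server, so a tampered hidden field or query string cannot reach another user's rows. Python and SQLite stand in here for the list's ColdFusion application and its database; the table, column and function names are hypothetical.

```python
import sqlite3

def make_db():
    """Constructed sample data: two users, three records."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, owner TEXT NOT NULL,"
               " body TEXT, active INTEGER NOT NULL DEFAULT 1)")
    db.executemany("INSERT INTO records (id, owner, body) VALUES (?, ?, ?)",
                   [(1, "alice", "a1"), (2, "alice", "a2"), (3, "bob", "b1")])
    return db

def request_delete(db, session_user, submitted_id):
    """Soft-delete one record. submitted_id is untrusted (hidden field or URL);
    session_user comes from the server-side session, never from the request."""
    try:
        record_id = int(submitted_id)
    except (TypeError, ValueError):
        return False
    # Ownership is part of the WHERE clause, and values are bound parameters,
    # so a guessed or altered id matches zero rows unless it belongs to the user.
    cur = db.execute(
        "UPDATE records SET active = 0 WHERE id = ? AND owner = ? AND active = 1",
        (record_id, session_user))
    db.commit()
    return cur.rowcount == 1   # 0 rows: not theirs, missing, or already inactive

def pending_deletes(db):
    """Inactive rows waiting for manual review before a real DELETE."""
    return [r[0] for r in db.execute(
        "SELECT id FROM records WHERE active = 0 ORDER BY id")]

def purge_reviewed(db, approved_ids):
    """Reviewer commits the deletes; only rows already marked inactive can go."""
    cur = db.executemany("DELETE FROM records WHERE id = ? AND active = 0",
                         [(i,) for i in approved_ids])
    db.commit()
    return cur.rowcount
```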