> > 1) If you have a page which will update field A, but have field B as hidden,
> > and while the user on this screen is on the phone, someone else updates
> > field B, when the user saves his record, the other guy's field B will be
> > overwritten.
> 
> You have this race condition with the fields you are allowing 
> to be changed as well.  It's a well known problem, with 
> several solutions.  It's not just a problem with hidden fields.

Oh, absolutely. Didn't try to imply otherwise, but in this case, it's really
bad. It's the back door into the whole app.

Yes, you're letting the user update everything regardless of state, but
because of putting the current data into hidden fields, you're ALSO letting
him see what the fields are to update (including their current values,
regardless of what he's supposed to be able to see).

So even if you checked the state before you updated everything from what the
HTML had (why you would do this, and not use the current database state, I
don't know), you'd still be letting the user see everything. By not checking
at all, you're now potentially giving him complete front end access to your
database.
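The two handlers below are an added illustration of the pattern this thread is discussing; they are not code from the thread or from any project mentioned in it. The first copies the whole row into hidden inputs and writes back whatever the browser posts, so the hidden field B exposes data the screen was never meant to show and a concurrent edit to it is silently overwritten. The second is one of the "well known solutions": it sends the browser only the editable fields plus a row version, whitelists what may be written back, and refuses the save if the row changed in the meantime. The in-memory `DB` table, the record shape (`field_a`, `field_b`, `role`, `version`) and the sample posts are all constructed for the example.

```python
"""Added example, not code from the thread: a form handler that trusts
hidden fields next to one that whitelists editable fields and detects a
concurrent update with a version counter. All names, the in-memory table
and the sample form posts are constructed for illustration."""
from copy import deepcopy


class UpdateError(Exception):
    pass


# Constructed in-memory table. field_a is what the page edits; field_b is
# the hidden field another user may change meanwhile; role must never be
# shown to or changed by this screen.
DB = {}


def reset_db():
    DB.clear()
    DB[42] = {"field_a": "old A", "field_b": "old B", "role": "user", "version": 1}


def render_form_unsafe(record_id):
    # Copies the whole row into the page (visible + hidden inputs), so the
    # browser sees field_b and role even though only field_a is editable.
    return deepcopy(DB[record_id])


def update_unsafe(record_id, posted):
    # Writes back whatever the browser posted, hidden fields included,
    # with no check of what the row looks like now.
    rec = DB[record_id]
    for key, value in posted.items():
        rec[key] = value
    return deepcopy(rec)


def render_form_safe(record_id, allowed):
    # Only the editable fields and the row version the user started from
    # leave the server; nothing else is echoed back to the browser.
    rec = DB[record_id]
    form = {k: rec[k] for k in allowed}
    form["version"] = rec["version"]
    return form


def update_safe(record_id, posted, allowed):
    rec = DB[record_id]
    # 1. Reject any field this page is not allowed to change.
    extra = set(posted) - set(allowed) - {"version"}
    if extra:
        raise UpdateError(f"not editable on this page: {sorted(extra)}")
    # 2. Optimistic lock: refuse if the row changed since the form was loaded.
    try:
        seen = int(posted["version"])
    except (KeyError, TypeError, ValueError):
        raise UpdateError("missing or malformed version")
    if seen != rec["version"]:
        raise UpdateError("record changed by another user; reload and retry")
    # 3. Apply only whitelisted fields, then bump the version.
    for key in allowed:
        if key in posted:
            rec[key] = posted[key]
    rec["version"] += 1
    return deepcopy(rec)


def demo():
    """Walk through the scenario from the thread both ways."""
    out = {}
    # Unsafe: user loads the page, someone else edits field_b, user saves.
    reset_db()
    form = render_form_unsafe(42)           # carries old B and role
    out["unsafe_exposes"] = sorted(k for k in form if k != "field_a")
    DB[42]["field_b"] = "new B"             # the other user's change
    form["field_a"] = "new A"
    rec = update_unsafe(42, form)
    out["unsafe_field_b"] = rec["field_b"]  # 'old B': the other edit is lost
    # Safe: same timeline.
    reset_db()
    form = render_form_safe(42, allowed=("field_a",))
    out["safe_exposes"] = sorted(k for k in form if k != "field_a")
    update_safe(42, {"field_b": "new B", "version": 1}, allowed=("field_b",))
    form["field_a"] = "new A"
    try:
        update_safe(42, form, allowed=("field_a",))
        out["safe_conflict"] = False
    except UpdateError:
        out["safe_conflict"] = True         # stale version detected
    out["safe_field_b"] = DB[42]["field_b"]  # 'new B' survives
    # A post carrying field_b is refused before anything is written.
    try:
        update_safe(42, {"field_a": "x", "field_b": "y", "version": 2},
                    allowed=("field_a",))
        out["safe_rejects_extra"] = False
    except UpdateError:
        out["safe_rejects_extra"] = True
    # After reloading (version 2) the user's own edit goes through.
    rec = update_safe(42, {"field_a": "new A", "version": 2}, allowed=("field_a",))
    out["safe_retry_version"] = rec["version"]
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The version counter only detects lost updates; it does not authorise anything, so the whitelist is what actually closes the back door. In a real application the whitelist would come from the server-side definition of the screen, and the state check would be done against the current database row, as the reply above says, never against values echoed back from the HTML.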
