WebApp Sec mailing list archives
Re: cgi to update a datable table
From: allanwind () attbi com (Allan Wind)
Date: Tue, 29 Oct 2002 15:35:58 -0500
On 2002-10-29 13:31:52, Kevin Spett wrote:
> I'm not exactly sure what the original poster was asking for, but... Have you considered separating the data into different tables? One with write permissions, one with read only?
>
> Most database systems feature things like per-column permissions, etc. You wouldn't need two tables.
True, but I do not think you really want to fiddle with database users and permissions. Say the application is a corporate address book and you only want the owner of the entry and a group of users to be able to change an entry. You can also do this sort of thing with stored procedures, and in fact I had quite a lot of fun implementing row level access control based on the user logged in. I really want permission to be transient and tied to a form request (or said differently, a given session may be allowed to change row 1 now, but only for 30 min or till the user submits this form). There must be a simple or widely used method to deal with this sort of thing, otherwise it would be trivial to overwrite all the data in a given table as long as you have write access to a row in it.

/Allan

--
Allan Wind
P.O. Box 2022
Woburn, MA 01888-0022
USA
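The transient, per-form grant Allan describes (a session may change row 1 now, but only for 30 minutes or until it submits the form), as an added Python example that is not part of the thread. The HMAC-signed grant format, the sqlite3 address book and all function names are assumptions.

```python
# Added example (not from the thread): a transient, per-form edit grant.
# Assumptions: sqlite3 address book, HMAC-signed grant carrying the row id,
# the session id, an expiry and a one-time nonce; all names are hypothetical.
import hmac, hashlib, os, sqlite3, time

SECRET = os.urandom(32)          # server-side key, never sent to the browser
CONSUMED = set()                 # nonces of grants already spent (single use)

def issue_grant(session_id, row_id, now=None, ttl=1800):
    """Mint a grant letting this session edit exactly one row for ttl seconds."""
    exp = int(now if now is not None else time.time()) + ttl
    nonce = os.urandom(8).hex()
    msg = f"{session_id}:{row_id}:{exp}:{nonce}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{row_id}:{exp}:{nonce}:{mac}"

def check_grant(session_id, row_id, grant, now=None):
    """True only if grant is intact, for this session/row, unexpired and unused."""
    now = now if now is not None else time.time()
    try:
        g_row, g_exp, nonce, mac = grant.split(":")
        g_row, g_exp = int(g_row), int(g_exp)
    except ValueError:
        return False
    msg = f"{session_id}:{g_row}:{g_exp}:{nonce}".encode()
    good = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, good):
        return False                       # forged or tampered grant
    if g_row != row_id or g_exp < now or nonce in CONSUMED:
        return False                       # wrong row, expired, or replayed
    CONSUMED.add(nonce)                    # spend it: one form, one update
    return True

def update_phone(conn, session_id, grant, row_id, phone, now=None):
    """The form handler: the UPDATE is only issued for the granted row."""
    if not check_grant(session_id, row_id, grant, now):
        return False
    cur = conn.execute("UPDATE addressbook SET phone = ? WHERE id = ?", (phone, row_id))
    conn.commit()
    return cur.rowcount == 1

def make_db():
    """Constructed sample address book (two rows, one owner each)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE addressbook (id INTEGER PRIMARY KEY, owner TEXT, phone TEXT)")
    conn.executemany("INSERT INTO addressbook VALUES (?, ?, ?)",
                     [(1, "alice", "555-0100"), (2, "bob", "555-0200")])
    return conn
```

The database user keeps write access to the whole table; what limits a request to one row is the grant the server minted when it rendered that row's edit form, which the same session cannot reuse, redirect to another row, or present after it has expired.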