NetTalk Central

Author Topic: please help security problems on form  (Read 4120 times)

olu

  • Sr. Member
  • ****
  • Posts: 352
    • View Profile
    • Email
please help security problems on form
« on: May 10, 2011, 08:21:04 PM »
i have a site that you can only get to the form if you are logged in which works ok but the problem is you are then able to see other peoples profile once you are logged in just by putting something like this in the browser
http://localhost:88/profile?reg:reg_no=22&change_btn=change

just by changing reg:reg_no=22 number to other number on the browser i can see everybody else profile pls how do i stop this they need to only see their own profile and nobody else please help! someone

Robert Iliuta

  • Sr. Member
  • ****
  • Posts: 472
    • View Profile
    • Email
Re: please help security problems on form
« Reply #1 on: May 10, 2011, 10:11:31 PM »
Hallo,


I recommend you to stay in touch with the news and new updates of NetTalk 5.
Check the RSS for news.

Read this:
http://www.capesoft.com/docs/NetTalk5/NetTalkWebFAQ.htm#W4


Robert

olu

  • Sr. Member
  • ****
  • Posts: 352
    • View Profile
    • Email
Re: please help security problems on form
« Reply #2 on: May 10, 2011, 10:25:39 PM »
i do not have nettalk 5 still on nettalk4 this needs to be done on nettalk4

Bruce

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 11250
    • View Profile
Re: please help security problems on form
« Reply #3 on: May 10, 2011, 11:09:36 PM »
Hi Olu,

See here for details;
http://www.nettalkcentral.com/index.php?option=com_smf&Itemid=36&topic=2068.msg7834#new

Unfortunately the change is substantial - there's a lot of code under the hood which makes it work, and despite the rather simple explanation it's far from trivial to implement.

Security is a process, not a destination. One of the advantages of using the current version is that there are various security related things happening all the time.

In NT4 your best bet is to use non-sequential, and hard-to-guess row ID's. It's not as secure as NT5, because a user can still edit a record as long as they know the ID. However if you use a random string (say 16 chars long) as the ID it's not possible to guess other ID's.

cheers
Bruce


olu

  • Sr. Member
  • ****
  • Posts: 352
    • View Profile
    • Email
Re: please help security problems on form
« Reply #4 on: May 11, 2011, 12:23:31 AM »
Hi Bruce
there too many records already created and links attached it will take major rewrite to change it to that i have tied using the ONLY serve if in the form and use something like this
p_web.getsession('myid') = p_web.getsession('recordid')

do yu think there is still a way for users to get pass this?

Bruce

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 11250
    • View Profile
Re: please help security problems on form
« Reply #5 on: May 11, 2011, 04:37:22 AM »
>>do you think there is still a way for users to get pass this?
unfortunately yes.

Perhaps it's time to consider an update to NT5 ?

Cheers
Bruce