NeXTensio Forum :: Secure NeXTensio form
Starting with 17th May 2007, Adobe Systems will stop offering support for any version of the discontinued InterAKT products. As a result, we will not answer to new support incidents starting with May 17th, 2007. Pending support incidents will still be followed in order to be closed. The product forums will remain open and be transformed in user-to-user forums. The general forums will be made read-only and not allow new posts or comments.
For more information about the affected products visit: www.interaktonline.com/Support/
Brian Lagunas
07-18-2006 04:35:01 GMT +2
I have a NeXTensio list that is filtered by the Session("kt_login_id") and this works great. And we all know that when you click on a record to edit it, it uses a queryString to pass to the NeXTensio form. Well, I need to prevent someone from being able to change the queryString and edit someone else's record.
Example: If I click on a record to edit I get the following queryString: "www.mysite.com/form.asp?Id=1", but someone can manually change that to "www.mysite.com/form.asp?Id=2" and get someone else's record, then edit it as they wish. I need to prevent this.
Keep in mind that I am using the NeXTensio Form Wizard, so I cannot just create a recordset to check that the userID and autoID are correct and then use a "Show if recordset is not empty", because if you try to insert a new one the recordset will be empty and hence there is no form.
I find that this is one of the biggest problems with the NeXTensio forms, and for the future release I recommend that security be a major concern.
Any solutions would be greatly appreciated.
Razvan Racasanu[InterAKT]
07-18-2006 12:16:45 GMT +2
Hello,
The solution to this is to create the recordset only when the form is in Update mode. For this, you can initialise a variable (let's call it okToEdit) to true. Then, you check if the form is in update mode (if the primary key is present in the query). If this is true, then you create the recordset and check if it returns records. If the recordset does not return any records, you then set the variable okToEdit to false.
Then, depending on the result of the variable okToEdit, you can either show the form or not, using a "Show If Conditional Region".
Regards,
Razvan RACASANU
Brian Lagunas
07-19-2006 00:05:11 GMT +2
I actually found an easier way to do it. First I created a recordset that checked to make sure the records belonged to the user by filtering on the request.querystring("Param_Name") and the session("kt_login_id"). Then I added the DW SB "show if recordset is not empty". Then I modified the "show if recordset" as follows:
<%
' rsAutoCheck is filtered on the query-string id AND the session user id,
' so it is only non-empty when the record belongs to the logged-in user.
' An empty Param_Name means the form is in insert mode, so no check is needed.
If Not rsAutoCheck.EOF Or Not rsAutoCheck.BOF Or Request.QueryString("Param_Name") = "" Then %>
NeXTensio Form to show
<% End If %>
So by adding the (Or Request.QueryString("Param_Name") = ""), it allows the queryString to be empty and allows the insert. So now a user cannot edit a record that does not belong to them by changing the queryString in the address bar, and the insert function will work as well.
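Putting Razvan's okToEdit approach and Brian's insert-mode exception together in one classic ASP page, as an added example that is not code from the thread or from InterAKT. The table name Autos, the columns AutoID and UserID, the included connection file and the MM_conn_STRING connection string are assumptions. The difference from a Dreamweaver-generated filtered recordset is that the query-string id and the session user id are bound as ADO parameters instead of being concatenated into the SQL text, so a tampered id can neither reach another user's row nor alter the query itself; a missing session id or a non-numeric id is treated as "not allowed" rather than as an error.

```asp
<%@ Language="VBScript" %>
<% Option Explicit %>
<!--#include virtual="/Connections/connAutos.asp" -->
<%
' Added example, not from the original thread.
' Assumed: the include above declares MM_conn_STRING, and the Autos table
' has an integer primary key AutoID and an owner column UserID.
Dim okToEdit, autoId, loginId, cmd, rsAutoCheck

okToEdit = True
autoId  = Trim(Request.QueryString("Param_Name"))
loginId = Trim(Session("kt_login_id"))

' Insert mode: no primary key in the query string, nothing to check.
' Update mode: the record must belong to the logged-in user.
If autoId <> "" Then
    If loginId = "" Or Not IsNumeric(autoId) Or Not IsNumeric(loginId) Then
        ' Not logged in, or an id that is not an integer: refuse before
        ' touching the database instead of letting CLng raise an error.
        okToEdit = False
    Else
        Set cmd = Server.CreateObject("ADODB.Command")
        cmd.ActiveConnection = MM_conn_STRING
        cmd.CommandType = 1   ' adCmdText
        ' Both values are bound as parameters; the SQL text never contains
        ' user input, so the ownership filter cannot be bypassed by injection.
        cmd.CommandText = "SELECT AutoID FROM Autos WHERE AutoID = ? AND UserID = ?"
        ' CreateParameter(name, type, direction, size, value): 3 = adInteger, 1 = adParamInput
        cmd.Parameters.Append cmd.CreateParameter("AutoID", 3, 1, 4, CLng(autoId))
        cmd.Parameters.Append cmd.CreateParameter("UserID", 3, 1, 4, CLng(loginId))
        Set rsAutoCheck = cmd.Execute

        ' No row means the record does not exist or belongs to another user;
        ' the page deliberately does not say which.
        If rsAutoCheck.EOF And rsAutoCheck.BOF Then okToEdit = False

        rsAutoCheck.Close
        Set rsAutoCheck = Nothing
        Set cmd = Nothing
    End If
End If
%>
<% If okToEdit Then %>
NeXTensio Form to show
<% Else %>
<p>You are not allowed to edit this record.</p>
<% End If %>
```

The same two values (AutoID from the query string, UserID from the session) must also be applied to the UPDATE statement itself, not only to the check that decides whether the form is displayed; otherwise a request posted directly to the form handler would still bypass the ownership test.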
Chris Brown
09-11-2006 17:59:47 GMT +2
oh you ****ing star! :-)
If I were half the man I was, I would marry you ;-)
Seriously, I have just been told to look at your post by one of the Interakt team, and it does exactly what it says on the tin! I had partially got this far, but my logic was just wrong, so thank you for saving a life - I had just spent over 14 hours trying to get a NXT form secured down without fault but while ALSO allowing inserts, and this does it perfectly :-) So thanks so much again :-)
Note to Interakt: I don't think people should have to write a workaround like this, which is basically a fudge fix! Your software is AMAZING, but this is the only bit that I have found lacking (the ability to control the NXT recordset to some degree). So in the next version, PLEASE PLEASE PLEASE allow people to specify what variables the NXT recordset should work/filter on. Other than that, your software rocks :-)