Security chack please

P

Paul M

Hi
Can you please tell me of any security issues with this change details
method
Login "testing" password "testing"
http://www.ingenious-group.com/user_database_reg_/changedetailslogin1.asp

The login is a basic select query created by the DRW which produces a form
as its results which passes its data to an update asp.The update asp is the
one that the DIW uses,I have simply removed the login asa inc file
I am conserned about the hidden ID field which is near the bottom of the
form on
http://www.ingenious-group.com/user_database_reg_/changedetails1.asp
You will need to login to create the form Username "testing" password
"testing"
Thankyou
Paul M
 
T

Thomas A. Rowe

The only I see, is what if I don't want to change my login info, but I am being force to type
something anyway.

Also once I have logged in, I shouldn't need to log in anywhere else on the site during my current
session.

Suggestion: Links and heading font colors should not be the same.

--
==============================================
Thomas A. Rowe (Microsoft MVP - FrontPage)
==============================================
If you feel your current issue is a results of installing
a Service Pack or security update, please contact
Microsoft Product Support Services:
http://support.microsoft.com
If the problem can be shown to have been caused by a
security update, then there is usually no charge for the call.
==============================================
 
P

Paul M

Thanks Thomas
That's something to work on next but for now I need to know if the form
which appears when you retrieve you information is safe. I am not sure
about hidden fields and such being a security issue
If they are is there a way of totally hiding them from the page when you
view the source
Paul M
 
T

Thomas A. Rowe

Since the form is protected, hidden fields can only be modified by a logged in user, and you would
know who the user is.

Hidden form field will always appear in the page source. The solution is use sessions variable to
store the hidden info.
--
==============================================
Thomas A. Rowe (Microsoft MVP - FrontPage)
==============================================
If you feel your current issue is a results of installing
a Service Pack or security update, please contact
Microsoft Product Support Services:
http://support.microsoft.com
If the problem can be shown to have been caused by a
security update, then there is usually no charge for the call.
==============================================
 
P

Paul M

Thanks Thomas
But if someone registers to receive login info could they then use malicious
code to sql inject
Paul M
 
T

Thomas A. Rowe

You would have to test all form fields in the same manner as you do querystrings. You also need to
consider the value of the data you are storing, and never store more then what is absolutely needed.

--
==============================================
Thomas A. Rowe (Microsoft MVP - FrontPage)
==============================================
If you feel your current issue is a results of installing
a Service Pack or security update, please contact
Microsoft Product Support Services:
http://support.microsoft.com
If the problem can be shown to have been caused by a
security update, then there is usually no charge for the call.
==============================================
 
S

Stefan B Rusynko

Re the hidden field
There is no valid reason for exposing the record ID in the form as a hidden field when you can pass it as a session variable (from
the login page)

But since any one can register (and while they are at it also create a duplicate userID & password) it means you have no control
over what record they may be editing (other than the 1st record that happens to match)
- if you check your DB you will probably find 2 users w/ the username & password of "testing", since I was allowed to create a
second user w/o any errors

The point that Thomas & I have been making is you can only go so far w/ the DBRW and DIW
- and IMHO for what you are trying to do you will need to learn to write not only safe code but code that does not break database
integrity (and that can't be done w/ just the wizards)




| Thanks Thomas
| That's something to work on next but for now I need to know if the form
| which appears when you retrieve you information is safe. I am not sure
| about hidden fields and such being a security issue
| If they are is there a way of totally hiding them from the page when you
| view the source
| Paul M
| | > The only I see, is what if I don't want to change my login info, but I am
| > being force to type something anyway.
| >
| > Also once I have logged in, I shouldn't need to log in anywhere else on
| > the site during my current session.
| >
| > Suggestion: Links and heading font colors should not be the same.
| >
| > --
| > ==============================================
| > Thomas A. Rowe (Microsoft MVP - FrontPage)
| > ==============================================
| > If you feel your current issue is a results of installing
| > a Service Pack or security update, please contact
| > Microsoft Product Support Services:
| > http://support.microsoft.com
| > If the problem can be shown to have been caused by a
| > security update, then there is usually no charge for the call.
| > ==============================================
| >
| > | >> Hi
| >> Can you please tell me of any security issues with this change details
| >> method
| >> Login "testing" password "testing"
| >> http://www.ingenious-group.com/user_database_reg_/changedetailslogin1.asp
| >>
| >> The login is a basic select query created by the DRW which produces a
| >> form as its results which passes its data to an update asp.The update asp
| >> is the one that the DIW uses,I have simply removed the login asa inc file
| >> I am conserned about the hidden ID field which is near the bottom of the
| >> form on
| >> http://www.ingenious-group.com/user_database_reg_/changedetails1.asp
| >> You will need to login to create the form Username "testing" password
| >> "testing"
| >> Thankyou
| >> Paul M
| >>
| >>
| >
| >
|
|
 
P

Paul M

Thanks
The info stored is not valuable I just don't want online one day to find
that someone has deleted my database entries
Paul M
 
P

Paul M

Thanks Stefan
How can I pass the ID as a session variable
Did you create the duplicate with some Sql injection
Paul M
 
S

Stefan B Rusynko

1) See http://www.w3schools.com/asp/asp_sessions.asp
2) No injection needed, just used your form (since you don't server side validate anything)

Why bother to have a login in at all if anyone can create an identify and the info you are showing is not managed in some way

_____________________________________________
SBR @ ENJOY (-: [ Microsoft MVP - FrontPage ]
"Warning - Using the F1 Key will not break anything!" (-;
To find the best Newsgroup for FrontPage support see:
http://www.net-sites.com/sitebuilder/newsgroups.asp
_____________________________________________


| Thanks Stefan
| How can I pass the ID as a session variable
| Did you create the duplicate with some Sql injection
| Paul M
| | > Re the hidden field
| > There is no valid reason for exposing the record ID in the form as a
| > hidden field when you can pass it as a session variable (from
| > the login page)
| >
| > But since any one can register (and while they are at it also create a
| > duplicate userID & password) it means you have no control
| > over what record they may be editing (other than the 1st record that
| > happens to match)
| > - if you check your DB you will probably find 2 users w/ the username &
| > password of "testing", since I was allowed to create a
| > second user w/o any errors
| >
| > The point that Thomas & I have been making is you can only go so far w/
| > the DBRW and DIW
| > - and IMHO for what you are trying to do you will need to learn to write
| > not only safe code but code that does not break database
| > integrity (and that can't be done w/ just the wizards)
| >
| > --
| >
| > _____________________________________________
| > SBR @ ENJOY (-: [ Microsoft MVP - FrontPage ]
| > "Warning - Using the F1 Key will not break anything!" (-;
| > To find the best Newsgroup for FrontPage support see:
| > http://www.net-sites.com/sitebuilder/newsgroups.asp
| > _____________________________________________
| >
| >
| > | > | Thanks Thomas
| > | That's something to work on next but for now I need to know if the form
| > | which appears when you retrieve you information is safe. I am not sure
| > | about hidden fields and such being a security issue
| > | If they are is there a way of totally hiding them from the page when you
| > | view the source
| > | Paul M
| > | | > | > The only I see, is what if I don't want to change my login info, but I
| > am
| > | > being force to type something anyway.
| > | >
| > | > Also once I have logged in, I shouldn't need to log in anywhere else
| > on
| > | > the site during my current session.
| > | >
| > | > Suggestion: Links and heading font colors should not be the same.
| > | >
| > | > --
| > | > ==============================================
| > | > Thomas A. Rowe (Microsoft MVP - FrontPage)
| > | > ==============================================
| > | > If you feel your current issue is a results of installing
| > | > a Service Pack or security update, please contact
| > | > Microsoft Product Support Services:
| > | > http://support.microsoft.com
| > | > If the problem can be shown to have been caused by a
| > | > security update, then there is usually no charge for the call.
| > | > ==============================================
| > | >
| > | > | > | >> Hi
| > | >> Can you please tell me of any security issues with this change
| > details
| > | >> method
| > | >> Login "testing" password "testing"
| > | >>
| > http://www.ingenious-group.com/user_database_reg_/changedetailslogin1.asp
| > | >>
| > | >> The login is a basic select query created by the DRW which produces a
| > | >> form as its results which passes its data to an update asp.The update
| > asp
| > | >> is the one that the DIW uses,I have simply removed the login asa inc
| > file
| > | >> I am conserned about the hidden ID field which is near the bottom of
| > the
| > | >> form on
| > | >> http://www.ingenious-group.com/user_database_reg_/changedetails1.asp
| > | >> You will need to login to create the form Username "testing" password
| > | >> "testing"
| > | >> Thankyou
| > | >> Paul M
| > | >>
| > | >>
| > | >
| > | >
| > |
| > |
| >
| >
|
|
 
P

Paul M

Thanks Stefan
I will set the database fields to no duplicates. when you say the form, its
the normal registration form at databasesearch_reg.asp?
Thanks again
Stefan B Rusynko said:
1) See http://www.w3schools.com/asp/asp_sessions.asp
2) No injection needed, just used your form (since you don't server side
validate anything)

Why bother to have a login in at all if anyone can create an identify and
the info you are showing is not managed in some way

_____________________________________________
SBR @ ENJOY (-: [ Microsoft MVP - FrontPage ]
"Warning - Using the F1 Key will not break anything!" (-;
To find the best Newsgroup for FrontPage support see:
http://www.net-sites.com/sitebuilder/newsgroups.asp
_____________________________________________


| Thanks Stefan
| How can I pass the ID as a session variable
| Did you create the duplicate with some Sql injection
| Paul M
| | > Re the hidden field
| > There is no valid reason for exposing the record ID in the form as a
| > hidden field when you can pass it as a session variable (from
| > the login page)
| >
| > But since any one can register (and while they are at it also create a
| > duplicate userID & password) it means you have no control
| > over what record they may be editing (other than the 1st record that
| > happens to match)
| > - if you check your DB you will probably find 2 users w/ the username
&
| > password of "testing", since I was allowed to create a
| > second user w/o any errors
| >
| > The point that Thomas & I have been making is you can only go so far
w/
| > the DBRW and DIW
| > - and IMHO for what you are trying to do you will need to learn to
write
| > not only safe code but code that does not break database
| > integrity (and that can't be done w/ just the wizards)
| >
| > --
| >
| > _____________________________________________
| > SBR @ ENJOY (-: [ Microsoft MVP - FrontPage ]
| > "Warning - Using the F1 Key will not break anything!" (-;
| > To find the best Newsgroup for FrontPage support see:
| > http://www.net-sites.com/sitebuilder/newsgroups.asp
| > _____________________________________________
| >
| >
| > | > | Thanks Thomas
| > | That's something to work on next but for now I need to know if the
form
| > | which appears when you retrieve you information is safe. I am not
sure
| > | about hidden fields and such being a security issue
| > | If they are is there a way of totally hiding them from the page when
you
| > | view the source
| > | Paul M
| > | | > | > The only I see, is what if I don't want to change my login info,
but I
| > am
| > | > being force to type something anyway.
| > | >
| > | > Also once I have logged in, I shouldn't need to log in anywhere
else
| > on
| > | > the site during my current session.
| > | >
| > | > Suggestion: Links and heading font colors should not be the same.
| > | >
| > | > --
| > | > ==============================================
| > | > Thomas A. Rowe (Microsoft MVP - FrontPage)
| > | > ==============================================
| > | > If you feel your current issue is a results of installing
| > | > a Service Pack or security update, please contact
| > | > Microsoft Product Support Services:
| > | > http://support.microsoft.com
| > | > If the problem can be shown to have been caused by a
| > | > security update, then there is usually no charge for the call.
| > | > ==============================================
| > | >
| > | > | > | >> Hi
| > | >> Can you please tell me of any security issues with this change
| > details
| > | >> method
| > | >> Login "testing" password "testing"
| > | >>
| >
http://www.ingenious-group.com/user_database_reg_/changedetailslogin1.asp
| > | >>
| > | >> The login is a basic select query created by the DRW which
produces a
| > | >> form as its results which passes its data to an update asp.The
update
| > asp
| > | >> is the one that the DIW uses,I have simply removed the login asa
inc
| > file
| > | >> I am conserned about the hidden ID field which is near the
bottom of
| > the
| > | >> form on
| > | >>
http://www.ingenious-group.com/user_database_reg_/changedetails1.asp
| > | >> You will need to login to create the form Username "testing"
password
| > | >> "testing"
| > | >> Thankyou
| > | >> Paul M
| > | >>
| > | >>
| > | >
| > | >
| > |
| > |
| >
| >
|
|
Click to expand...
 
S

Stefan B Rusynko

Yes the form at http://www.ingenious-group.com/databasesearch_reg.asp
Setting the DB to allow only unique fields will stop duplicates, but will also generate user errors in ASP
- you should actually be preventing the errors by checking for the dupes in ASP before you attempt to write to the DB




| Thanks Stefan
| I will set the database fields to no duplicates. when you say the form, its
| the normal registration form at databasesearch_reg.asp?
| Thanks again
| | > 1) See http://www.w3schools.com/asp/asp_sessions.asp
| > 2) No injection needed, just used your form (since you don't server side
| > validate anything)
| >
| > Why bother to have a login in at all if anyone can create an identify and
| > the info you are showing is not managed in some way
| >
| > _____________________________________________
| > SBR @ ENJOY (-: [ Microsoft MVP - FrontPage ]
| > "Warning - Using the F1 Key will not break anything!" (-;
| > To find the best Newsgroup for FrontPage support see:
| > http://www.net-sites.com/sitebuilder/newsgroups.asp
| > _____________________________________________
| >
| >
| > | > | Thanks Stefan
| > | How can I pass the ID as a session variable
| > | Did you create the duplicate with some Sql injection
| > | Paul M
| > | | > | > Re the hidden field
| > | > There is no valid reason for exposing the record ID in the form as a
| > | > hidden field when you can pass it as a session variable (from
| > | > the login page)
| > | >
| > | > But since any one can register (and while they are at it also create a
| > | > duplicate userID & password) it means you have no control
| > | > over what record they may be editing (other than the 1st record that
| > | > happens to match)
| > | > - if you check your DB you will probably find 2 users w/ the username
| > &
| > | > password of "testing", since I was allowed to create a
| > | > second user w/o any errors
| > | >
| > | > The point that Thomas & I have been making is you can only go so far
| > w/
| > | > the DBRW and DIW
| > | > - and IMHO for what you are trying to do you will need to learn to
| > write
| > | > not only safe code but code that does not break database
| > | > integrity (and that can't be done w/ just the wizards)
| > | >
| > | > --
| > | >
| > | > _____________________________________________
| > | > SBR @ ENJOY (-: [ Microsoft MVP - FrontPage ]
| > | > "Warning - Using the F1 Key will not break anything!" (-;
| > | > To find the best Newsgroup for FrontPage support see:
| > | > http://www.net-sites.com/sitebuilder/newsgroups.asp
| > | > _____________________________________________
| > | >
| > | >
| > | > | > | > | Thanks Thomas
| > | > | That's something to work on next but for now I need to know if the
| > form
| > | > | which appears when you retrieve you information is safe. I am not
| > sure
| > | > | about hidden fields and such being a security issue
| > | > | If they are is there a way of totally hiding them from the page when
| > you
| > | > | view the source
| > | > | Paul M
| > | > | | > | > | > The only I see, is what if I don't want to change my login info,
| > but I
| > | > am
| > | > | > being force to type something anyway.
| > | > | >
| > | > | > Also once I have logged in, I shouldn't need to log in anywhere
| > else
| > | > on
| > | > | > the site during my current session.
| > | > | >
| > | > | > Suggestion: Links and heading font colors should not be the same.
| > | > | >
| > | > | > --
| > | > | > ==============================================
| > | > | > Thomas A. Rowe (Microsoft MVP - FrontPage)
| > | > | > ==============================================
| > | > | > If you feel your current issue is a results of installing
| > | > | > a Service Pack or security update, please contact
| > | > | > Microsoft Product Support Services:
| > | > | > http://support.microsoft.com
| > | > | > If the problem can be shown to have been caused by a
| > | > | > security update, then there is usually no charge for the call.
| > | > | > ==============================================
| > | > | >
| > | > | > | > | > | >> Hi
| > | > | >> Can you please tell me of any security issues with this change
| > | > details
| > | > | >> method
| > | > | >> Login "testing" password "testing"
| > | > | >>
| > | >
| > http://www.ingenious-group.com/user_database_reg_/changedetailslogin1.asp
| > | > | >>
| > | > | >> The login is a basic select query created by the DRW which
| > produces a
| > | > | >> form as its results which passes its data to an update asp.The
| > update
| > | > asp
| > | > | >> is the one that the DIW uses,I have simply removed the login asa
| > inc
| > | > file
| > | > | >> I am conserned about the hidden ID field which is near the
| > bottom of
| > | > the
| > | > | >> form on
| > | > | >>
| > http://www.ingenious-group.com/user_database_reg_/changedetails1.asp
| > | > | >> You will need to login to create the form Username "testing"
| > password
| > | > | >> "testing"
| > | > | >> Thankyou
| > | > | >> Paul M
| > | > | >>
| > | > | >>
| > | > | >
| > | > | >
| > | > |
| > | > |
| > | >
| > | >
| > |
| > |
| >
| >
|
|
 
P

Paul M

Thanks Stefan
This is all getting a bit advanced.
is there an easy way to do it?
best wishes
Paul M
Stefan B Rusynko said:
Yes the form at http://www.ingenious-group.com/databasesearch_reg.asp
Setting the DB to allow only unique fields will stop duplicates, but will
also generate user errors in ASP
- you should actually be preventing the errors by checking for the dupes
in ASP before you attempt to write to the DB




| Thanks Stefan
| I will set the database fields to no duplicates. when you say the form,
its
| the normal registration form at databasesearch_reg.asp?
| Thanks again
| | > 1) See http://www.w3schools.com/asp/asp_sessions.asp
| > 2) No injection needed, just used your form (since you don't server
side
| > validate anything)
| >
| > Why bother to have a login in at all if anyone can create an identify
and
| > the info you are showing is not managed in some way
| >
| > _____________________________________________
| > SBR @ ENJOY (-: [ Microsoft MVP - FrontPage ]
| > "Warning - Using the F1 Key will not break anything!" (-;
| > To find the best Newsgroup for FrontPage support see:
| > http://www.net-sites.com/sitebuilder/newsgroups.asp
| > _____________________________________________
| >
| >
| > | > | Thanks Stefan
| > | How can I pass the ID as a session variable
| > | Did you create the duplicate with some Sql injection
| > | Paul M
| > | | > | > Re the hidden field
| > | > There is no valid reason for exposing the record ID in the form as
a
| > | > hidden field when you can pass it as a session variable (from
| > | > the login page)
| > | >
| > | > But since any one can register (and while they are at it also
create a
| > | > duplicate userID & password) it means you have no control
| > | > over what record they may be editing (other than the 1st record
that
| > | > happens to match)
| > | > - if you check your DB you will probably find 2 users w/ the
username
| > &
| > | > password of "testing", since I was allowed to create a
| > | > second user w/o any errors
| > | >
| > | > The point that Thomas & I have been making is you can only go so
far
| > w/
| > | > the DBRW and DIW
| > | > - and IMHO for what you are trying to do you will need to learn to
| > write
| > | > not only safe code but code that does not break database
| > | > integrity (and that can't be done w/ just the wizards)
| > | >
| > | > --
| > | >
| > | > _____________________________________________
| > | > SBR @ ENJOY (-: [ Microsoft MVP - FrontPage ]
| > | > "Warning - Using the F1 Key will not break anything!" (-;
| > | > To find the best Newsgroup for FrontPage support see:
| > | > http://www.net-sites.com/sitebuilder/newsgroups.asp
| > | > _____________________________________________
| > | >
| > | >
| > | > | > | > | Thanks Thomas
| > | > | That's something to work on next but for now I need to know if
the
| > form
| > | > | which appears when you retrieve you information is safe. I am
not
| > sure
| > | > | about hidden fields and such being a security issue
| > | > | If they are is there a way of totally hiding them from the page
when
| > you
| > | > | view the source
| > | > | Paul M
| > | > | | > | > | > The only I see, is what if I don't want to change my login
info,
| > but I
| > | > am
| > | > | > being force to type something anyway.
| > | > | >
| > | > | > Also once I have logged in, I shouldn't need to log in
anywhere
| > else
| > | > on
| > | > | > the site during my current session.
| > | > | >
| > | > | > Suggestion: Links and heading font colors should not be the
same.
| > | > | >
| > | > | > --
| > | > | > ==============================================
| > | > | > Thomas A. Rowe (Microsoft MVP - FrontPage)
| > | > | > ==============================================
| > | > | > If you feel your current issue is a results of installing
| > | > | > a Service Pack or security update, please contact
| > | > | > Microsoft Product Support Services:
| > | > | > http://support.microsoft.com
| > | > | > If the problem can be shown to have been caused by a
| > | > | > security update, then there is usually no charge for the call.
| > | > | > ==============================================
| > | > | >
| > | > | > | > | > | >> Hi
| > | > | >> Can you please tell me of any security issues with this
change
| > | > details
| > | > | >> method
| > | > | >> Login "testing" password "testing"
| > | > | >>
| > | >
| >
http://www.ingenious-group.com/user_database_reg_/changedetailslogin1.asp
| > | > | >>
| > | > | >> The login is a basic select query created by the DRW which
| > produces a
| > | > | >> form as its results which passes its data to an update
asp.The
| > update
| > | > asp
| > | > | >> is the one that the DIW uses,I have simply removed the login
asa
| > inc
| > | > file
| > | > | >> I am conserned about the hidden ID field which is near the
| > bottom of
| > | > the
| > | > | >> form on
| > | > | >>
| > http://www.ingenious-group.com/user_database_reg_/changedetails1.asp
| > | > | >> You will need to login to create the form Username "testing"
| > password
| > | > | >> "testing"
| > | > | >> Thankyou
| > | > | >> Paul M
| > | > | >>
| > | > | >>
| > | > | >
| > | > | >
| > | > |
| > | > |
| > | >
| > | >
| > |
| > |
| >
| >
|
|
Click to expand...
 
S

Stefan B Rusynko

Can not be done with wizards
- as you point out it requires more ASP coding
- but is essentially no different than your log in coding

When they try to add a new user name thru a form
- Before you write to DB
- You check for a record found in the DB (using the EOF for not found)
- If it is not found you know it is not a dupe and can then write it to the DB
- If it is found then it is a dupe you send them back to the form w/ an error message to tell them it is a dupe

In the simplest way you would:

Open your DB connection same as login based on just the new username from the form, then check for the record not existing

If objRS.EOF Then
objRS.Close
Set objRS = Nothing
'Not a dupe - insert your DB update here
strMsg = "<p>Your account has been created</p>"
Else
objRS.Close
Set objRS = Nothing
'Is a dupe - redirect them w/ the error message as a parameter for the form page
'or just inform them
strMsg = "<p>User Name already exists, your account was not created</p>"
strMsg = strMsg & "<p>Use your back key to try another one</p>"
End If
Response.Write strMsg




| Thanks Stefan
| This is all getting a bit advanced.
| is there an easy way to do it?
| best wishes
| Paul M
| | > Yes the form at http://www.ingenious-group.com/databasesearch_reg.asp
| > Setting the DB to allow only unique fields will stop duplicates, but will
| > also generate user errors in ASP
| > - you should actually be preventing the errors by checking for the dupes
| > in ASP before you attempt to write to the DB
| >
| > --
| >
| > _____________________________________________
| > SBR @ ENJOY (-: [ Microsoft MVP - FrontPage ]
| > "Warning - Using the F1 Key will not break anything!" (-;
| > To find the best Newsgroup for FrontPage support see:
| > http://www.net-sites.com/sitebuilder/newsgroups.asp
| > _____________________________________________
| >
| >
| > | > | Thanks Stefan
| > | I will set the database fields to no duplicates. when you say the form,
| > its
| > | the normal registration form at databasesearch_reg.asp?
| > | Thanks again
| > | | > | > 1) See http://www.w3schools.com/asp/asp_sessions.asp
| > | > 2) No injection needed, just used your form (since you don't server
| > side
| > | > validate anything)
| > | >
| > | > Why bother to have a login in at all if anyone can create an identify
| > and
| > | > the info you are showing is not managed in some way
| > | >
| > | > _____________________________________________
| > | > SBR @ ENJOY (-: [ Microsoft MVP - FrontPage ]
| > | > "Warning - Using the F1 Key will not break anything!" (-;
| > | > To find the best Newsgroup for FrontPage support see:
| > | > http://www.net-sites.com/sitebuilder/newsgroups.asp
| > | > _____________________________________________
| > | >
| > | >
| > | > | > | > | Thanks Stefan
| > | > | How can I pass the ID as a session variable
| > | > | Did you create the duplicate with some Sql injection
| > | > | Paul M
| > | > | | > | > | > Re the hidden field
| > | > | > There is no valid reason for exposing the record ID in the form as
| > a
| > | > | > hidden field when you can pass it as a session variable (from
| > | > | > the login page)
| > | > | >
| > | > | > But since any one can register (and while they are at it also
| > create a
| > | > | > duplicate userID & password) it means you have no control
| > | > | > over what record they may be editing (other than the 1st record
| > that
| > | > | > happens to match)
| > | > | > - if you check your DB you will probably find 2 users w/ the
| > username
| > | > &
| > | > | > password of "testing", since I was allowed to create a
| > | > | > second user w/o any errors
| > | > | >
| > | > | > The point that Thomas & I have been making is you can only go so
| > far
| > | > w/
| > | > | > the DBRW and DIW
| > | > | > - and IMHO for what you are trying to do you will need to learn to
| > | > write
| > | > | > not only safe code but code that does not break database
| > | > | > integrity (and that can't be done w/ just the wizards)
| > | > | >
| > | > | > --
| > | > | >
| > | > | > _____________________________________________
| > | > | > SBR @ ENJOY (-: [ Microsoft MVP - FrontPage ]
| > | > | > "Warning - Using the F1 Key will not break anything!" (-;
| > | > | > To find the best Newsgroup for FrontPage support see:
| > | > | > http://www.net-sites.com/sitebuilder/newsgroups.asp
| > | > | > _____________________________________________
| > | > | >
| > | > | >
| > | > | > | > | > | > | Thanks Thomas
| > | > | > | That's something to work on next but for now I need to know if
| > the
| > | > form
| > | > | > | which appears when you retrieve you information is safe. I am
| > not
| > | > sure
| > | > | > | about hidden fields and such being a security issue
| > | > | > | If they are is there a way of totally hiding them from the page
| > when
| > | > you
| > | > | > | view the source
| > | > | > | Paul M
| > | > | > | | > | > | > | > The only I see, is what if I don't want to change my login
| > info,
| > | > but I
| > | > | > am
| > | > | > | > being force to type something anyway.
| > | > | > | >
| > | > | > | > Also once I have logged in, I shouldn't need to log in
| > anywhere
| > | > else
| > | > | > on
| > | > | > | > the site during my current session.
| > | > | > | >
| > | > | > | > Suggestion: Links and heading font colors should not be the
| > same.
| > | > | > | >
| > | > | > | > --
| > | > | > | > ==============================================
| > | > | > | > Thomas A. Rowe (Microsoft MVP - FrontPage)
| > | > | > | > ==============================================
| > | > | > | > If you feel your current issue is a results of installing
| > | > | > | > a Service Pack or security update, please contact
| > | > | > | > Microsoft Product Support Services:
| > | > | > | > http://support.microsoft.com
| > | > | > | > If the problem can be shown to have been caused by a
| > | > | > | > security update, then there is usually no charge for the call.
| > | > | > | > ==============================================
| > | > | > | >
| > | > | > | > | > | > | > | >> Hi
| > | > | > | >> Can you please tell me of any security issues with this
| > change
| > | > | > details
| > | > | > | >> method
| > | > | > | >> Login "testing" password "testing"
| > | > | > | >>
| > | > | >
| > | >
| > http://www.ingenious-group.com/user_database_reg_/changedetailslogin1.asp
| > | > | > | >>
| > | > | > | >> The login is a basic select query created by the DRW which
| > | > produces a
| > | > | > | >> form as its results which passes its data to an update
| > asp.The
| > | > update
| > | > | > asp
| > | > | > | >> is the one that the DIW uses,I have simply removed the login
| > asa
| > | > inc
| > | > | > file
| > | > | > | >> I am conserned about the hidden ID field which is near the
| > | > bottom of
| > | > | > the
| > | > | > | >> form on
| > | > | > | >>
| > | > http://www.ingenious-group.com/user_database_reg_/changedetails1.asp
| > | > | > | >> You will need to login to create the form Username "testing"
| > | > password
| > | > | > | >> "testing"
| > | > | > | >> Thankyou
| > | > | > | >> Paul M
| > | > | > | >>
| > | > | > | >>
| > | > | > | >
| > | > | > | >
| > | > | > |
| > | > | > |
| > | > | >
| > | > | >
| > | > |
| > | > |
| > | >
| > | >
| > |
| > |
| >
| >
|
|
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Security help please 7
Session Timeout ASP 11
Help with tracking user without enforcing security 4
form submit to SQL Server w/Database wizard 7
Need Help With Security 3
Adding Permissions to custom security setup 3
MicroSoft Access Data Connection Security 2
editing database with frontpage 1

Top