Re: Replace context problem ...

This WebDNA talk-list message is from

1997

It keeps the original formatting. numero = 12529
interpreted = N
texte = >It seems that you have run into the problem I had the other day regarding>$Delete. I wanted to have an 'Admin Delete' function to delete records>enter by someone else.Hi Glenn,I've run into problems with this situation several times over the past 6-9months, but mostly because I didn't really understand the hierarchy WebCatuses to check username and password values in this special situation -until now, that is.A long time ago, Grant created a special security feature for databasesthat have both a username and password field - because he wanted records inthose databases to be protected from random deletion by unauthorized userswho might decide to type in a $delete command into Netscape ... and therebytrash the database.Back then, PCS recommended creating databases with both username andpassword fields, because this would make it impossible for someone to use$replace or $delete to change or delete a record unless that person hadalso entered the proper username/password values for the record they weretrying to replace or delete.Of course, this was done before PCS added the CommandSecurity feature.Now that the CommandSecurity feature is available, that 'special casescenario' with the username and password fields doesn't seem so importantanymore ... and in fact it causes problems for the administrators of a sitethat has this situation.As the administrator of my web site I would like to be able to update ANYrecord in ANY database. This seems like a reasonable request, right?Okay, so in order to do that, first I have to type my own username/passwordinto the browser's authentication box in order to access the [protected]page for my admin replace template. So far, so good. I enter MY adminusername and password into the browser's authenticate box and I can thenaccess the replace form.But WebCat doesn't let me replace that data ... no matter how hard I try... because it insists on using the same username/password valuesI typed inearlier to compare them with the username/password values in the databaserecord I'm trying to replace ... and since MY username/password values aredifferent from this particular database record's username/password values,WebCat2 refuses to replace the data I want it to replace.I *thought* that by putting &username=[user]&password=[pass] into thereplace context, that would tell WebCat2 to use THOSE values instead of thevalues already cached in the browser. But it doesn't work that way.Instead, WebCat2 ignore whatever values I tell it to use, and instead, ituses the username/password values in the browser's cache - every time. Inthis situation, there's apparently no way I can get WebCat2 to use thevalues I want it to use - it's always going to use the values cached in thebrowser - no matter what.Of course, I don't have to name the fields in my database 'username' and'password'. The users.db that comes with WebCat2 names those fields 'user'and 'pass' instead ... probably to avoid this problem altogether.If there's no longer a security risk by keeping the field names 'username'and 'password' out of my databases, that's what I'll do ... :)>Perhaps changing to:>>[replace>db=xxx.db&SKUdata=[SKU]&username=[username]&password=[password]]fieldValuesHere>[>/replace]>>would make the differance.Yeah, I spent about three hours on this the other day, and I triedeverything - including this. But it doesn't make any difference what youdo. As long as you have previously entered a username and password into thebrowser's authenticate box, you're not going to be able to change any ofthe data in a database that has fields named username and password ...except for records that actually have the same username and passwordvalues, of course.I was asking Grant if it would make sense to make WebCat2 use theusername/password values I'm trying to get it to use - before trying to usethe browser's username/password values. I don't know how the WebCat2 codeis written, though, so I don't know if this even possible.Maybe it's just more practical to change my field names in my databases tosomething other than 'username' and 'password', and then this won't happenanymore. As long as the security risks are dealt with properly in otherways, this may very well be the way to go from now on ...Sincerely, Ken GromeWebDNA Solutionshttp://www.hui.net/dna/webdna.html Associated Messages, from the most recent to the oldest:

Re: Replace context problem ... (Glenn Davis 1997)
Re: Replace context problem ... (Kenneth Grome 1997)
Re: Replace context problem ... (Glenn Davis 1997)
Replace context problem ... and answers (Kenneth Grome 1997)
Replace context problem ... (Kenneth Grome 1997)

>It seems that you have run into the problem I had the other day regarding>$Delete. I wanted to have an 'Admin Delete' function to delete records>enter by someone else.Hi Glenn,I've run into problems with this situation several times over the past 6-9months, but mostly because I didn't really understand the hierarchy WebCatuses to check username and password values in this special situation -until now, that is.A long time ago, Grant created a special security feature for databasesthat have both a username and password field - because he wanted records inthose databases to be protected from random deletion by unauthorized userswho might decide to type in a $delete command into Netscape ... and therebytrash the database.Back then, PCS recommended creating databases with both username andpassword fields, because this would make it impossible for someone to use$replace or $delete to change or delete a record unless that person hadalso entered the proper username/password values for the record they weretrying to replace or delete.Of course, this was done before PCS added the CommandSecurity feature.Now that the CommandSecurity feature is available, that 'special casescenario' with the username and password fields doesn't seem so importantanymore ... and in fact it causes problems for the administrators of a sitethat has this situation.As the administrator of my web site I would like to be able to update ANYrecord in ANY database. This seems like a reasonable request, right?Okay, so in order to do that, first I have to type my own username/passwordinto the browser's authentication box in order to access the [protected]page for my admin replace template. So far, so good. I enter MY adminusername and password into the browser's authenticate box and I can thenaccess the replace form.But WebCat doesn't let me replace that data ... no matter how hard I try... because it insists on using the same username/password valuesI typed inearlier to compare them with the username/password values in the databaserecord I'm trying to replace ... and since MY username/password values aredifferent from this particular database record's username/password values,WebCat2 refuses to replace the data I want it to replace.I *thought* that by putting &username=[user]&password=[pass] into thereplace context, that would tell WebCat2 to use THOSE values instead of thevalues already cached in the browser. But it doesn't work that way.Instead, WebCat2 ignore whatever values I tell it to use, and instead, ituses the username/password values in the browser's cache - every time. Inthis situation, there's apparently no way I can get WebCat2 to use thevalues I want it to use - it's always going to use the values cached in thebrowser - no matter what.Of course, I don't have to name the fields in my database 'username' and'password'. The users.db that comes with WebCat2 names those fields 'user'and 'pass' instead ... probably to avoid this problem altogether.If there's no longer a security risk by keeping the field names 'username'and 'password' out of my databases, that's what I'll do ... :)>Perhaps changing to:>>[replace>db=xxx.db&SKUdata=[SKU]&username=[username]&password=[password]]fieldValuesHere>[>/replace]>>would make the differance.Yeah, I spent about three hours on this the other day, and I triedeverything - including this. But it doesn't make any difference what youdo. As long as you have previously entered a username and password into thebrowser's authenticate box, you're not going to be able to change any ofthe data in a database that has fields named username and password ...except for records that actually have the same username and passwordvalues, of course.I was asking Grant if it would make sense to make WebCat2 use theusername/password values I'm trying to get it to use - before trying to usethe browser's username/password values. I don't know how the WebCat2 codeis written, though, so I don't know if this even possible.Maybe it's just more practical to change my field names in my databases tosomething other than 'username' and 'password', and then this won't happenanymore. As long as the security risks are dealt with properly in otherways, this may very well be the way to go from now on ...Sincerely, Ken GromeWebDNA Solutionshttp://www.hui.net/dna/webdna.html Kenneth Grome

DOWNLOAD WEBDNA NOW!

Re: Replace context problem ...

1997

Top Articles:

Related Readings: