Re: Replace context problem ...
This WebDNA talk-list message is from 1997
It keeps the original formatting.
numero = 12529
interpreted = N
texte =

>It seems that you have run into the problem I had the other day regarding
>$Delete. I wanted to have an 'Admin Delete' function to delete records
>entered by someone else.

Hi Glenn,

I've run into problems with this situation several times over the past 6-9 months, but mostly because I didn't really understand the hierarchy WebCat uses to check username and password values in this special situation - until now, that is.

A long time ago, Grant created a special security feature for databases that have both a username and password field - because he wanted records in those databases to be protected from random deletion by unauthorized users who might decide to type in a $delete command into Netscape ... and thereby trash the database.

Back then, PCS recommended creating databases with both username and password fields, because this would make it impossible for someone to use $replace or $delete to change or delete a record unless that person had also entered the proper username/password values for the record they were trying to replace or delete.

Of course, this was done before PCS added the CommandSecurity feature. Now that the CommandSecurity feature is available, that 'special case scenario' with the username and password fields doesn't seem so important anymore ... and in fact it causes problems for the administrators of a site that has this situation.

As the administrator of my web site I would like to be able to update ANY record in ANY database. This seems like a reasonable request, right?

Okay, so in order to do that, first I have to type my own username/password into the browser's authentication box in order to access the [protected] page for my admin replace template. So far, so good. I enter MY admin username and password into the browser's authenticate box and I can then access the replace form.

But WebCat doesn't let me replace that data ... no matter how hard I try ... because it insists on using the same username/password values I typed in earlier to compare them with the username/password values in the database record I'm trying to replace ... and since MY username/password values are different from this particular database record's username/password values, WebCat2 refuses to replace the data I want it to replace.

I *thought* that by putting &username=[user]&password=[pass] into the replace context, that would tell WebCat2 to use THOSE values instead of the values already cached in the browser. But it doesn't work that way.

Instead, WebCat2 ignores whatever values I tell it to use, and instead, it uses the username/password values in the browser's cache - every time. In this situation, there's apparently no way I can get WebCat2 to use the values I want it to use - it's always going to use the values cached in the browser - no matter what.

Of course, I don't have to name the fields in my database 'username' and 'password'. The users.db that comes with WebCat2 names those fields 'user' and 'pass' instead ... probably to avoid this problem altogether.

If there's no longer a security risk by keeping the field names 'username' and 'password' out of my databases, that's what I'll do ... :)

>Perhaps changing to:
>
>[replace db=xxx.db&SKUdata=[SKU]&username=[username]&password=[password]]fieldValuesHere[/replace]
>
>would make the difference.

Yeah, I spent about three hours on this the other day, and I tried everything - including this. But it doesn't make any difference what you do. As long as you have previously entered a username and password into the browser's authenticate box, you're not going to be able to change any of the data in a database that has fields named username and password ... except for records that actually have the same username and password values, of course.

I was asking Grant if it would make sense to make WebCat2 use the username/password values I'm trying to get it to use - before trying to use the browser's username/password values. I don't know how the WebCat2 code is written, though, so I don't know if this is even possible.

Maybe it's just more practical to change my field names in my databases to something other than 'username' and 'password', and then this won't happen anymore. As long as the security risks are dealt with properly in other ways, this may very well be the way to go from now on ...

Sincerely, Ken Grome
WebDNA Solutions
http://www.hui.net/dna/webdna.html
Kenneth Grome
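
The check order described in the message above, modelled in Python as an added example (this is not WebCat code and not part of the original message). The sample records, the user names, the `ADMINS` list and the `role_aware_allows` alternative are assumptions made for illustration.

```python
"""Model of the access rule described in the message (not WebCat code)."""
import hmac
from dataclasses import dataclass, field

@dataclass
class Request:
    auth_user: str   # HTTP Basic credentials cached by the browser
    auth_pass: str
    params: dict = field(default_factory=dict)  # pairs written into [replace ...]

def _same(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time compare

def legacy_allows(record: dict, req: Request) -> bool:
    """Record-level rule as the message describes it."""
    if not all(k in record for k in ("username", "password")):
        return True  # the special case only applies to these two field names
    # req.params is never read: the message reports that &username=...&password=...
    # in the replace context is ignored in favour of the browser's credentials.
    return (_same(req.auth_user, record["username"])
            and _same(req.auth_pass, record["password"]))

ADMINS = {"ken"}  # hypothetical admin list (assumption)

def role_aware_allows(record: dict, authenticated_user: str,
                      owner_field: str = "username") -> bool:
    """Assumed alternative: admins may change any record, others only their own."""
    if authenticated_user in ADMINS:
        return True
    owner = record.get(owner_field)
    return owner is not None and _same(authenticated_user, owner)

# Constructed sample data
RECORD = {"SKUdata": "1001", "username": "glenn", "password": "glennpw"}
RENAMED = {"SKUdata": "1001", "user": "glenn", "pass": "glennpw"}
ADMIN_REQ = Request("ken", "adminpw", {"username": "glenn", "password": "glennpw"})
OTHER_REQ = Request("mallory", "x")

if __name__ == "__main__":
    print("admin, legacy rule:          ", legacy_allows(RECORD, ADMIN_REQ))
    print("other user, renamed fields:  ", legacy_allows(RENAMED, OTHER_REQ))
    print("admin, role-aware rule:      ", role_aware_allows(RECORD, "ken"))
    print("other user, role-aware rule: ",
          role_aware_allows(RENAMED, "mallory", owner_field="user"))
```

In this model, renaming the fields makes the legacy rule stop applying to every user, not only the administrator, so the protection has to come from a separate command-level check.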