[ic] Controlling access to tables

Mike Heins mikeh@minivend.com
Mon, 16 Oct 2000 18:37:53 -0400


Quoting Marcus Weseloh (marcus@slightlydifferent.co.uk):
> > I have a table containing personal client information and want each 
> > client to be able to access just his own data. While that is not a 
> > problem, I fear that security is not very high as other users could guess 
> > the table name and (if they know minivend/interchange) display all the 
> > data in that table using commands in a URL.
> 
> Sorry, forget that. I just didn't think straight. I thought a one-click scan 
> of a table would just return the data, but of course it uses a result page 
> into which I can put conditionals. Next time I will think before posting to 
> the list.
> 

Actually, you are right to worry. Consider:

	[page scan
		st=db
		fi=userdb
		ra=yes
		rf=credit_card_number] Show CC [/page]

(Of course that is completely bogus, but you get the idea.)

You could get the data back in the [item-code], since rf allows
you to set the field returned as code.

In Interchange, though, you can set:

    NoSearch   userdb  your_private_table

(Default is userdb.)

At that point, you can't search those tables by URL. You can
override the setting for a certain page with

    [calc]$Config->{NoSearch} = ''[/calc]


-- 
Akopia, Inc., 131 Willow Lane, Floor 2, Oxford, OH  45056
phone +1.513.523.7621 fax 7501 <heins@akopia.com>

I have a cop friend who thinks he ought be able to give a new ticket;
"too dumb for conditions".
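
Added example, not part of the original message or of Interchange itself: a log check that reads the `NoSearch` list from catalog configuration text and flags requests whose scan parameters name one of those tables. The URL layout (parameters as `/`-separated path segments or as a query string), the long parameter names `mv_search_file` and `mv_return_fields`, the access-log format, and all sample data are assumptions made for the example.

```python
import re
from urllib.parse import unquote, urlsplit

FILE_KEYS = ("fi", "mv_search_file")       # table a scan reads from
FIELD_KEYS = ("rf", "mv_return_fields")    # fields the scan returns

def parse_nosearch(cfg_text):
    """Tables named on NoSearch lines; the message gives userdb as the default."""
    tables = set()
    for line in cfg_text.splitlines():
        parts = line.split()
        if parts and parts[0].lower() == "nosearch":
            tables.update(parts[1:])
    return tables or {"userdb"}

def scan_params(target):
    """Collect key=value pairs from '/'-separated path segments and the query."""
    url = urlsplit(target)
    tokens = re.split(r"[/&;]", unquote(url.path)) + re.split(r"[&;]", unquote(url.query))
    params = {}
    for tok in tokens:
        key, sep, value = tok.partition("=")
        if sep:
            params.setdefault(key.strip(), []).append(value.strip())
    return params

def flag_requests(log_lines, protected):
    """Return (client, protected tables named, return fields) per matching request."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if not m:
            continue
        params = scan_params(m.group(1))
        named = {t for k in FILE_KEYS for v in params.get(k, [])
                 for t in re.split(r"[,\s]+", v) if t}
        if named & protected:
            fields = [v for k in FIELD_KEYS for v in params.get(k, [])]
            hits.append((line.split()[0], sorted(named & protected), fields))
    return hits

# Constructed sample data (not from the original message).
CATALOG_CFG = "NoSearch   userdb  your_private_table\n"
ACCESS_LOG = [
    '203.0.113.7 - - [16/Oct/2000:18:40:01 -0400] "GET /cgi-bin/shop/scan/st=db/fi=userdb/ra=yes/rf=credit_card_number HTTP/1.0" 200 512',
    '203.0.113.7 - - [16/Oct/2000:18:40:09 -0400] "GET /cgi-bin/shop/scan/st=db/fi=products/se=widget HTTP/1.0" 200 2048',
    '198.51.100.9 - - [16/Oct/2000:18:41:30 -0400] "GET /cgi-bin/shop/search?mv_search_file=your_private_table&mv_return_fields=email HTTP/1.0" 200 300',
]

if __name__ == "__main__":
    for hit in flag_requests(ACCESS_LOG, parse_nosearch(CATALOG_CFG)):
        print(hit)
```

Requests that name a `NoSearch` table are worth reviewing even when the directive is in place, since a page that resets `$Config->{NoSearch}` as shown in the message is searchable again.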