Re: Unsafe E-Mail Delete method

From: Mike Bacher
Date: Tuesday, December 31, 2002
Time: 6:28:34 pm


>You would have a problem of validating the user's login/password since the
>login/password exist within the customer table (not the services table).

I guess I'm still not following. I'm saying keep everything the way it is
now, except instead of passing a Record ID, pass the E-mail address as the
Record ID. The login/password validation could still occur, etc.

>So
>if someone knew what they were doing, they could arbitrarily
>delete/modify/change password, etc. any email as long as they knew the email
>address.

Not when you wrap the web interface in ASP/PHP like I'm doing, totally
eliminating any direct CDML/Web Companion/WSC exposure to the end user :-)

>Another issue is there are cases where the email may not be unique
>(like if an old canceled customer had the same email address).

Yeah, that would be a problem. Is there no "Internal Service ID" type of
thing that is unique to each E-mail address, regardless of whether the E-mail
address itself might be duplicated in the system? That would work too,
assuming it exists. This temporary Record ID thing is really the problem,
since it is temporary/dynamic.

--Mike


---------------------------------------------------
To subscribe, unsubscribe or to search list archive
please visit http://www.optigold.com/lists/isp.html
---------------------------------------------------
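The point the two posters are circling (a delete keyed on a guessable Record ID or a non-unique e-mail address, with the login/password living in a separate customer table) is an ownership-check problem. The following is an added illustration, not code from the thread or from the FileMaker/CDML setup under discussion; the table layout, column names and sample rows are constructed, and the stable "internal service id" is assumed to exist.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed stand-in for the thread's customer and services tables (hypothetical
# column names; the original FileMaker layout is not shown on the page).
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customer (customer_id INTEGER PRIMARY KEY, login TEXT UNIQUE,
                               pw_hash BLOB, active INTEGER);
        CREATE TABLE services (service_id INTEGER PRIMARY KEY,
                               customer_id INTEGER REFERENCES customer, email TEXT);
    """)
    for cid, login, pw, active in [(1, "alice", "a-secret", 1), (2, "old", "x", 0)]:
        db.execute("INSERT INTO customer VALUES (?,?,?,?)", (cid, login, hash_pw(pw), active))
    # Same address on a live and a cancelled account: e-mail alone is not a safe key.
    db.executemany("INSERT INTO services VALUES (?,?,?)",
                   [(10, 1, "alice@example.com"), (11, 2, "alice@example.com"),
                    (12, 1, "sales@example.com")])
    return db

def hash_pw(password, salt=None):
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def authenticate(db, login, password):
    """Return the customer_id for a valid, active login; None otherwise."""
    row = db.execute("SELECT customer_id, pw_hash FROM customer WHERE login=? AND active=1",
                     (login,)).fetchone()
    if row and hmac.compare_digest(row[1], hash_pw(password, row[1][:16])):
        return row[0]
    return None

def delete_service(db, customer_id, service_id):
    """Delete by the stable internal service id, but only a row the caller owns.
    The ownership predicate is the check: an id belonging to another customer
    simply matches nothing, whether or not the id was guessable."""
    cur = db.execute("DELETE FROM services WHERE service_id=? AND customer_id=?",
                     (service_id, customer_id))
    db.commit()
    return cur.rowcount == 1

def delete_by_email(db, customer_id, email):
    """The thread's 'pass the e-mail as the key' variant, made safe by scoping to
    the authenticated customer so the cancelled account's duplicate is untouched."""
    cur = db.execute("DELETE FROM services WHERE email=? AND customer_id=?",
                     (email, customer_id))
    db.commit()
    return cur.rowcount
```

Either key works once every delete is scoped to the customer_id returned by authenticate(); the e-mail key only becomes dangerous when that scoping is missing.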
