Protecting your application: Update my Account

Author: Günter Schenk, Added: 13.02.2008, Updated: 22.02.2008


Table Of Contents

Title Version
Introduction n/a
Doing it the wrong way n/a
Do it the right way n/a


print this page... 1. Introduction


One of the frequently asked questions posted in the Adobe Dreamweaver Developer Toolbox forums goes like this :: "my user registration system is nearly perfect, but how can I have my users edit their profile data ?"

This is basically easy, as all you´d need to create is a page containing an ADDT "Update Record Form", which references those "login" table columns you´d like your users to grant update access.

As this seems pretty trivial, you might wonder why I´m wasting my time writing a tutorial about this -- well, I will not walk you through the creation of an Update Record form, but I´ll tell you about something fundamental :: data security !

jump to page top...


print this page... 2. Doing it the wrong way


When planning this feature, the basic question is :: how can I make sure that the "update_my_account.php" page detects the "login" table´s Primary Key, so it knows what account it´s supposed to update ?

Some of you might think it´s OK to establish a link to this form and attach ADDT´s session variable "kt_login_id" as URL parameter, like displayed next:

not recommended: passing the kt_login_id session variable via a link



This will of course work, but this approach is a HUGE security hole :: the session variable´s numeric value will be revealed in the browser´s address bar:


...because everyone can change this value in the displayed URL


The problem with this is :: whatever is getting displayed here, can be easily modified -- means that changing the displayed value to e.g. "2" and reloading the form will enable your users to access and update the data of someone else:


...and reload the form using a different value


Improving your system´s security also means to safeguard the "update_my_account.php" form accordingly -- so rather than accepting the "Update Record Form" wizard´s default "Primary key equals: URL Parameter" suggestion...

bad practice in this context: accepting the Primary key as URL parameter

...we´re going to...

jump to page top...


print this page... 3. Do it the right way


As ADDT´s session variable "kt_login_id" will always be at our disposal, there´s no reason to pass it from one page to another -- that said, just have the Update Record Form Wizard´s "Primary Key equals" section match this Session Variable:

recommended practice: make the Primary key equal the session variable kt_login_id


As displayed next, the form´s URL will now no longer reveal any alterable information:


the browsers address bar will now no longer display any risky stuff


...and I´m sure you will agree that this is indeed one immense gain in security !

jump to page top...


Copyright Note:
This tutorial and all related material (files, images etc) are licensed under a
Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License
Contact:
info @ guenter-schenk.com