[pmwiki-devel] DataQuery development (was: page text variables in edit form?)
Crisses
crisses at kinhost.org
Sat Nov 4 11:36:41 CST 2006
On Nov 4, 2006, at 11:31 AM, Ben Stallings wrote:
> Crisses wrote:
>> Allow the admin to make changes to some fields, or *maybe* assign
>> the user a new password (which would require encryption before
>> being saved to the database, however -- will that be able to be
>> readily accounted for?).
>
> It certainly should be, but it hasn't been a priority for me yet.
> Currently I'm trying to use ADOdb's excellent, elegant Replace()
> function for writing records, because it means that I can just dump
> the $page array directly into the function without further processing
I haven't seen what you're doing, so I'm not sure where $page is
coming from... but I'm sure you know all user-submitted info needs
to be checked.
> , since it just ignores any field names that don't match. (I
> looked at Active Record as well, but Replace meets my needs
> better.) But to get the kind of data integrity I'm hoping for,
> I'll need to check the incoming data either on the client side with
> Javascript or on the server side prior to writing the data (or both).
People can either 1) turn off JS or 2) work around it. You can't
trust JS. You can use both, but if you have to choose one, all data
checks must be server-side. Whether it works in a browser is one
thing. Most geeks I know turn it off to avoid advertising, for
example -- I would too but I'm a web designer, so I actually need to
see sites in their entirety...
Unscrupulous folks will read your JS, figure out where it's sending
the data, and in what format, and be able to write a 3rd-party script
to submit info and see if there are any vulnerabilities in your programs.
> Javascript has the disadvantage of not working on every single
> platform ever devised. But it does work on 99.5% of them, and as
> far as password-encrypting goes, it offers the appealing option of
> encrypting the password *before* it gets transmitted, so that the
> password is never sent as plain text. Thoughts?
Nah -- I'm not worried about security for government institutions,
etc. I'm thinking plain-text transfer the password -- which is what
it does now -- and it's encrypted on the server side (simple MD5 for
example) and stored in a database. It's more about keeping
wikispambots out than major security.
So I would want a hook between form submission and data being sent to
the database. There will be many times I'd need a hook there anyway,
to do other things.
>> P.S. I need to stop eating Halloween candy over my keyboard ;)
>
> Was it Mac OS or Windows that used to have an accessibility feature
> called StickyKeys? :-) --Ben
LOL
I think that's a cross-platform feature. ;)
Crisses
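The point made above (client-side checks can be skipped, so the decisive validation has to sit between form submission and the database write) is illustrated by the following server-side hook. This is an added example, not code from the thread, from PmWiki or from ADOdb; the field names, length limits and the `$db->Replace()` call shown in a comment are assumptions, and it hashes the password with PHP's `password_hash()` rather than the MD5 the reply mentions.

```php
<?php
// Added example: a server-side check that runs between form submission and
// the database write. Field names ("user", "email", "password") and the
// limits below are assumptions, not PmWiki's or ADOdb's.

declare(strict_types=1);

// Whitelist of fields the form may set, with the rule for each. Anything
// not listed is dropped, so a submission crafted outside the browser cannot
// set columns the form never offered.
const FIELD_RULES = [
    'user'     => ['max' => 32,  'pattern' => '/^[A-Za-z0-9_.-]+$/'],
    'email'    => ['max' => 254, 'filter'  => FILTER_VALIDATE_EMAIL],
    'password' => ['min' => 8,   'max'     => 128],
];

/**
 * Validate raw form input on the server. Returns
 *   ['ok' => bool, 'record' => array, 'errors' => array]
 * where 'record' holds only whitelisted, checked fields and the password
 * has already been replaced by its hash.
 */
function validateSubmission(array $input): array
{
    $record = [];
    $errors = [];

    foreach (FIELD_RULES as $field => $rule) {
        if (!array_key_exists($field, $input)) {
            continue;                          // field is optional on this form
        }
        $value = $input[$field];
        if (!is_string($value)) {              // reject field[]= style arrays
            $errors[$field] = 'must be a string';
            continue;
        }
        $len = strlen($value);
        if (isset($rule['min']) && $len < $rule['min']) {
            $errors[$field] = "shorter than {$rule['min']} characters";
            continue;
        }
        if (isset($rule['max']) && $len > $rule['max']) {
            $errors[$field] = "longer than {$rule['max']} characters";
            continue;
        }
        if (isset($rule['pattern']) && !preg_match($rule['pattern'], $value)) {
            $errors[$field] = 'contains disallowed characters';
            continue;
        }
        if (isset($rule['filter']) && filter_var($value, $rule['filter']) === false) {
            $errors[$field] = 'is not valid';
            continue;
        }
        // Never store the plaintext password: hash it here, on the server.
        // (The thread mentions MD5; password_hash() is used in this example.)
        $record[$field] = ($field === 'password')
            ? password_hash($value, PASSWORD_DEFAULT)
            : $value;
    }

    return ['ok' => empty($errors), 'record' => $record, 'errors' => $errors];
}

// Constructed sample input standing in for $_POST. The "role" field is not
// part of the form; the whitelist silently drops it.
$submitted = [
    'user'     => 'crisses',
    'email'    => 'crisses@example.org',
    'password' => 'correct horse battery',
    'role'     => 'admin',
];

$result = validateSubmission($submitted);
if ($result['ok']) {
    // Only now hand the checked record to the database layer, e.g. with
    // ADOdb (assumed call): $db->Replace('users', $result['record'], 'user', true);
    print_r(array_keys($result['record']));    // user, email, password
} else {
    print_r($result['errors']);
}
```

Because the whitelist is applied before anything reaches `Replace()`, the "ignores field names that don't match" behaviour of the database layer is no longer the only thing standing between a forged request and the table; the same function can be reused as the hook point mentioned above for any other pre-write processing.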