[pmwiki-devel] DataQuery development (was: page text variables in edit form?)

Crisses crisses at kinhost.org
Sat Nov 4 11:36:41 CST 2006


On Nov 4, 2006, at 11:31 AM, Ben Stallings wrote:

> Crisses wrote:
>> Allow the admin to make changes to some fields, or *maybe* assign  
>> the user a new password (which would require encryption before  
>> being saved to the database, however -- will that be able to be  
>> readily accounted for?).
>
> It certainly should be, but it hasn't been a priority for me yet.  
> Currently I'm trying to use ADOdb's excellent, elegant Replace()  
> function for writing records, because it means that I can just dump  
> the $page array directly into the function without further processing

I haven't seen what you're doing, so I'm not sure where $page is  
coming from.... but I'm sure you know all user-submitted info needs  
to be checked....

> , since it just ignores any field names that don't match.  (I  
> looked at Active Record as well, but Replace meets my needs  
> better.)  But to get the kind of data integrity I'm hoping for,  
> I'll need to check the incoming data either on the client side with  
> Javascript or on the server side prior to writing the data (or both).

People can either 1) turn off JS or 2) work around it.  You can't  
trust JS.  You can use both, but if you have to choose one, all data  
checks must be server-side.  Whether it works in a browser is one  
thing.  Most geeks I know turn it off to avoid advertising, for  
example -- I would too but I'm a web designer, so I actually need to  
see sites in their entirety...

Unscrupulous folks will read your JS, figure out where it's sending  
the data, and in what format, and be able to write a 3rd-party script  
to submit info and see if there are any vulnerabilities in your programs.

> Javascript has the disadvantage of not working on every single  
> platform ever devised.  But it does work on 99.5% of them, and as  
> far as password-encrypting goes, it offers the appealing option of  
> encrypting the password *before* it gets transmitted, so that the  
> password is never sent as plain text.  Thoughts?

Nah -- I'm not worried about security for government institutions,  
etc.  I'm thinking plain-text transfer of the password -- which is what  
it does now -- and it's encrypted on the server side (simple MD5, for  
example) and stored in a database.  It's more about keeping  
wikispambots out than major security.

So I would want a hook between form submission and data being sent to  
the database.  There will be many times I'd need a hook there anyway,  
to do other things.

>> P.S. I need to stop eating halloween candy over my keyboard ;)
>
> Was it Mac OS or Windows that used to have an accessibility feature  
> called StickyKeys?  :-)  --Ben

LOL

I think that's a cross-platform feature. ;)

Crisses
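The hook the message asks for, "between form submission and data being sent to the database", as an added example that is not part of the original thread and is neither PmWiki's nor ADOdb's code: it whitelists the submitted fields against a hypothetical user schema, validates each one on the server (so it does not matter whether the browser ran any JavaScript), hashes the password before the record is handed to the write layer, and drops any extra keys a tampering client added. The field names, the `$writeRecord` callback standing in for ADOdb's Replace(), and the sample submissions are assumptions. It uses PHP's password_hash() (bcrypt by default) in place of the plain MD5 mentioned above; that is a deliberate swap, not what the thread describes.

```php
<?php
// Added example, not PmWiki or ADOdb code. Hypothetical schema and callbacks.
declare(strict_types=1);

/** Allowed columns and a server-side validator for each (hypothetical schema). */
function userFieldRules(): array
{
    return [
        'username' => fn($v) => is_string($v) && preg_match('/^[A-Za-z0-9_]{3,32}$/', $v) === 1,
        'email'    => fn($v) => is_string($v) && filter_var($v, FILTER_VALIDATE_EMAIL) !== false,
        // The password is validated here but never stored as submitted.
        'password' => fn($v) => is_string($v) && strlen($v) >= 8,
    ];
}

/**
 * Pre-write hook. Returns the cleaned record to pass to the DB layer, or throws
 * if the submission fails validation. Relies on nothing the client did.
 */
function prepareUserRecord(array $submitted): array
{
    $rules  = userFieldRules();
    $record = [];
    foreach ($rules as $field => $isValid) {
        if (!array_key_exists($field, $submitted)) {
            continue; // partial updates are fine; missing fields stay untouched
        }
        if (!$isValid($submitted[$field])) {
            throw new InvalidArgumentException("invalid value for field '$field'");
        }
        $record[$field] = $submitted[$field];
    }
    // Keys not in the whitelist (e.g. an injected 'is_admin') never reach the DB,
    // regardless of whether Replace() would have ignored them.
    if (isset($record['password'])) {
        // bcrypt with a per-password salt; replaces the MD5 mentioned in the thread.
        $record['password'] = password_hash($record['password'], PASSWORD_DEFAULT);
    }
    return $record;
}

// Stand-in for the database write (hypothetical; the real code would call
// ADOdb's Replace() with the cleaned array).
$writeRecord = function (string $table, array $row): void {
    echo "REPLACE INTO $table, columns: " . implode(', ', array_keys($row)) . "\n";
};

// Constructed sample 1: JS checks bypassed and an extra field slipped in.
$tampered = [
    'username' => 'crisses',
    'email'    => 'crisses@example.org',
    'password' => 'hunter2hunter2',
    'is_admin' => '1',
];

// Constructed sample 2: a bot posting directly with a bogus username.
$botPost = [
    'username' => "'; DROP TABLE users; --",
    'password' => 'x',
];

foreach ([$tampered, $botPost] as $submitted) {
    try {
        $record = prepareUserRecord($submitted);
        $writeRecord('users', $record);
        echo 'stored hash verifies: '
            . (password_verify('hunter2hunter2', $record['password']) ? 'yes' : 'no') . "\n";
        echo 'is_admin stored: ' . (isset($record['is_admin']) ? 'yes' : 'no') . "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
}
```

Run it with `php hook.php`: the first submission is written with only the three whitelisted columns and a bcrypt hash, and the second is rejected before anything touches the database. The same function would be called from whatever point in the form handler sits before Replace(), which is the hook the message describes.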


