
Technical Support Forums

Free, outstanding support from WebAssist and your colleagues


delete a record securely

Thread began 6/03/2011 11:51 pm by dave315749 | Last modified 6/06/2011 9:57 am by Jason Byrnes | 1240 views | 9 replies |

dave315749

delete a record securely

Hello, I am setting up comments on my site for articles.

The delete behavior grabs the ID from a hidden form field in the comment to find the ID to delete. The problem is, you could also post to that page from outside and delete any record with any ID that way.

What's a better way to securely set up a delete server behavior function?


CraigR (Beta Tester)

What you do is control access to the delete page, so that only users with the appropriate rights can open the page.

Take a look at the security assist extension for more information.

securityassist/


dave315749

there is no delete page

Well, still a small problem.

1. There is no delete page; it is right on the article page. You can add a comment or delete it.
2. If I have access to the page by a membership level or group, it would still be able to be deleted by another member.


CraigR (Beta Tester)

I would do this:

Have the delete button on the article page link to a delete page (with the appropriate security).
This also allows you to prompt the user with an "are you sure you want to delete this?"

and/or

Show/hide the button on the article page, dependent on the login, so that if an admin is logged in, they can see the button; if a user (non-admin) is logged in, they can't.


dave315749

OK,

I guess I could have a popup ask if they are sure.

The only problem is, I would probably still want to do a manual query of the user ID plus the comment, to make sure it matched, and then proceed with the code, right?

I made a test page and posted to that page with the code on it, and it deleted the record from the database. Is there an easy way to modify the code for the delete server behavior so that it has to match 2 or more items in the database (instead of just 1 key column) before deleting a record?

How about a submit page plus a button behavior?


CraigR (Beta Tester)

The way I see it, if the user doesn't have the rights to access the delete option, there doesn't have to be any additional criteria for the delete server behavior.

I can't see a way to do this by accessing the Delete Record Server Behavior, though you may be able to hand code it.

I think you may need someone from WebAssist to advise further.


dave315749

Here's what I did

Craig,

I think I got it working now.

1. Post the form using the ID of the comment.
2. Recordset lookup finding the ID and also matching the session ID of the user who is logged in.
3. Set the delete record trigger to fire if the recordset is NOT EMPTY.

This way, the only person who could actually delete a comment would have to be logged in with the same user ID as the one who made it. I don't think anyone could post to the page from outside and be able to delete any records.

Does that look good to you?


CraigR (Beta Tester)

If you know the ID of the user logged in and it matches the ID associated with the post, then the user should only be able to delete their own posts.

The same logic goes for editing too.


dave315749

Yes

Yes, but the user might have made posts on other pages too, so the user would have multiple posts in the database, and therefore with a simple post someone could delete anyone's comment. So that's why I need more than one key column in the delete function, or just do it the way with a trigger.


Jason Byrnes (WebAssist)

Your articles table would need to have a column to associate the article with the user. When a new article is created, store the user's ID value in that column.

Then for the delete, create a recordset that looks up the article ID and the user's ID, and set the delete record behavior trigger to only fire if the lookup recordset is not empty.

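The thread describes two versions of the delete: the generated behavior that deletes by the posted ID alone (the opening post), and the fix that only deletes when a lookup by comment ID plus the session user's ID finds a row (dave315749's three steps and Jason Byrnes's reply). The following is an added example, not code from the forum or from WebAssist; the Dreamweaver behaviors discussed generate PHP, but this models the same two queries in Python against an in-memory sqlite3 table so it runs offline. The `comments` schema, the sample rows and the user IDs are all constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the thread): three comments owned by two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO comments (id, user_id, body) VALUES (?, ?, ?)",
        [
            (1, 100, "user 100 on article A"),
            (2, 200, "user 200 on article A"),
            (3, 100, "user 100 on article B"),
        ],
    )
    conn.commit()
    return conn


def delete_by_id_only(conn, posted_comment_id):
    """The behavior the thread starts with: the only criterion is the ID taken from the
    hidden form field. Anyone who can post to the page can pass any ID."""
    cur = conn.execute("DELETE FROM comments WHERE id = ?", (posted_comment_id,))
    conn.commit()
    return cur.rowcount  # number of rows removed


def owner_lookup(conn, posted_comment_id, session_user_id):
    """The thread's lookup recordset: rows matching BOTH the posted comment ID and the
    user ID held in the server-side session (never taken from the form)."""
    return conn.execute(
        "SELECT id FROM comments WHERE id = ? AND user_id = ?",
        (posted_comment_id, session_user_id),
    ).fetchall()


def delete_own_comment(conn, posted_comment_id, session_user_id):
    """The fix: trigger the delete only when the lookup recordset is not empty.
    The DELETE repeats both conditions so that the row removed is the one the lookup
    authorised, even if the table changed in between."""
    if session_user_id is None:  # not logged in: nothing to match against
        return 0
    if not owner_lookup(conn, posted_comment_id, session_user_id):
        return 0  # recordset empty: forged or someone else's comment, delete does not fire
    cur = conn.execute(
        "DELETE FROM comments WHERE id = ? AND user_id = ?",
        (posted_comment_id, session_user_id),
    )
    conn.commit()
    return cur.rowcount


def remaining_ids(conn):
    return [row[0] for row in conn.execute("SELECT id FROM comments ORDER BY id")]


def demo():
    """Replay the forged request from the thread against both versions.
    Session user 200 posts comment ID 1, which belongs to user 100."""
    vuln = make_db()
    vuln_deleted = delete_by_id_only(vuln, 1)  # succeeds: 1 row gone, no ownership check

    fixed = make_db()
    forged = delete_own_comment(fixed, 1, 200)  # lookup empty, nothing deleted
    legit = delete_own_comment(fixed, 2, 200)  # own comment, 1 row deleted
    anon = delete_own_comment(fixed, 3, None)  # no session, nothing deleted

    return {
        "vuln_deleted": vuln_deleted,
        "vuln_remaining": remaining_ids(vuln),
        "forged": forged,
        "legit": legit,
        "anon": anon,
        "fixed_remaining": remaining_ids(fixed),
    }


if __name__ == "__main__":
    print(demo())
```

The important design point is where `session_user_id` comes from: it is read from the server-side session, so a request posted from outside the site cannot supply it, and the only extra "key column" the delete needs is the owner column that Jason Byrnes describes adding to the table.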