Put me out of my misery - Coldfusion - Advanced Techniques


  1. #1

    Default Put me out of my misery

    I have looked far and wide for this and maybe I am just missing something. I
    am using cftree to show a list of employees with various information about
    them. I want to be able to click the user name in the tree and have that submit
    a form to the page that allows editing of the user. I want to be able to pass
    the id via the form and not in the querystring because not everyone is
    authorized to edit each user.



    <!--- Query the datasource to get employee information. --->
    <!--- Group the output by Division.
    (All fields are required in Group By clause.) --->
    <cfquery name="GetEmployees" datasource="#dsnName#" username="#dBUser#"
    password="#dBPassword#">
    SELECT U_ID, U_FirstName, U_LastName, U_Email, U_OfficePhone, U_Division,
    U_HomePhone, U_HomeCity, U_HomeState, U_HomeZip
    FROM tbl_Users
    GROUP BY U_Division, U_ID, U_FirstName, U_LastName, U_Email, U_OfficePhone,
    U_HomePhone, U_HomeCity, U_HomeState, U_HomeZip
    ORDER BY U_LastName
    </cfquery>

    <h3>Browse Employees</h3>

    <!--- Display the tree. The cftree tag must be in a cfform. --->
    <cfform action="HR_U_Edit.cfm" preservedata="Yes" format="flash" method="post"
    height="600">
    <cftree name="Employees" height="300" width="300"
    font = "Arial Narrow" italic="yes" highlighthref="No" HScroll="no"
    VScroll="no"
    completepath="no" lookandfeel="windows" border="No" required="yes"
    appendkey="no">
    <!--- cfoutput tag with a group attribute loops over the Division. --->
    <cfoutput group="U_Division" query = "GetEmployees">
    <cftreeitem value="#U_Division#" parent="Employees" expand="no">
    <!--- This cfoutput tag loops over the records for the Division.
    The cfoutput tag does not need any attributes. --->
    <cfoutput>
    <!--- Create an item for each employee in the Division.
    Do not expand children. Each employee name links to the edit page;
    appendkey="no" above keeps the employee ID out of the query string. --->
    <cftreeitem value = "#U_LastName#, #U_FirstName#"
    parent = "#U_Division#" expand="false" img="cd"
    href="HR_U_Edit.cfm">
    <!--- Each node must have a unique value, so use U_ID in the value. --->
    <cftreeitem value = "#U_ID#_OfficeInfo" img="computer"
    display = "Office Information"
    parent = "#U_LastName#, #U_FirstName#" expand = "false">
    <!--- OfficeInfo has two children --->
    <cftreeitem value = "#U_OfficePhone#" parent = "#U_ID#_OfficeInfo">
    <cftreeitem value = "#U_Email#" parent = "#U_ID#_OfficeInfo">
    <!--- Each node must have a unique value, so use U_ID in the value. --->
    <cftreeitem value = "#U_ID#_HomeInfo" img="computer"
    display = "Home Information"
    parent = "#U_LastName#, #U_FirstName#" expand = "false">
    <!--- HomeInfo has two children --->
    <cftreeitem value = "Phone: #U_HomePhone#" parent =
    "#U_ID#_HomeInfo">
    <cftreeitem value = "City, State Zip: #U_HomeCity#, #U_HomeState#
    #U_HomeZip#" parent = "#U_ID#_HomeInfo">

    </cfoutput>
    </cfoutput>
    </cftree>
    <cfinput type="Submit" name="Submit" value="Submit">
    </cfform>

    ccsimmons Guest

  2. #2

    Default Re: Put me out of my misery

    Wouldn't it be simpler to only display the employees the user may edit and use
    a link instead of a form?

    Originally posted by: ccsimmons
    I have looked far and wide for this and maybe I am just missing something. I
    am using cftree to show a list of employees with various information about
    them. I want to be able to click the user name in the tree and have that submit
    a form to the page that allows editing of the user. I want to be able to pass
    the id via the form and not in the querystring because not everyone is
    authorized to edit each user.





    Dan Guest

  3. #3

    Default Re: Put me out of my misery

    I don't know how secure your application is supposed to be, but it's really not
    that hard to modify the values of form variables from a client. Passing
    sensitive information in the form scope is no more secure than passing it in the
    url scope; it's just not as directly visible.

    maxell Guest

  4. #4

    Default Re: Put me out of my misery

    ccsimmons,

    I agree with MAXELL. You shouldn't depend on "hiding" the values alone for a
    security or authorization mechanism. It's almost as easy for users to hack a
    simple form as it is to alter a url query string.

    I'm assuming your application already uses some sort of login mechanism
    (session variables, cookies, etc...). If users must have authorization to edit
    a record, you should perform a secondary verification on the edit/action page.
    If the user is not authorized to edit a record, show an error message
    indicating they don't have permission.



    mxstu Guest

  5. #5

    Default Re: Put me out of my misery

    Whether you get there by form or URL, you really need to check permissions at
    the target page. Even innocent users will accidentally bypass your security
    otherwise.

    Once that issue is solved, hiding the user ID should be less important.

    If you still want to hide it, using a form post can be a PART of your security
    strategy (security by obscurity will stop the good guys but not the bad guys --
    as was already mentioned).

    However, it will require some work to do with CFTREE.
    Here's one possible approach:
    For each tree item, create a separate form with the user ID in a "hidden"
    field.
    Create a javascript function that submits forms by form ID.
    For the cftreeitem, you would use the href field something like this:
    href="javascript:alert('You are not authorized.');"
    ... for low privilege users OR
    href="javascript:MyEditFunction('FormID_X');"
    ... for authorized users.

    Note that this is a lot of work for a little gain. The best use of resources
    would be to make sure that Bad guys can't do anything wrong even if they know
    the user ID (and they will).
    Don't use sensitive IDs like SSN, etc.



    MikerRoo Guest
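Posts #4 and #5 both land on the same fix: the permission check belongs on the target page, whichever scope the ID arrives in. The following is an added example of what that check could look like at the top of HR_U_Edit.cfm; it is not code from the thread. It assumes session management is enabled with session.userID set at login, the thread's dsnName/dBUser/dBPassword variables, that the employee ID reaches the page as U_ID in the form or url scope, and a hypothetical rights table tbl_EditRights(ER_EditorID, ER_TargetID).

```cfml
<!--- HR_U_Edit.cfm (added example): verify on the target page that the
      logged-in user may edit the requested employee, whether the ID came
      in by form post or query string. Assumes session.userID is set at
      login and a hypothetical table tbl_EditRights(ER_EditorID, ER_TargetID). --->

<!--- 1. Require an authenticated session before anything else. --->
<cfif not structKeyExists(session, "userID") or not isNumeric(session.userID)>
    <cflocation url="login.cfm" addtoken="no">
</cfif>

<!--- 2. Read the target ID from either scope. A client can alter form
      fields as easily as the query string, so both are untrusted input. --->
<cfset targetID = 0>
<cfif structKeyExists(form, "U_ID") and isNumeric(form.U_ID)>
    <cfset targetID = int(form.U_ID)>
<cfelseif structKeyExists(url, "U_ID") and isNumeric(url.U_ID)>
    <cfset targetID = int(url.U_ID)>
</cfif>
<cfif targetID lte 0>
    <cfthrow message="No employee selected.">
</cfif>

<!--- 3. Ask the database whether this editor may edit this target.
      cfqueryparam binds both IDs, so neither value can alter the SQL. --->
<cfquery name="CanEdit" datasource="#dsnName#" username="#dBUser#"
         password="#dBPassword#">
    SELECT 1 AS allowed
    FROM tbl_EditRights
    WHERE ER_EditorID = <cfqueryparam value="#session.userID#" cfsqltype="cf_sql_integer">
      AND ER_TargetID = <cfqueryparam value="#targetID#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- 4. Deny by default: log the attempt and stop before any edit form renders. --->
<cfif CanEdit.recordCount eq 0>
    <cflog file="hr_authz" type="warning"
           text="User #session.userID# denied edit of employee #targetID#">
    <h3>You are not authorized to edit this employee.</h3>
    <cfabort>
</cfif>

<!--- 5. Only now load the record for editing. --->
<cfquery name="GetEmployee" datasource="#dsnName#" username="#dBUser#"
         password="#dBPassword#">
    SELECT U_ID, U_FirstName, U_LastName, U_Email, U_OfficePhone, U_Division
    FROM tbl_Users
    WHERE U_ID = <cfqueryparam value="#targetID#" cfsqltype="cf_sql_integer">
</cfquery>
```

The same check must also run on the page that performs the update, not only on the one that displays the edit form, since the update request can be sent directly.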
