[3488] in WWW Security List Archive


Re: Customized Queries

daemon@ATHENA.MIT.EDU (Michael Brennen)
Thu Nov 7 16:38:42 1996

Date: Thu, 7 Nov 1996 13:13:28 -0600 (CST)
From: Michael Brennen <mbrennen@fni.com>
To: Roberto Galoppini <rgaloppini@tim.it>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <3281D00E.7FBC@tim.it>
Errors-To: owner-www-security@ns2.rutgers.edu


You may be able to drive some of this with PHP and create the pages
dynamically based on a user ID tag that gets passed along from the initial
login page.  You can learn more about PHP at http://www.vex.net/php/. 

   -- Michael

On Thu, 7 Nov 1996, Roberto Galoppini wrote:

> <ABSTRACT>
> I have to run a web-database application with sensitive information on
> an Oracle Web Server and I need to distinguish the user in order to
> perform his/her queries on his/her data.
> </ABSTRACT>
> 
> <AUTHENTICATION SCHEME>
> The application has an initial login procedure (it could be using
> Oracle's security Access Control or a dedicated table) and
> then displays a home page where the user can choose from different kinds
> of queries (so I need to keep the user-id through all the 'session').
> Does anybody have a clue on how to manage it?
> </AUTHENTICATION SCHEME>
> 
> <SOLUTION?>
> So far the only 'ideas' I got are:
> 1) using a different procedure for each user, encapsulating the user-id
> in all the queries. I won't suggest it to a friend ..
> 2) using a hidden TAG in which to put a 'pretty long' string that represents
> the user-id (so there is a table where user-id is mapped to this string
> and, eventually, it is changed on a daily basis ..)
> </SOLUTION?>
> 
> Thanks in advance,
> Roberto Galoppini
> rgaloppini@tim.it
> "Even paranoids have enemies"
> 
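
Added example (not part of either message and not code from the list): one way to implement the hidden-tag idea in option 2, which is also the ID tag passed along from the login page, sketched in Python rather than PHP or Oracle's own tooling. The names `SessionTable`, `hidden_field`, `rows_for` and `sid`, and the 24-hour lifetime, are assumptions; the tag is a random string that the server maps back to the user ID, so the user ID itself never travels in the page.

```python
import hashlib
import html
import secrets
import time

SESSION_TTL = 24 * 60 * 60  # assumption: mirrors the "daily basis" change in the post


class SessionTable:
    """Server-side table mapping an opaque random string to a user ID."""

    def __init__(self, ttl=SESSION_TTL, clock=time.time):
        self._rows = {}      # sha256(token) -> (user_id, expires_at)
        self._ttl = ttl
        self._clock = clock

    @staticmethod
    def _key(token):
        # Keep only a digest, so a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id):
        """Call after a successful login; returns the string for the hidden tag."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._rows[self._key(token)] = (user_id, self._clock() + self._ttl)
        return token

    def resolve(self, token):
        """Return the user ID for a submitted token, or None if unknown or expired."""
        if not isinstance(token, str) or not token:
            return None
        row = self._rows.get(self._key(token))
        if row is None or self._clock() >= row[1]:
            return None
        return row[0]


def hidden_field(token):
    """HTML for the hidden tag carried on every form of the session."""
    return '<input type="hidden" name="sid" value="%s">' % html.escape(token, quote=True)


def rows_for(sessions, submitted_token, records):
    """Scope a query to the session's user; the client never supplies a user ID."""
    user_id = sessions.resolve(submitted_token)
    if user_id is None:
        raise PermissionError("no valid session")
    return [r for r in records if r["owner"] == user_id]
```

A hidden field is visible to anyone who can read the page or the request, so this only holds up when the session runs over an encrypted connection.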

