
[nycphp-talk] Operation must use an updateable query.

rinaldy roy rinaldy_roy at yahoo.com
Fri Aug 26 06:01:15 EDT 2005


 I've just started my first HTML and MS Access as below, but came up with this error:
 

Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[Microsoft][ODBC Microsoft Access Driver] Operation must use an updateable query.
/pelanggan_tulis_2.asp, line 20



Browser Type:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) 


Page:
POST 24 bytes to /pelanggan_tulis_2.asp 


POST Data:
Ipelanggan=aa&Ialamat=bb 
 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
 <title>CekCon</title>
</head>
<body>
<%
' Form fields posted from the previous page
ipelanggan=Request("Ipelanggan")
ialamat=Request("Ialamat")
' Set up the database connection
Set conn=Server.CreateObject("ADODB.Connection")
conn.Mode = 3 ' adModeReadWrite
conn.Open "DSN=pelanggan;uid=Admin;pwd=;"
' Build the INSERT; note the space before VALUES so the two halves do not run together.
' The posted values are concatenated straight into the SQL text, so whatever the
' user typed (quotes included) becomes part of the statement that is executed.
sql="INSERT INTO master_pelanggan(nama_pelanggan, alamat) "
sql=sql & "VALUES('" & ipelanggan & "', '" & ialamat & "')"
' Execute returns a (closed) recordset for an INSERT; no separate Recordset object is needed
Set rs=conn.Execute(sql)
Response.Write "data masuk"
%>
</body>
</html>

 
---------------
How to fix it?
 
RRY
talk-request at lists.nyphp.org wrote:

Today's Topics:

1. MD5 + Flash (-sry Boston)
2. Re: MD5 + Flash (Hans Zaunere)
3. OWASP 9/29 Save The Date (Thomas Brennan)
4. Re: Session basics (Billy Pilgrim)
5. Re: MD5 + Flash (csnyder)


----------------------------------------------------------------------

Message: 1
Date: Sun, 21 Aug 2005 13:23:30 -0500
From: "-sry Boston" 
Subject: [nycphp-talk] MD5 + Flash
To: talk at lists.nyphp.org
Message-ID: 
Content-Type: text/plain; format=flowed

Hiya,

If you're over on WWWAC you've already seen this but I'm asking here
from another slant. I have no idea what I can or can't do withOUT
having to create/manage a mySQL db...my server will let me do this
easily enough but it's been over a year since I've thought of PHP or
mySQL and I don't want to get so distracted by the programming
mindset that I forget what I was doing in the first place (trying to
do some marketing).

Below is the process I'm trying to implement - step 5 is where I'm
fuzzy...I know I could definitely have the URL come back to a
PHP page that looks up the string in a db (and a very simple one,
I'm sure, since it's just a list) but I'd rather just have the URL come
back to the Flash file and do the checking from within the .swf,
with ActionScript - is that easier or harder? Since you guys all love
PHP and probably only half of you even like AS, I know it's a biased
answer I'll get :-) but try to be objective and not play favorites
on the languages here.

What I want to do:

(1) user gives me email address

(2) with a PHP script (free from http://www.allhype.co.uk/tools/md5/
and a very nice script actually!!) I MD5 their email address

(3) I send user a message (to validate the address works) that has
their MD5'd address as a link for them to come back and get what
they want

(4) user clicks unique query string in the email I've sent them

(4) I validate the string .....how/from where is the ??? :)

(5) if valid, give them the Flash file; if not, give them an error message

Any help much appreciated!

-sry
Sarah R. Yoffa
http://books.sarahryoffa.com/
books at sarahryoffa.com
*********************
Look for the exciting release of the newly-edited
THE PHOENIX SHALL RISE AGAIN
Coming to online booksellers - New Year's 2006.
*********************




------------------------------

Message: 2
Date: Sun, 21 Aug 2005 17:45:41 -0400
From: "Hans Zaunere" 

Subject: Re: [nycphp-talk] MD5 + Flash
To: "'NYPHP Talk'" 
Message-ID: <0MKp2t-1E6xdN3S4E-0001Lu at mrelay.perfora.net>
Content-Type: text/plain; charset="us-ascii"



talk-bounces at lists.nyphp.org wrote on Sunday, August 21, 2005 2:24 PM:
> Hiya,
> 
> If you're over on WWWAC you've already seen this but I'm asking here
> from another slant. I have no idea what I can or can't do withOUT
> having to create/manage a mySQL db...my server will let me do this
> easily enough but it's been over a year since I've thought of PHP or
> mySQL and I don't want to get so distracted by the programming
> mindset that I forget what I was doing in the first place (trying to
> do some marketing). 
> 
> Below is the process I'm trying to implement - step 5 is where I'm
> fuzzy...I know I could definitely have the URL come back to a
> PHP page that looks up the string in a db (and a very simple one,
> I'm sure, since it's just a list) but I'd rather just have
> the URL come
> back to the Flash file and do the checking from within the .swf,
> with ActionScript - is that easier or harder? Since you guys all love
> PHP and probably only half of you even like AS, I know it's a biased
> answer I'll get :-) but try to be objective and not play favorites on
> the languages here. 
> 
> What I want to do:
> 
> (1) user gives me email address
> 
> (2) with a PHP script (free from http://www.allhype.co.uk/tools/md5/
> and a very nice script actually!!) I MD5 their email address
> 
> (3) I send user a message (to validate the address works) that has
> their MD5'd address as a link for them to come back and get what they
> want 
> 
> (4) user clicks unique query string in the email I've sent them
> 
> (4) I validate the string .....how/from where is the ??? :)
> 
> (5) if valid, give them the Flash file; if not, give them an
> error message

You could do all of this with just Flash, etc. assuming Flash has MD5, as
I'm sure it does, but you'll be limited. If you want to track who has
downloaded what files, the browser they're using, etc. you won't be able to
do so without a DB.

There's also a security concern here. There's no way to know that the email
address you've gotten originally is the same as the one that's coming from
the link. Since you're not storing anything anywhere, you have no way to
keep persistent data. If I know that you're checking that an MD5 matches
the MD5 of the email address, I can pass you any MD5 I want, and it'll
validate.

H



------------------------------

Message: 3
Date: Sun, 21 Aug 2005 20:16:17 -0400
From: "Thomas Brennan" 
Subject: [nycphp-talk] OWASP 9/29 Save The Date
To: 
Message-ID:
<1DA2AD8042527B4199C09042CFC0A94D18794B at jinx.datasafeservices.net>
Content-Type: text/plain; charset="US-ASCII"

I would like to provide you with advance notice and extend a special
invite for you to join us at the next Open Web Application Security
Project (OWASP) NJ Chapter meeting. The next event will be held on
September 29th at ABN AMRO in Jersey City (across from the PATH station);
full details, speakers and RSVP information are located at the chapter
website online:

http://www.owasp.org/local/nnj.html

Currently on the September Agenda:

SPEAKER - OWASP - Topic: Review of OWASP Security Guide v2.0.1 Released
at BlackHat 

SPEAKER - eEye Digital Security - Topic: Worm / Vulnerability Management


SPEAKER - Application Security - Topic: Database Attacks 

SPEAKER - NitroSecurity - Topic: Analysis of Network Attacks

** You are encouraged to forward this email to others that you believe
would benefit from this non-profit, educational peer-to-peer networking
opportunity -- RSVP is required due to building security requirements
see: http://www.owasp.org/local/nnj.html for details.

At our November meeting we are looking forward to having NYPHP/Hans
Zaunere speak concerning PHP Security Issues

Enjoy the rest of your summer!

Thomas Brennan, CISSP, CFSO, MCSA, C|EH
DATA SAFE SERVICES
"Because Security is NOT the default"
831-B Route 10 East, Whippany NJ 07981
Tel: 973-795-1046 | Fax: 973-428-0293
Web: www.datasafeservices.com


------------------------------

Message: 4
Date: Sun, 21 Aug 2005 22:48:19 -0400
From: Billy Pilgrim 
Subject: Re: [nycphp-talk] Session basics
To: NYPHP Talk 
Message-ID: <6ee3253b050821194874c5ddf0 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On 8/19/05, Chris Shiflett wrote:
> Aaron Fischer wrote:
> > If the session has expired such as in browser close or timeout, the
> > bookmarked page won't be a liability as the session id in the URL won't
> > find a matching session id on the server.
> 
> The server doesn't know when the browser is closed, so that part's not
> right. It is true that a session timeout (on the server side) offers
> some protection against this type of accidental hijacking.

A bookmarked session id might not result in a hijacked session, but
it's not a good idea to have session ids exposed and kept around like
that.

Consider another example: someone is logged into a newspaper site and
sees an interesting article. The user copies the URL (with session id)
and pastes it in an email to a friend. If the friend receives the
email quickly and the server has a long timeout, accidental session
hijacking could occur.

The primary reason to have a session id in the url is if the browser
doesn't support cookies, right?
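The settings that keep a PHP session id out of URLs, plus a check over constructed log lines for ids that have already leaked that way (an added example, not part of the thread). It assumes PHP 7.1+ and that session.use_trans_sid=0 is set in php.ini, which stops PHP from appending the id to links and forms.

```php
<?php
// Added example, not from the thread. Assumes PHP 7.1+ and session.use_trans_sid=0
// in php.ini (so no id is ever written into links or form actions).

// Server-side settings so the id travels only in a cookie and dies quickly.
function harden_session(): void {
    ini_set('session.use_only_cookies', '1'); // ignore ?PHPSESSID=... in request URLs
    ini_set('session.cookie_httponly', '1');  // keep the cookie away from page scripts
    ini_set('session.gc_maxlifetime', '1800'); // short idle timeout on the server side
    session_start();
}

// On login, replace the id so anything bookmarked or emailed before is worthless.
function on_login(string $user): void {
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
}

// Detection for the "pasted into an email" case: session ids that were carried in
// request URLs. Returns the distinct ids found in access-log lines.
function leaked_session_ids(array $log_lines, string $name = 'PHPSESSID'): array {
    $found = [];
    $re = '/[?&]' . preg_quote($name, '/') . '=([A-Za-z0-9,-]{22,128})/';
    foreach ($log_lines as $line) {
        if (preg_match($re, $line, $m)) {
            $found[] = $m[1];
        }
    }
    return array_values(array_unique($found));
}

// Constructed sample access-log lines (not from any real server)
$lines = [
    '203.0.113.5 - - [22/Aug/2005:08:35:30 -0400] "GET /article.php?id=42&PHPSESSID=abc123def456ghi789jkl012 HTTP/1.1" 200',
    '203.0.113.9 - - [22/Aug/2005:08:36:01 -0400] "GET /article.php?id=42 HTTP/1.1" 200',
];
print_r(leaked_session_ids($lines)); // the id from the first line; the second is clean
```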


------------------------------

Message: 5
Date: Mon, 22 Aug 2005 08:35:30 -0400
From: csnyder 
Subject: Re: [nycphp-talk] MD5 + Flash
To: NYPHP Talk 
Message-ID: 
Content-Type: text/plain; charset=ISO-8859-1

On 8/21/05, -sry Boston wrote:

> What I want to do:
> 
> (1) user gives me email address
> 
> (2) with a PHP script (free from http://www.allhype.co.uk/tools/md5/
> and a very nice script actually!!) I MD5 their email address
> 
> (3) I send user a message (to validate the address works) that has
> their MD5'd address as a link for them to come back and get what
> they want
> 
> (4) user clicks unique query string in the email I've sent them
> 
> (4) I validate the string .....how/from where is the ??? :)
> 
> (5) if valid, give them the Flash file; if not, give them an error message
> 
> Any help much appreciated!

I think you have the purpose of the MD5 hash confused. In this case,
you want it to be an *unguessable* token that the user can bring back
to you to prove that they got your validation message, and
that they own the mailbox associated with the provided email address.

In other words, it should be random. If it's just the hash of their
email address, then an impersonator could easily generate the right
token and validate an address that isn't their own (as Hans pointed
out).

You will need some sort of DB -- MySQL or flat file or otherwise -- to
store the email address and the random token in the same record, so
that when the user clicks the link with the token in it, you can look
up the email and mark it valid.

-- 
Chris Snyder
http://chxo.com/
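The scheme Hans and Chris describe, as an added example that is not the original poster's or the list's code: a random, single-use token stored next to the address, instead of md5 of the address. It assumes PHP 7.1+ and the PDO SQLite driver; the in-memory database is a constructed stand-in for "MySQL or flat file or otherwise".

```php
<?php
// Added example, not the original poster's code. Assumes PHP 7.1+ and PDO SQLite;
// the in-memory table is constructed for the walk-through.

const TOKEN_TTL = 86400; // constructed policy: a link is good for one day

function open_store(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE signups (email TEXT NOT NULL, token_hash TEXT UNIQUE NOT NULL,
               issued INTEGER NOT NULL, validated INTEGER NOT NULL DEFAULT 0)');
    return $db;
}

// Steps (2)-(3): mint an unguessable token and record it with the address.
// Only a hash of the token is kept, so a copy of the table does not yield live links.
function issue_token(PDO $db, string $email): string {
    $token = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG; nothing derived from the email
    $stmt = $db->prepare('INSERT INTO signups (email, token_hash, issued) VALUES (?, ?, ?)');
    $stmt->execute([$email, hash('sha256', $token), time()]);
    return $token; // this goes into the emailed link, e.g. confirm.php?t=<token>
}

// Steps (4)-(5): the link comes back; look the token up, check its age, mark the
// address valid. Returns the email, or null if the token is unknown, stale or used.
function redeem_token(PDO $db, string $token): ?string {
    if (!preg_match('/^[0-9a-f]{32}$/', $token)) {
        return null; // malformed input never reaches the query
    }
    $stmt = $db->prepare('SELECT rowid, email, issued FROM signups
                          WHERE token_hash = ? AND validated = 0');
    $stmt->execute([hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || time() - (int) $row['issued'] > TOKEN_TTL) {
        return null;
    }
    $db->prepare('UPDATE signups SET validated = 1 WHERE rowid = ?')->execute([$row['rowid']]);
    return $row['email'];
}

// Constructed walk-through
$db = open_store();
$token = issue_token($db, 'reader@example.com');
var_dump(redeem_token($db, $token));                    // first use of the emailed token
var_dump(redeem_token($db, $token));                    // second use: already consumed
var_dump(redeem_token($db, md5('reader@example.com'))); // the guessable value was never issued
```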


------------------------------

_______________________________________________
talk mailing list
talk at lists.nyphp.org
http://lists.nyphp.org/mailman/listinfo/talk


End of talk Digest, Vol 27, Issue 50
************************************

		

