You mention that these users have the ability to alter the database.
Answer> It the cgi that interfaces with the database and tables and display's the information in a webform that the users can update and submit. They do not interface directly with the database, only through a webform.
You mention that these users have the ability to alter the database. How are they logged in?
Answer> Until now I thought they were logging into the PostNuke frontpage and following the links I provided. These links use the "PostWrap" module which basically places the target cgi into a frame within the current page, giving the impression it is part of the overall site design.
Unfortunately I have just tested the some of the links and they are viewable without logging into the PostNuke interface. Not what I was expecting.
Do they even have to be logged in to access this CGI tool?
Answer> As stated above, no they do not. I was under the impression they did.
If they don't, then that's your problem right there and you may be limited to only being able to store info like IP address.
Answer>I am already capturing their IP address in a hidden feild on the web form using javascript. Luckily there are only a few (less than 20) individuals that currently use these tools and all are static IP's and easily tracked. There has been a request to expand its capabilities after the first of the year and there potentially will be more than 100 potential users. Tracking these users by IP will be more dificult as almost all of the new users will be NAT'd behind 2 or 3 Ip's.
I'm going to research locking down a few of these directories with a secondary authentication. I do not like that these pages can be viewed without being logged into the PostNuke Interface.
In reply to Re^2: PHP username information
by Dranzaz
in thread PHP username information
by Dranzaz
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |