Check Box Updating

13 years 5 months ago #146448 by makitso
Replied by makitso on topic Re:Check Box Updating
Kyle,

Thank you for the insight on how CB works.

I am a little puzzled however on the different approaches you describe for how CB handles checkbox and text fields. It would seem to me that NOT updating the database for a disabled checkbox field would prevent tampering just like the text field.

I am less concerned about a jQuery vulnerability since this activity would only be on the profile page -- that can only be reached via a valid login.

Writing a new fieldtype plugin sounds like a lot of work. However if I can find the core code that does the above check I would be willing to change it for our site since we already have several other core changes.

Thanks for your help


13 years 5 months ago #146487 by krileon
Replied by krileon on topic Re:Check Box Updating

I am a little puzzled however on the different approaches you describe for how CB handles checkbox and text fields. It would seem to me that NOT updating the database for a disabled checkbox field would prevent tampering just like the text field.

A disabled field still posts, this is typical HTML form behavior. The code which handles a post is what determines what to do. The read-only feature tells the code which handles the post to ignore them. This is because blank values are supported.

I am less concerned about a jQuery vulnerability since this activity would only be on the profile page -- that can only be reached via a valid login.

That's fine, but I am just informing you of the risk.

Writing a new fieldtype plugin sounds like a lot of work. However if I can find the core code that does the above check I would be willing to change it for our site since we already have several other core changes.

Depending on your needs it can be, but it is much more secure and functional, as well as easily ported to other installations, or you could even sell the plugin. We have documentation subscriber ajax text and file fieldtype plugins that can help get you started.

You could also, within your jQuery, change the name and ID of the field to something random or something like 1234, and it will NOT update the user's database row, as a field of, say, 1234 doesn't exist, so it won't bind to the user object. This also avoids the vulnerability of the user editing the field from the DOM.


Kyle (Krileon)
Community Builder Team Member
Before posting on forums: Read FAQ thoroughly + Read our Documentation + Search the forums
CB links: Documentation - Localization - CB Quickstart - CB Paid Subscriptions - Add-Ons - Forge
--
If you are a Professional, Developer, or CB Paid Subscriptions subscriber and have a support issue please always post in your respective support forums for best results!
--
If I've missed your support post with a delay of 3 days or greater and are a Professional, Developer, or CBSubs subscriber please send me a private message with your thread and will reply when possible!
--
Please note I am available Monday - Friday from 8:00 AM CST to 4:00 PM CST. I am away on weekends (Saturday and Sunday) and if I've missed your post on or before a weekend after business hours please wait for the next following business day (Monday) and will get to your issue as soon as possible, thank you.
--
My role here is to provide guidance and assistance. I cannot provide custom code for each custom requirement. Please do not inquire me about custom development.
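The server-side point made above, as an added illustration that is not Community Builder's code: the decision about which fields may change belongs in the code that handles the post, not in the browser's disabled attribute. Field names and values below are constructed for the demonstration.

```php
<?php
// Added example (not Community Builder code): bind a profile POST onto a user row,
// ignoring fields the form marked read-only regardless of what the browser sent.
// Field names and values are hypothetical and constructed for this demonstration.

/**
 * @param array $userRow    current stored row, field name => value
 * @param array $post       posted form values, field name => value
 * @param array $editable   field names this form lets the user change (server-side list)
 * @param array $checkboxes subset of $editable rendered as checkboxes
 *
 * A "disabled" attribute is not a security control: the request can be edited
 * before it is sent, so the allowed-field list must live on the server. Blank
 * values are legitimate for editable fields, so the check is on the field name,
 * never on whether a value is present.
 */
function bindProfilePost(array $userRow, array $post, array $editable, array $checkboxes): array
{
    foreach ($post as $name => $value) {
        // Unknown or read-only field (e.g. a checkbox the form showed as disabled):
        // leave the stored value untouched.
        if (!in_array($name, $editable, true)) {
            continue;
        }
        $userRow[$name] = (string) $value;
    }

    // Browsers omit unchecked checkboxes from the POST entirely, so an editable
    // checkbox that is absent means "unchecked", not "unchanged".
    foreach ($checkboxes as $name) {
        if (in_array($name, $editable, true) && !array_key_exists($name, $post)) {
            $userRow[$name] = '0';
        }
    }
    return $userRow;
}

// Constructed sample: a tampered POST that blanks the city, omits the newsletter
// checkbox (unchecked) and tries to flip a read-only "verified" checkbox.
$userRow    = ['cb_newsletter' => '1', 'cb_city' => 'Austin', 'cb_verified' => '0'];
$editable   = ['cb_newsletter', 'cb_city'];
$checkboxes = ['cb_newsletter', 'cb_verified'];
$post       = ['cb_city' => '', 'cb_verified' => '1'];

print_r(bindProfilePost($userRow, $post, $editable, $checkboxes));
```

The printed row keeps cb_verified at its stored value, binds the blank city, and records the newsletter checkbox as unchecked.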
