travismp
Posts: 244 Joined: 2/1/2002 From: hutchinson ks USA Status: offline
need help BAD! refresh issue - 7/30/2008 12:24:37
I am using FrontPage 2000 on an IIS 5 server. Right now I have a page with this code:
fp_sQry="SELECT * FROM qry_EMPLOYEE_LISTING_VIEW WHERE WebUserName='"&session("Username")&"' ORDER BY EmployeeLast ASC"
which loads perfect when my user clicks the link. It will show the records for their company based on the session login. There is a 'delete' form on this page, my user will see their records, click a box on any record they wish to delete, then click the delete button. At this point the page will refresh itself and show the records for that company minus the ones deleted. Works great. TWICE now I have had users that once they click delete and the page refreshes it shows ALL records in the DB, not just those for their company. My boss is really mad at me because it is a "security Issue". It almost seems on the refresh it is no longer looking at the WHERE clause of the statement. What could be causing this behavior, how do I fix this? Can anyone help?
pd_it_guy
Posts: 191 Joined: 3/4/2008 Status: offline
|
RE: need help BAD! refresh issue - 7/30/2008 12:35:14
- Can you replicate the complaint and verify it is really happening?
- What param decides what records return to the user? If the username variable somehow reverts to one that allows all records, not just the right ones, verify by hard coding the actual username and see if that stabilizes things.
ou812
Posts: 1601 Joined: 1/5/2002 From: San Diego Status: offline
RE: need help BAD! refresh issue - 7/30/2008 13:02:31
My initial thought would be you are losing your session variable and that is causing the query to return all records. Maybe too many sessions opened or too long??? Not sure why it would return them all instead of none though. Without the session variable your query would look like this:
SELECT * FROM qry_EMPLOYEE_LISTING_VIEW WHERE WebUserName='' ORDER BY EmployeeLast ASC
Again, not sure why it would return all records, but maybe hard code that query and try it and see. And if so, and you probably should anyway, get rid of the session variable in your query, and store the session as a variable. Or if not able to get away from using a session, for whatever reason(?), and you are losing it, maybe you can extend the timeout of sessions. They're defaulted to 20 minutes, I believe.
_____________________________
-brian EnterpriseDB: Enterprise-class relational database management system PostgreSQL: The world's most advanced open source database
travismp
Posts: 244 Joined: 2/1/2002 From: hutchinson ks USA Status: offline
RE: need help BAD! refresh issue - 7/30/2008 14:35:11
Thank you OU, my timeout is set to 55 minutes for another reason and I get around 100 logins per day. Could this be an issue? I can restrict the timeout time if need be if that may help. You think by taking off the session variable that may make the issue go away too? I can certainly do that. Thank you so far, it has not been my day at all.
ou812
Posts: 1601 Joined: 1/5/2002 From: San Diego Status: offline
RE: need help BAD! refresh issue - 7/30/2008 15:02:37
It's hard to say without seeing the entire application what is really going on. 55 minutes is a pretty long time, but it really depends on how long your users are on, from when they login and set the initial session, until they are running/deleting entries. These couple of incidents could have been from expired sessions. 100 logins/day is nothing to worry about, but if they're all doing this at the same time, or within an hour, because of the 55 minute sessions timer, and you have 10 different types of sessions per login, and then who knows what else is going on with the server (in house? shared?) and sessions, it could be a problem.
The first step I would take is to run the query like above, and see what it does just to give you an idea of results:
SELECT * FROM qry_EMPLOYEE_LISTING_VIEW WHERE WebUserName='' ORDER BY EmployeeLast ASC
Either way, I would probably get rid of using a session for the query, IF your user can hang out all day on the screen and then decide to run the query 90 minutes later. OR, prior to running this query, or any other query or process that uses a session variable, you could check the session variable to ensure it is still there. If not, have them login again, with a message explaining their login timed out.
To me, it just really points to something going on with the query. I would try and stabilize the query, by either capturing the session initially into a variable and using that variable instead or checking to see if the session is still alive prior to executing the query. And, as PD IT guy referred to, is there some username that can display all people? Or can you somehow duplicate manually what they're seeing, to see how the query may be doing it.
_____________________________
-brian EnterpriseDB: Enterprise-class relational database management system PostgreSQL: The world's most advanced open source database
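The check suggested in the replies above (capture the session value once, refuse to run the query when it is missing, and send the user back to log in), written out as an added classic ASP example that is not code from any poster in this thread. It also binds the username as a query parameter instead of concatenating it into the SQL string. The names `login.asp`, `Application("ConnString")` and the parameter size of 255 are assumptions; the view and column names are the ones in the original query.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example. Assumed names: login.asp, Application("ConnString").

' ADO constants (values from adovbs.inc)
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

Dim userName, conn, cmd, rs

' Capture the session value once, at the top of the request.
' & "" turns an Empty/Null session value into an empty string.
userName = Trim(Session("Username") & "")

' Fail closed: if the session has expired or was never set,
' run no query at all and send the user back to the login page.
If Len(userName) = 0 Then
    Session.Abandon
    Response.Redirect "login.asp?msg=timeout"
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")

' Bind the username as a parameter so its content can never
' change the shape of the WHERE clause.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT * FROM qry_EMPLOYEE_LISTING_VIEW " & _
                  "WHERE WebUserName = ? ORDER BY EmployeeLast ASC"
cmd.Parameters.Append cmd.CreateParameter("WebUserName", adVarChar, adParamInput, 255, userName)

Set rs = cmd.Execute
Do Until rs.EOF
    ' Encode on output so stored values are rendered as text.
    Response.Write Server.HTMLEncode(rs("EmployeeLast") & "") & "<br>"
    rs.MoveNext
Loop

rs.Close
conn.Close
%>
```

The same guard belongs at the top of whatever code processes the delete form, so the page cannot act on a request that arrives after the session is gone.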