1 Reply Latest reply on Oct 4, 2006 5:49 AM by Dan Bracuk

    Hidden forms fields and using hash checksums.

      I have an admin page on my site that lists users in a group. Administrators
      can delete their users. To make things nice and secure I want to use hidden
      form fields to pass the id variable for the record(s) to delete.

      I know I've got the hash implementation wrong, can anyone help me out? I
      think I should be hashing the Remove checkbox field.



      Form that lists users.
      --------------------------
      <cfform name="form" id="form" method="post" action="admin_delete_user.cfm">

      <table width="100%" cellpadding="0" cellspacing="0" border="0"
      summary="Users">
      <tr>
      <td width="20%">Edit</td>
      <td width="40%">Email</td>
      <td width="20%">User Type</td>
      <td width="20%">Update</td>

      </tr>
      <!--- Count must exist before it is incremented inside the loop --->
      <cfset Count = 0>
      <cfoutput query="query"><cfset Count = Count+1><tr>
      <td width="15%">#query.first_name# #query.last_name#</td>
      <td width="40%">#query.email#</td>
      <td width="20%">#query.user_type#</td>
      <td width="20%"><cfinput type="checkbox" name="Remove" value="#query.id#">
      <input type="submit" class="btn" value="Delete">
      <input type="hidden" name="checksum" value="#hash(query.id)#" />
      <input type="hidden" name="RecordCount" value="#Count#">
      </td></tr></cfoutput>
      </table>
      </cfform>


      submit - admin_delete_user.cfm
      --------------------------
      <cfif hash(form.remove) NEQ form.checksum>
      Remove id does not equal checksum<br />
      Hash Id <cfoutput>#form.remove#</cfoutput><br />
      Checksum <cfoutput>#form.checksum#</cfoutput>
      <cfabort>
      </cfif>

      <cfif trim(client.admin) EQ "administrator" AND isdefined("form.Remove")>
      <cfquery name="query" datasource="#client.dsn#"
      username="#client.username#" password="#client.password#">
      delete from xxxx where id in
      <!--- bind the submitted list as integers instead of pasting it into the SQL --->
      (<cfqueryparam value="#form.remove#" cfsqltype="cf_sql_integer" list="true">)
      </cfquery>

      <cfelse>
      <cflocation url = "admin_users.cfm">
      </cfif>
      <cflocation url = "admin_users.cfm">
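The problem the posted hash check runs into, shown as an added example that is not part of this thread and is written in Python rather than CFML: hash(id) can be recomputed by anyone who can see the page, so it proves nothing about where a submitted id came from, whereas an HMAC keyed with a server-only secret cannot be forged; carrying the token inside each checkbox value also covers the multi-select case that a single shared hidden checksum field cannot, and the delete binds the ids rather than pasting them into the SQL. The secret, the users table and its rows are constructed for the example.

```python
import hashlib
import hmac
import sqlite3

# Constructed secret for this example only; a real deployment loads it from
# server-side configuration and never sends it to the browser.
SERVER_SECRET = b"example-only-secret"

def unkeyed_checksum(record_id):
    """What the posted form does: hash(query.id). Any client can recompute
    this for any id, so it proves nothing about where the value came from."""
    return hashlib.md5(str(record_id).encode()).hexdigest()

def keyed_checksum(record_id):
    """HMAC over the id with a server-only key: a client cannot forge it."""
    return hmac.new(SERVER_SECRET, str(record_id).encode(), hashlib.sha256).hexdigest()

def checkbox_value(record_id):
    """Value to emit per checkbox, so each checked id carries its own token."""
    return f"{record_id}:{keyed_checksum(record_id)}"

def verified_ids(submitted):
    """Return only the ids whose token verifies; silently drop everything else."""
    ok = []
    for value in submitted:
        rid, sep, token = value.partition(":")
        if not sep or not rid.isdigit():
            continue
        # constant-time compare on bytes so odd input cannot raise or leak timing
        if hmac.compare_digest(keyed_checksum(rid).encode(), token.encode()):
            ok.append(int(rid))
    return ok

def delete_users(conn, ids):
    """Parameterised DELETE ... IN (...); returns the number of rows removed."""
    if not ids:
        return 0
    marks = ",".join("?" for _ in ids)
    cur = conn.execute(f"DELETE FROM users WHERE id IN ({marks})", ids)
    conn.commit()
    return cur.rowcount

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(7, "a@example.com"), (8, "b@example.com"), (9, "c@example.com")])
    forged = f"9:{unkeyed_checksum(9)}"   # plain hash recomputed client-side
    ids = verified_ids([checkbox_value(7), forged])
    return ids, delete_users(conn, ids)   # ([7], 1): forged row 9 survives
```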