Limiting Access to Non-employees

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


harrisonad
Forum Contributor
Posts: 288
Joined: Fri Oct 15, 2004 4:58 am
Location: Philippines

Post by harrisonad »

Hi. As you may know, I am an intranet programmer for a certain company. One of the features of this intranet site is to let employees report a technical problem by filling in a form that includes the employee's name, selected from a list. This list is of course taken from the local MySQL database used by the site, not the company database, which is MS SQL and is updated all the time.

I intentionally put the names in a list to prevent non-employees, including visitors or pranksters playing around in the lounge, from posting fictitious problems. It worked fine for a couple of months, but the problem now is when new employees are hired. Their information, including names, is not always present in the MySQL database, because it is only copied from the company database. Because of this I have to enter them manually before they can fill in the form.

Some have said that I should put a textbox for name input beside the employee list, for those persons who are not in the list. But I don't want to do that, because it would let non-employees add their names and eventually access pages on the site.

What do you think I should do?

feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

What's the difference if the server grabs the employee information from the company database or from your own? The only thing I see is that yours doesn't automatically replicate the company server.

You could use a cron to "update" your local database. The nice thing about using a local database is you can filter out people from the original a bit more easily (pre-filtered)... another thing is you could use a local table of exclusion information; those who do not want to be listed can then just be added there.

I don't quite see what a textbox would make problematic. It should only try to match the name entered to an existing employee and send the message or whatever. It shouldn't ever change any records.

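A cron-driven sync of the kind feyd describes, written as an added example (it is not code from this thread). The MS SQL host, the dbo.Employees table and its columns, the credentials read from the environment, and the local employee_exclusions table are all assumptions; the local employees table follows the columns named later in the thread plus an `active` flag:

```php
<?php
// sync_employees.php: copy the company employee list (MS SQL) into the
// intranet's local MySQL table, honouring a local exclusion table.
// Added example, not code from the thread. Run it from cron, e.g.:
//   */15 * * * *  /usr/bin/php /srv/intranet/bin/sync_employees.php
// Assumed (not from the thread): PDO sqlsrv driver, a source table
// dbo.Employees(employee_id, full_name, active), and local tables
//   employees(employee_id INT PRIMARY KEY, employee_name VARCHAR(100), active TINYINT)
//   employee_exclusions(employee_id INT PRIMARY KEY)

$src = new PDO('sqlsrv:Server=hr-sql.corp.example;Database=HR',
    'intranet_ro', getenv('HR_PW'),
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$dst = new PDO('mysql:host=localhost;dbname=intranet;charset=utf8mb4',
    'intranet', getenv('INTRANET_PW'),
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);

// Read-only on the company side: only active staff, only the columns we need.
$rows = $src->query('SELECT employee_id, full_name FROM dbo.Employees WHERE active = 1')
            ->fetchAll(PDO::FETCH_ASSOC);

// Fail closed on an empty answer: an outage on the HR side must not
// deactivate every employee in the intranet list.
if (count($rows) === 0) {
    fwrite(STDERR, "source returned no employees; refusing to touch the local list\n");
    exit(1);
}

// Local exclusion list: people who do not want to appear in the drop-down.
$excluded = array_flip($dst->query('SELECT employee_id FROM employee_exclusions')
                           ->fetchAll(PDO::FETCH_COLUMN));

$dst->beginTransaction();
try {
    // Everyone starts as inactive; rows still present in the source are
    // re-activated below. People who left the company therefore drop out of
    // the list without being deleted, so old requests keep a valid employee_id.
    $dst->exec('UPDATE employees SET active = 0');

    $upsert = $dst->prepare(
        'INSERT INTO employees (employee_id, employee_name, active) VALUES (:id, :name, 1)
         ON DUPLICATE KEY UPDATE employee_name = VALUES(employee_name), active = 1'
    );
    $n = 0;
    foreach ($rows as $r) {
        if (isset($excluded[(int)$r['employee_id']])) {
            continue;                       // pre-filtered, never reaches the list
        }
        $upsert->execute([':id' => (int)$r['employee_id'], ':name' => $r['full_name']]);
        $n++;
    }
    $dst->commit();
    fwrite(STDERR, "synced $n employees\n");
} catch (Throwable $e) {
    $dst->rollBack();                       // partial sync is never visible
    fwrite(STDERR, 'sync failed, local list left unchanged: ' . $e->getMessage() . "\n");
    exit(1);
}
```

The whole refresh runs in one transaction so the form never sees a half-updated list, and the credentials come from the environment rather than the script so the cron job's file can be world-readable without leaking the HR password. The sync only makes the drop-down complete; the form handler still has to re-check the posted employee_id against the employees table on every submission, because a visitor can edit the option values in the page or POST directly.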
harrisonad
Forum Contributor
Posts: 288
Joined: Fri Oct 15, 2004 4:58 am
Location: Philippines

Post by harrisonad »

feyd wrote: ... use a cron to "update" your local database.
Will cron work with any DBMS, such as MS SQL?

John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Sure, why not? Have a cron job execute a script that performs these updates / synchronizes the DBs.

harrisonad
Forum Contributor
Posts: 288
Joined: Fri Oct 15, 2004 4:58 am
Location: Philippines

Post by harrisonad »

Thanks, master Jcart. I will now study cron jobs.
feyd wrote: I don't quite see what a textbox would make problematic. It should only try to match the name entered to an existing employee and send the message or whatever. It shouldn't ever change any records.
If I put a textbox beside the list for 'unidentified employees', my plan is to put the person's name in the database together with the technical problem they are submitting. But the problem is that the structure of my tables is RELATIONAL. For the purpose of my problem, I will give the structures as well.

The employees table
employee_id | employee_name | etc.

The requests for service table
date | time | description | employee_id | etc.

The field employee_id of the requests table is INT(4) and relies on employee_id of the employees table for the name. When the id doesn't exist, of course no name will be displayed, or even worse, that row will not be retrieved by the following query:

-- implicit inner join: a request whose employee_id has no match in employees is dropped
SELECT date, time, description, employees.employee_name
FROM requests, employees
WHERE requests.employee_id = employees.employee_id

Whenever I use this query to retrieve all requests, it leaves out those submitted by people who are not in the employees table.

Any thoughts?
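The two pieces the post is missing, as an added example rather than code from the thread: a submission path that only ever matches the typed name or posted id against the existing employees table (feyd's point) and never inserts an employee, and a LEFT JOIN report that still returns requests whose employee_id has no matching row instead of silently dropping them. The table and column names are the ones given in the post; the `active` column, the `$pdo` connection, the `employee_name` POST field and the error messages are assumptions:

```php
<?php
// Added example, not code from the thread. Assumed tables (names as in the post):
//   employees(employee_id INT PRIMARY KEY, employee_name VARCHAR(100), active TINYINT)
//   requests(`date` DATE, `time` TIME, description TEXT, employee_id INT)
// $pdo is assumed to be a PDO connection to the intranet MySQL database.

/** Resolve what the form posted to an active employee_id, or null if nobody matches. */
function resolveEmployee(PDO $pdo, $postedId, $typedName): ?int
{
    // Never trust the drop-down value: a visitor can edit the <option> values
    // (or POST directly), so the id is re-checked against the table.
    if (is_string($postedId) && ctype_digit($postedId)) {
        $st = $pdo->prepare('SELECT employee_id FROM employees WHERE employee_id = ? AND active = 1');
        $st->execute([(int)$postedId]);
        $id = $st->fetchColumn();
        if ($id !== false) {
            return (int)$id;
        }
    }
    // Free-text box for people missing from the list: it only MATCHES an
    // existing employee (exact name); it never creates one.
    $name = is_string($typedName) ? trim($typedName) : '';
    if ($name !== '') {
        $st = $pdo->prepare('SELECT employee_id FROM employees WHERE employee_name = ? AND active = 1');
        $st->execute([$name]);
        $id = $st->fetchColumn();
        if ($id !== false) {
            return (int)$id;
        }
    }
    return null;   // unknown requester: the caller rejects the request
}

/** Insert a request for an already-resolved employee (prepared statement, no string building). */
function storeRequest(PDO $pdo, int $employeeId, string $description): void
{
    $st = $pdo->prepare(
        'INSERT INTO requests (`date`, `time`, description, employee_id)
         VALUES (CURDATE(), CURTIME(), ?, ?)'
    );
    $st->execute([$description, $employeeId]);
}

/** Every request, including those whose employee row is gone or was never synced. */
function listRequests(PDO $pdo): array
{
    // LEFT JOIN keeps every request row; the implicit inner join in the post
    // drops rows with no matching employee. COALESCE labels those rows instead of hiding them.
    return $pdo->query(
        "SELECT r.`date`, r.`time`, r.description,
                COALESCE(e.employee_name, CONCAT('unknown employee #', r.employee_id)) AS employee_name
         FROM requests r
         LEFT JOIN employees e ON e.employee_id = r.employee_id
         ORDER BY r.`date` DESC, r.`time` DESC"
    )->fetchAll(PDO::FETCH_ASSOC);
}

// Form handler (POST from the intranet page).
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $pdo = new PDO('mysql:host=localhost;dbname=intranet;charset=utf8mb4',
        'intranet', getenv('INTRANET_PW'),
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $id = resolveEmployee($pdo, $_POST['employee_id'] ?? null, $_POST['employee_name'] ?? null);
    if ($id === null) {
        http_response_code(403);
        exit('Requests are accepted from listed employees only. If you are new, ask IT to run the sync.');
    }
    storeRequest($pdo, $id, (string)($_POST['description'] ?? ''));
    echo 'Request recorded.';
}
```

With this shape the textbox cannot become a way in: an unmatched name produces a 403 and no row, so the requests table only ever holds ids that existed in employees at submission time. The LEFT JOIN is the fix for the retrieval problem in the post; it returns the orphaned rows with a placeholder name rather than hiding them, which also makes a stale or manually edited employees table visible in the report instead of silently losing requests.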
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

I've actually run into a more complex situation which boils down to this... any input?