
[nycphp-talk] Not-so-subtle attack on PHP

Kenneth Downs ken at secdat.com
Fri Sep 28 16:18:44 EDT 2007


John Campbell wrote:
> That makes sense to me, I have never considered using eleventy
> thousand views.  Is managing all of those views a problem?  Do you
> create the views on the fly, or are they "fixed" when you create the
> new user account?  How do you alter the views?
>   

no no no no no no no.

If the server supports row-level security, all users access the table 
itself.  User A, with full powers, says:

SELECT * FROM examples

and sees:

COLUMN 1     |   COLUMN 2    |   USER_ID
-------------+---------------+--------------
Value xxxx   |  Value zzzz   |  Joe
abc-123      |  xyz-abc      |  Joe
tuscon       |  texas        |  Mary

When user Joe comes along, he issues exactly the same query, but he sees 
this:

COLUMN 1     |   COLUMN 2    |   USER_ID
-------------+---------------+--------------
Value xxxx   |  Value zzzz   |  Joe
abc-123      |  xyz-abc      |  Joe


The column-level is the same.  Let's say Joe was not allowed to see 
Column 2.  So Joe says:

SELECT * FROM examples

he gets as his result:

COLUMN 1     |    USER_ID
-------------+--------------
Value xxxx   |    Joe
abc-123      |    Joe


You also need to know something about the concept of security roles or 
groups.  Joe is a member of a group, perhaps named "public", and the 
security assignment is made to the group, not to the user. 

The sad fact is that most servers do not support this directly, so you 
fake it out by creating one view per meaningful security definition.  In 
the most complicated Andromeda app a particular table has 4 different 
views for 200 users.  The framework then asks the server which view a 
particular user should use.  That particular view gives the effects 
described above.  If they try to use a different view they are denied 
access.




-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010
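The two mechanisms described in the post, shown side by side in SQL. This is an added example and not code from the original message or from the Andromeda project; it assumes PostgreSQL 9.5 or later, which has native row-level security (CREATE POLICY), and then shows the view-per-security-definition emulation for servers that lack it. The roles (app_admin, public_users, joe, mary), the table and the rows are constructed here to match the post's tables.

```sql
-- Added example, not from the original post. Assumes PostgreSQL 9.5+;
-- roles, table and rows are constructed to mirror the post's tables.

-- Roles: an administrator with full powers, and a "public" group. The
-- security assignment goes to the group, never to the individual user.
CREATE ROLE app_admin LOGIN;
CREATE ROLE public_users NOLOGIN;
CREATE ROLE joe  LOGIN IN ROLE public_users;
CREATE ROLE mary LOGIN IN ROLE public_users;

CREATE TABLE examples (
    column1 text,
    column2 text,
    user_id text NOT NULL
);
ALTER TABLE examples OWNER TO app_admin;   -- the owner bypasses RLS unless FORCE is set
INSERT INTO examples VALUES
    ('Value xxxx', 'Value zzzz', 'joe'),
    ('abc-123',    'xyz-abc',    'joe'),
    ('tuscon',     'texas',      'mary');

-- 1. Native row-level security: every user queries the table itself and
--    the server filters the rows according to the policy for their group.
ALTER TABLE examples ENABLE ROW LEVEL SECURITY;
CREATE POLICY own_rows ON examples
    FOR SELECT TO public_users
    USING (user_id = current_user);

-- Column-level restriction: the group may read column1 and user_id only.
GRANT SELECT (column1, user_id) ON examples TO public_users;

SET ROLE joe;
SELECT column1, user_id FROM examples;   -- Joe's two rows, without column2
-- SELECT * FROM examples;               -- ERROR: permission denied (column2 not granted)
RESET ROLE;

-- 2. Emulation for a server without RLS: one view per security definition.
--    The view carries the row and column filtering, the group is granted
--    the view only, and any attempt to read the base table is denied.
REVOKE ALL ON examples FROM public_users;
CREATE VIEW examples_public WITH (security_barrier) AS
    SELECT column1, user_id
      FROM examples
     WHERE user_id = current_user;
ALTER VIEW examples_public OWNER TO app_admin;   -- view is checked as its owner
GRANT SELECT ON examples_public TO public_users;

SET ROLE joe;
SELECT * FROM examples_public;   -- Joe's two rows
-- SELECT * FROM examples;       -- ERROR: permission denied (no grant on the base table)
RESET ROLE;
```

Two points a practitioner should check when copying the emulation. First, `security_barrier` matters: without it the planner may evaluate a user-supplied function before the view's WHERE clause, and a function with side effects (a RAISE NOTICE is enough) can expose rows the filter was meant to hide. Second, PostgreSQL does not silently drop ungranted columns the way the post's third table suggests; `SELECT *` against a table with column-level grants fails, so application code must name the columns it is allowed to read.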
