• Hello,

    This is an incredible plugin! I am thinking about using it to create a members registry – it looks almost perfect for this – but it is crucial that each individual record is protected by a stronger mechanism than a 5-chars URL code.

    Two ways I can think of:

    1. Linking records with WordPress user profiles. Unquestionably the best solution. But you wrote on your blog that it’s not that simple. I wonder whether you – or any other programmer here – has come up with any solution since that time, and would be willing to share. BTW, Front End Users can’t be used because the plugin is not sufficiently customisable nor allows for CSV import/export.

    2. Protecting record pages with individual passwords (for example, through native WordPress password functionality) and making those passwords available to users. No idea whether this can be achieved in a simple way.

    3. Using hashes of a greater number of digits than 5-6. Say, 20-50. This, coupled with some sort of 404-detecting plugin, could give a reasonable protection against guessing attacks.

    I will be grateful for any hints.

    k.

    https://www.ads-software.com/plugins/participants-database/

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author xnau webdesign

    (@xnau)

    The plugin was not designed for high-security applications, so I don’t recommend you use it for anything you really need strong protection for. You are free to modify the plugin for your purposes, but I don’t support it; you’ll be on your own.

    The best way to improve the security of the plugin is to require your users to log in, then link the plugin records to that user’s identity. Yes, it’s a bit complicated, but it’s not difficult if you have some WP dev skills. I do give you the basic steps to achieve this.

    It’s not difficult to increase the number of characters used in the “private link”: you should use the filter ‘pdb-private_id_length’ to set your desired length. Be aware that there are only 6 characters stored ( VARCHAR(6) ) in the database for that field, so you’ll need to alter the database to allow more characters to be stored there.

    Thread Starter kashmiri

    (@kashmiri)

    Thank you for replying. My database actually has to hold sensitive data (health related), so I guess I will look for a plugin offering more security – with big regret because Participants Database really feels great.

    @kashmiri

    I am curious to know if you have come up with a solution to your problem. I am looking to do something similar involving applications.

    I’m wanting specific PDB records (applications) to be available only to specific members, so that the only members to access the records are those that have been applied to and the one who submitted the application.

    I know there are plugins that do this with simple employment applications, but like you, my information needs to be more detailed and secure.

    So far, my only solution would be to create a plugin that creates a relationship table between login IDs and only display the applications that match. One member might submit the application to many recipients.

    The PDB plugin would need to be modified to create a more secure PDB ID to something similar to the random private ID since it would be too easy to enter the ID using /pdb-single/?pdb=1 or filter the search so that there is a match.

    @xnau I welcome any suggestions or tips to make this work. Great plugin BTW.
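
The relationship-table idea from the reply above, modelled as an added example (not part of the thread, and not Participants Database or WordPress code). Table and column names are hypothetical and the data is constructed; in WordPress the session user id would come from `get_current_user_id()`, never from the URL.

```python
import sqlite3

def build_demo_db():
    """Constructed sample data: two applications, members 10/11 submit, 20/21 receive."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE records (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, body TEXT);
        -- relationship table: which logged-in user may read which record
        CREATE TABLE record_access (
            record_id INTEGER NOT NULL REFERENCES records(id),
            user_id   INTEGER NOT NULL,
            PRIMARY KEY (record_id, user_id)
        );
        INSERT INTO records VALUES (1, 10, 'application from member 10'),
                                   (2, 11, 'application from member 11');
        INSERT INTO record_access VALUES (1, 20), (1, 21), (2, 20);
    """)
    return db

def fetch_record(db, session_user_id, record_id):
    """Return the record body only if the logged-in user submitted it or is a
    listed recipient. Unknown id and forbidden id both return None, so a
    sequential ?pdb=N walk learns nothing about which ids exist."""
    if session_user_id is None:  # not logged in: deny
        return None
    row = db.execute(
        """SELECT r.body FROM records r
           WHERE r.id = ?
             AND (r.owner_id = ?
                  OR EXISTS (SELECT 1 FROM record_access a
                             WHERE a.record_id = r.id AND a.user_id = ?))""",
        (record_id, session_user_id, session_user_id),
    ).fetchone()
    return row[0] if row else None

def visible_ids(db, session_user_id):
    """List and search views must apply the same predicate as the single view."""
    rows = db.execute(
        """SELECT r.id FROM records r
           WHERE r.owner_id = :u
              OR EXISTS (SELECT 1 FROM record_access a
                         WHERE a.record_id = r.id AND a.user_id = :u)
           ORDER BY r.id""", {"u": session_user_id}).fetchall()
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = build_demo_db()
    for user in (10, 20, 21, 30, None):
        print(user, [fetch_record(db, user, rid) for rid in (1, 2)], visible_ids(db, user))
```

With the check enforced on the server for every view, the record id in the URL no longer needs to be secret; a longer random id only adds a second layer.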

  • The topic ‘Participants Database: protecting records with password’ is closed to new replies.