Re: [WebDNA] PCI Vulnerability testing

This WebDNA talk-list message is from

2009


It keeps the original formatting.
numero = 102401
interpreted = N
texte = [text][url][name][/url]=[input][value][/input][/text] ^^^ This line is used to totally clean the input. WebDNA manages variables in different levels. Whatever level you are in right now will use the most recently declared set of variables. A level can be viewed as any looping construct, like [loop] or [founditems], etc... So here's how that line of code works... [formvariables] will give you all the variables incoming to the page. You can then create another set of identical variables with the same name using [url][name][/url]. This new set of variables will become the actual variables that are used on the page, instead of the [formvariables]. When you [url] all of the names you effectively kill all attacks because all the bad characters are converted to url'd values. The re-declaration of all the variables will not hurt your variables in any way since normal variable names don't have strange characters... so they pass right through unharmed. Matthew A Perosi JewelerWebsites.com ------------------------------by Psi Prime------- Senior Web Developer 323 Union Blvd. Totowa, NJ 07512 Pre-Sales: 888.872.0274 Service: 973.413.8213 Training: 973.413.8214 Fax: 973.413.8217 http://www.jewelerwebsites.com http://en.wikipedia.org/wiki/Psi_Prime%2C_Inc http://www.psiprime.com Govinda wrote: > > On Apr 13, 2009, at 1:35 PM, Psi Prime, Matthew A Perosi wrote: > >> This seems to work for me. >> It seems to stand up to the attacks from McAfee Secure >> >> [formvariables] >> [showif [url][name][/url]^script>][redirect /index.html][/showif] >> [showif [url][name][/url]^iframe][redirect /index.html][/showif] > >> >> [text][url][name][/url]=[input][value][/input][/text] > > what is this line ^^^ for in this context? > >> >> [/formvariables] >> [showif [countchars][cart][/countchars]>18][redirect >> /index.html][/showif] >> >> Associated Messages, from the most recent to the oldest:

    
  1. Re: [WebDNA] PCI Vulnerability testing ("Psi Prime, Matthew A Perosi " 2009)
  2. Re: [WebDNA] PCI Vulnerability testing (Jeffrey Jones 2009)
  3. Re: [WebDNA] PCI Vulnerability testing ("Psi Prime, Matthew A Perosi " 2009)
  4. Re: [WebDNA] PCI Vulnerability testing (William DeVaul 2009)
  5. Re: [WebDNA] PCI Vulnerability testing (Jeffrey Jones 2009)
  6. Re: [WebDNA] PCI Vulnerability testing ("Psi Prime, Matthew A Perosi " 2009)
  7. Re: [WebDNA] PCI Vulnerability testing (Govinda 2009)
  8. Re: [WebDNA] PCI Vulnerability testing ("Psi Prime, Matthew A Perosi " 2009)
  9. Re: [WebDNA] PCI Vulnerability testing (Govinda 2009)
  10. Re: [WebDNA] PCI Vulnerability testing ("Psi Prime, Matthew A Perosi " 2009)
  11. Re: [WebDNA] PCI Vulnerability testing (William DeVaul 2009)
  12. Re: [WebDNA] PCI Vulnerability testing (Govinda 2009)
  13. Re: [WebDNA] PCI Vulnerability testing (Marc Thompson 2009)
  14. Re: [WebDNA] PCI Vulnerability testing (William DeVaul 2009)
  15. [WebDNA] PCI Vulnerability testing (Bob Minor 2009)
[text][url][name][/url]=[input][value][/input][/text] ^^^ This line is used to totally clean the input. WebDNA manages variables in different levels. Whatever level you are in right now will use the most recently declared set of variables. A level can be viewed as any looping construct, like [loop] or [founditems], etc... So here's how that line of code works... [formvariables] will give you all the variables incoming to the page. You can then create another set of identical variables with the same name using [url][name][/url]. This new set of variables will become the actual variables that are used on the page, instead of the [formvariables]. When you [url] all of the names you effectively kill all attacks because all the bad characters are converted to url'd values. The re-declaration of all the variables will not hurt your variables in any way since normal variable names don't have strange characters... so they pass right through unharmed. Matthew A Perosi JewelerWebsites.com ------------------------------by Psi Prime------- Senior Web Developer 323 Union Blvd. Totowa, NJ 07512 Pre-Sales: 888.872.0274 Service: 973.413.8213 Training: 973.413.8214 Fax: 973.413.8217 http://www.jewelerwebsites.com http://en.wikipedia.org/wiki/Psi_Prime%2C_Inc http://www.psiprime.com Govinda wrote: > > On Apr 13, 2009, at 1:35 PM, Psi Prime, Matthew A Perosi wrote: > >> This seems to work for me. >> It seems to stand up to the attacks from McAfee Secure >> >> [formvariables] >> [showif [url][name][/url]^script>][redirect /index.html][/showif] >> [showif [url][name][/url]^iframe][redirect /index.html][/showif] > >> >> [text][url][name][/url]=[input][value][/input][/text] > > what is this line ^^^ for in this context? > >> >> [/formvariables] >> [showif [countchars][cart][/countchars]>18][redirect >> /index.html][/showif] >> >> "Psi Prime, Matthew A Perosi "

DOWNLOAD WEBDNA NOW!

Top Articles:

Talk List

The WebDNA community talk-list is the best place to get some help: several hundred extremely proficient programmers with an excellent knowledge of WebDNA and an excellent spirit will deliver all the tips and tricks you can imagine...

Related Readings:

Cookies and webcat (1997) Cart Number sequence (1997) WebCat2 beta 11 - new prefs ... (1997) Web Catalog vs. ICAT (1997) [date] for today's date, while inside old order file (1998) Migrating to NT (1997) RE: groups and [ShowNext] (1997) Separate SSL Server (1997) [OT] PHP?MySQL Help Needed (2003) X etc.... (1999) WebCat2b13MacPlugin - nested [xxx] contexts (1997) TCP Connect code for SMTP transaction (2004) [WebDNA] Triggers not working (2011) [isfile] ? (1997) ReturnRaw followup (1999) Verifying both name and password (was: New Problem) (1997) WebCat2b15MacPlugin - showing [math] (1997) Netscape 3.01 can't see db in form (1997) [OT] Ratings comparison? (2003) multi-paragraph fields (1997)