Re: [WebDNA] Search on a database
This WebDNA talk-list message is from 2012
> The code change below worked, and when I opened the admin page http://www.hydrozone-pro.com/xxxxxxx/zzzzzzzz.tpl to view the database entries, I got an alert box with the following message:
> "You don't want users adding (non-whitelisted) HTML to data that appears on a page. My example is harmless, but might have been malicious. Google 'XSS'.
>
> This brings up 2 more questions:
> 1. I'm assuming that since you were able to program an alert box to open, a malicious programmer could
> cause harm

yes ^^^ .

> to my local machine

I think so, but don't assume anything from just my input; I don't specialize in security.

> when I open the page. Could damage also be done to the server on which this page resides?

not that I am aware of, but again, I don't specialize in security.

You may be asking, what exactly IS the potential "harm"?

The javascript could have: not caused an alert message, but instead loaded some malicious code from a(nother) malicious site. Hackers are forever trying to get you (your browser, even if under the hood, via some javascript) to go to their webpages. If you do "go there" in your browser (or some underlying javascript does), then bad things can happen. I have not made the effort to learn what all they can do. I used to think that one was not susceptible to having malware loaded on their computer just from visiting a mean webpage, but now I do not assume that. I just protect myself. *At the minimum* (and don't assume I have brought to light everything you want to do to be "protected"), but *at the minimum*, you:

> 2. I have already wrapped the variables coming from the survey in [url][/url] tags. Do I wrap the variables like this?:
>
> [removehtml][url]...[/url][/removehtml].

yes ^^^ .

You can strip the html tags (including the "..." which I used to make my point), with [removehtml]...[/removehtml], either: as you are saving their input data *into* the db, or as you bring it back *out* of the db to display on your secret admin page, for viewing.

BTW, secret admin pages are not so secret when their addresses are posted on public lists.. but especially not when there is no "authentication" code protecting it.

Suggestion: how about sticking the following code at the top of your admin page(s):
(use an [include...], and then you only have to maintain this code in ONE place, but can use it at the top of the page every time you create another admin page):
(change the username and password to something secret only you know.
If you want to get even more serious .. then later you could write code to keep track of how many times someone tries to guess the user/pass... and lock them out from even being allowed to try, in case they guess more than, e.g., 3 times an hour.)

--------------------------------------------------------------------------------
[!]---quickie realm method protection---[/!]
[showif [URL][username][/URL]!yourSecretUserName][AUTHENTICATE Hi govinda!][/showif]
[showif [URL][password][/URL]!yourSecretPassword][AUTHENTICATE Hi govinda!][/showif]
--------------------------------------------------------------------------------

I don't mean to discourage you by all this extra work... ;-)

-Govinda