Re: [WebDNA] Search on a database
This WebDNA talk-list message is from 2012
> The code change below worked, and when I opened the admin page http://www.hydrozone-pro.com/xxxxxxx/zzzzzzzz.tpl to view the database entries, I got an alert box with the following message:
> "You don't want users adding (non-whitelisted) HTML to data that appears on a page. My example is harmless, but might have been malicious. Google 'XSS'.
>
> This brings up 2 more questions:
> 1. I'm assuming that since you were able to program an alert box to open, a malicious programmer could
> cause harm

yes ^^^ .

> to my local machine

I think so, but don't assume anything from just my input; I don't specialize in security.

> when I open the page. Could damage also be done to the server on which this page resides?

not that I am aware of, but again, I don't specialize in security.

You may be asking, what exactly IS the potential "harm"?

The javascript could have: not caused an alert message, but instead loaded some malicious code from a(nother) malicious site. Hackers are forever trying to get you (your browser, even if under the hood, via some javascript) to go to their webpages. If you do "go there" in your browser (or some underlying javascript does), then bad things can happen. I have not made the effort to learn what all they can do. I used to think that one was not susceptible to having malware loaded on their computer just from visiting a mean webpage, but now I do not assume that. I just protect myself. *At the minimum* (and don't assume I have brought to light everything you want to do to be "protected"), but *at the minimum*, you:

> 2. I have already wrapped the variables coming from the survey in [url][/url] tags. Do I wrap the variables like this?:
>
> [removehtml][url]...[/url][/removehtml].

yes ^^^ .

You can strip the html tags (including the "..." which I used to make my point), with [removehtml]...[/removehtml], either: as you are saving their input data *into* the db, or as you bring it back *out* of the db to display on your secret admin page, for viewing.

BTW, secret admin pages are not so secret when their addresses are posted on public lists.. but especially not when there is no "authentication" code protecting it.

Suggestion: how about sticking the following code at the top of your admin page(s):
(use an [include...], and then you only have to maintain this code in ONE place, but can use it at the top of the page every time you create another admin page):
(change the username and password to something secret only you know. If you want to get even more serious .. then later you could write code to keep track of how many times someone tries to guess the user/pass... and lock them out from even being allowed to try, in case they guess more than, e.g., 3 times an hour.)

--------------------------------------------------------------------------------
[!]---quickie realm method protection---[/!]
[showif [URL][username][/URL]!yourSecretUserName][AUTHENTICATE Hi govinda!][/showif]
[showif [URL][password][/URL]!yourSecretPassword][AUTHENTICATE Hi govinda!][/showif]
--------------------------------------------------------------------------------

I don't mean to discourage you by all this extra work... ;-)

-Govinda