Re: [WebDNA] Search on a database
This WebDNA talk-list message is from 2012
It keeps the original formatting.
> The code change below worked, and when I opened the admin page http://www.hydrozone-pro.com/xxxxxxx/zzzzzzzz.tpl to view the database entries, I got an alert box with the following message:
> "You don't want users adding (non-whitelisted) HTML to data that appears on a page. My example is harmless, but might have been malicious. Google 'XSS'.
>
> This brings up 2 more questions:
> 1. I'm assuming that since you were able to program an alert box to open, a malicious programmer could
> cause harm

yes ^^^ .

> to my local machine

I think so, but don't assume anything from just my input; I don't specialize in security.

> when I open the page. Could damage also be done to the server on which this page resides?

not that I am aware of, but again, I don't specialize in security.

You may be asking, what exactly IS the potential "harm"?

The JavaScript could have: not caused an alert message, but instead loaded some malicious code from a(nother) malicious site. Hackers are forever trying to get you (your browser, even if under the hood, via some JavaScript) to go to their webpages. If you do "go there" in your browser (or some underlying JavaScript does), then bad things can happen. I have not made the effort to learn what all they can do. I used to think that one was not susceptible to having malware loaded on their computer just from visiting a mean webpage, but now I do not assume that. I just protect myself. *At the minimum* (and don't assume I have brought to light everything you want to do to be "protected"), but *at the minimum*, you:

> 2. I have already wrapped the variables coming from the survey in [url][/url] tags. Do I wrap the variables like this?:
>
> [removehtml][url]...[/url][/removehtml].

yes ^^^ .

You can strip the HTML tags (including the "..." which I used to make my point), with [removehtml]...[/removehtml], either: as you are saving their input data *into* the db, or as you bring it back *out* of the db to display on your secret admin page, for viewing.

BTW, secret admin pages are not so secret when their addresses are posted on public lists.. but especially not when there is no "authentication" code protecting it.

Suggestion: how about sticking the following code at the top of your admin page(s):
(use an [include...], and then you only have to maintain this code in ONE place, but can use it at the top of the page every time you create another admin page):
(change the username and password to something secret only you know.
If you want to get even more serious .. then later you could write code to keep track of how many times someone tries to guess the user/pass... and lock them out from even being allowed to try, in case they guess more than, e.g., 3 times an hour.)

--------------------------------------------------------------------------------
[!]---quickie realm method protection---[/!]
[!] [username] and [password] hold what the browser sent in its HTTP Basic
    Auth header; [AUTHENTICATE ...] returns the 401 challenge that makes the
    browser prompt for them, so a wrong or missing value re-prompts. [/!]
[showif [URL][username][/URL]!yourSecretUserName][AUTHENTICATE Hi govinda!][/showif]
[showif [URL][password][/URL]!yourSecretPassword][AUTHENTICATE Hi govinda!][/showif]
--------------------------------------------------------------------------------

I don't mean to discourage you by all this extra work... ;-)

-Govinda
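The stored-XSS problem Govinda describes, worked through as an added example (not code from the message or from WebDNA): survey answers saved with HTML in them are dropped into the admin page, and the two output-side fixes are stripping tags on the way out of the db (the [removehtml] approach) and HTML-escaping on output. The survey rows, the tag regex and the function names are this example's own; WebDNA's [removehtml] is only modelled here, and one row shows why a single-pass stripper has to be run until nothing changes.

```python
"""Added example: stored survey answers rendered on an admin page, raw vs. sanitised.
Not Govinda's code; WebDNA's [removehtml] is approximated by remove_html() below.
"""
import html
import re

# Constructed sample rows, as a survey form might have saved them into the db.
SURVEY_ROWS = [
    {"name": "Alice", "comment": "Great product, thanks!"},
    # The kind of answer used in the message to make the point: an alert box.
    {"name": "Mallory", "comment": "<script>alert('XSS')</script>nice"},
    # A nested tag: one pass of a tag stripper turns this back into <script>.
    {"name": "Mallory", "comment": "<scr<script>ipt>alert(1)</script>"},
]

# A tag: '<', a name or '/', anything up to the next '>' that is not another '<'.
TAG_RE = re.compile(r"<[a-zA-Z/][^<>]*>")


def remove_html(value: str) -> str:
    """Strip tags, repeating until the text stops changing.

    Assumed analogue of WebDNA's [removehtml]. A single pass over
    '<scr<script>ipt>' removes the inner tag and leaves '<script>' behind,
    which is why the loop is needed.
    """
    previous = None
    while previous != value:
        previous, value = value, TAG_RE.sub("", value)
    return value


def render_row_raw(row: dict) -> str:
    """The vulnerable version: stored text dropped straight into the page."""
    return f"<tr><td>{row['name']}</td><td>{row['comment']}</td></tr>"


def render_row_stripped(row: dict) -> str:
    """Fix 1: strip tags as the data comes *out* of the db (covers old rows too)."""
    return (f"<tr><td>{remove_html(row['name'])}</td>"
            f"<td>{remove_html(row['comment'])}</td></tr>")


def render_row_escaped(row: dict) -> str:
    """Fix 2: escape on output, so '<' is displayed as text and nothing runs.

    Unlike stripping, this keeps the answer intact for the admin to read."""
    return (f"<tr><td>{html.escape(row['name'])}</td>"
            f"<td>{html.escape(row['comment'])}</td></tr>")


def contains_script(markup: str) -> bool:
    """Crude check used only to show the difference: any script element left?"""
    return re.search(r"<script\b", markup, re.IGNORECASE) is not None


def admin_page(rows, renderer) -> str:
    """Assemble the admin listing with the given row renderer."""
    return "<table>" + "".join(renderer(r) for r in rows) + "</table>"


if __name__ == "__main__":
    for renderer in (render_row_raw, render_row_stripped, render_row_escaped):
        page = admin_page(SURVEY_ROWS, renderer)
        print(f"{renderer.__name__:21s} script element in page: {contains_script(page)}")
```

Stripping at save time also works, as the message says, but it throws the original text away and leaves any rows saved before the fix untouched; escaping on output handles both and is the safer default when the admin only needs to read the answers.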
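The realm check at the top of the admin page, plus the lockout Govinda suggests as the next step (refuse further guesses after 3 failures in an hour), as an added example that is not code from the message or from WebDNA. It models what [AUTHENTICATE] and the [username]/[password] comparison do in HTTP terms: a 401 with a WWW-Authenticate realm makes the browser prompt, a correct pair lets the page render, and repeated wrong pairs from one client address are refused before they are even checked. The placeholder credentials and realm string are the message's own; the client addresses, timestamps and function names are assumptions of this example.

```python
"""Added example: HTTP Basic Auth gate with a per-client lockout.
Not Govinda's code; it models what the [showif]/[AUTHENTICATE] lines do.
"""
import base64
import hmac
import time
from collections import defaultdict

REALM = "Hi govinda!"             # realm string from the message
ADMIN_USER = "yourSecretUserName"  # placeholders from the message; change them
ADMIN_PASS = "yourSecretPassword"
MAX_FAILURES = 3                   # "more than, e.g., 3 times an hour"
WINDOW_SECONDS = 3600

# Timestamps of failed guesses per client address (in-memory for the example).
failures = defaultdict(list)


def parse_basic_auth(header):
    """Return (user, password) from 'Basic <base64>' or None if unusable."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def credentials_ok(user, password):
    """Compare both fields in constant time so timing reveals neither."""
    user_ok = hmac.compare_digest(user.encode(), ADMIN_USER.encode())
    pass_ok = hmac.compare_digest(password.encode(), ADMIN_PASS.encode())
    return user_ok and pass_ok


def is_locked_out(client, now):
    """Drop failures older than the window; lock if what remains is at the limit."""
    recent = [t for t in failures[client] if now - t < WINDOW_SECONDS]
    failures[client] = recent
    return len(recent) >= MAX_FAILURES


def gate(client, auth_header, now=None):
    """Decide what the admin page does for this request.

    Returns (status, headers): 200 lets the page render, 401 challenges the
    browser (the [AUTHENTICATE] case), 429 refuses to even check a guess.
    """
    now = time.time() if now is None else now
    if is_locked_out(client, now):
        return 429, {"Retry-After": str(WINDOW_SECONDS)}
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    creds = parse_basic_auth(auth_header)
    if creds is None:
        # First visit, no credentials yet: prompt, but don't count it as a guess.
        return 401, challenge
    if credentials_ok(*creds):
        failures.pop(client, None)
        return 200, {}
    failures[client].append(now)
    return 401, challenge


def basic(user, password):
    """Build the Authorization header value a browser sends after the dialog."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    t0 = 1_700_000_000                      # constructed clock
    ip = "203.0.113.5"                      # constructed client address
    print(gate(ip, None, t0))                                   # 401: prompt
    for i in range(3):
        print(gate(ip, basic("admin", f"guess{i}"), t0 + i))    # 401 three times
    print(gate(ip, basic(ADMIN_USER, ADMIN_PASS), t0 + 10))     # 429: locked out
    print(gate(ip, basic(ADMIN_USER, ADMIN_PASS), t0 + 3601))   # 200: window passed
```

The two [showif] lines in the message stop at the challenge; the counter here is what "keep track of how many times someone tries" adds on top, and it must be keyed on something the guesser cannot change freely (the client address here, an assumption) and stored where every request can see it, not in a per-page variable.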