Re: [Feature Request] Stronghold security variables that cannot be forced as formvariables

This WebDNA talk-list message (number 29589) is from 2000.

Nicolas,

I don't know if you saw the posts by SM on this over the last couple weeks or not... I think they said webcat 4 would take care of this, but meanwhile you can use:

[showif [FormVariables name=IsAdmin&exact=T][value][/FormVariables]!]
user is trying to hack in!
[redirect ...] (goes to the same page *without* the &IsAdmin=digit)
[/showif]

Unless I goofed up (this is just from memory)... but you probably got the idea.

-John

Nicolas Verhaeghe wrote:

> Say you have a form which helps you administer users. Some of these users
> can be set to administrators or downgraded to simple users.
>
> Say you have a variable, IsAdmin, for instance, you wish to set to 0 or
> 1 in order to set to administrator, and place in a [replace] context or a
> [SQL] call.
>
> For security purposes, you do not want to let this variable IsAdmin appear
> in the form. In the form, you use something like Administrator and you set
> it to Yes or No. Then a duo of [Showif] in the template (or the section
> of the template) that treats the data returned by the form will do the
> transformation into the IsAdmin variable.
>
> Say this form is also used by people who are administrators at a lower level
> and you do not want them to be able to name other administrators or even
> downgrade you.
>
> You do not want them to be able to add &IsSuperAdmin=1 to their own settings
> or &IsAdmin=1 to somebody else or even &IsSuperAdmin=0 to your own setting.
>
> Adding &IsSuperAdmin=1 to the URL will make this variable a formvariable and
> your script will not be able to force it to 0 or anything else.
>
> Of course, they have to know the name of the variables you use, but:
>
> 1- They can always give it a try and maybe guess one of them
> 2- You may have fired your (or one of your) WebDNA programmer(s), and he
> knows the templates and the names of the variables
>
> Solution to case 1 is to use complicated names for those variables you do
> not wish somebody to force to what they want. But it is not 100% sure.
>
> Solution to case 2 is to reprogram the scripts (costly) or keep your WebDNA
> programmer, even if he acts like ....
>
> The great idea would be variables whose names show that they cannot be
> forced as formvariables. Something like:
>
> [$IsAdmin] or anything like that would be great.
>
> WebCatalog has to know that a formvariable starting with this $ sign
> should not be imported.
>
> Err... Either this already exists and I don't know it yet, or it does not
> and please, if you could add this to WebCatalog, even version 3.0.x, that
> would be great!

Associated Messages, from the most recent to the oldest:

    
  1. Re: [Feature Request] Stronghold security variables that cannot be forced as formvariables (John Butler 2000)
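The problem in this thread is a classic parameter-override (mass-assignment) weakness: an internal variable such as IsAdmin takes whatever value a client appends to the URL. The following Python is an added example, not code from the thread and not WebDNA; it models John's check (refuse a request that carries an internal variable name as a form variable) together with the public-field-to-internal-flag mapping Nicolas's two [Showif]s perform, and goes one step further than both by accepting only an allowlist of form fields and by making the super-admin check an authorization decision on the caller rather than a matter of variable naming. The names RESERVED, ALLOWED_FIELDS, apply_user_update, attempt and demo, and the sample users, are assumptions made for this illustration.

```python
from urllib.parse import parse_qs

# Internal variable names that must never be accepted from the client
# (assumed names, taken from the thread's examples).
RESERVED = frozenset({"IsAdmin", "IsSuperAdmin"})

# Public form fields the client may send, with the values each accepts
# (None means free text). Anything not listed here is refused.
ALLOWED_FIELDS = {
    "username": None,
    "Administrator": {"Yes", "No"},
}


class RejectedRequest(Exception):
    """Raised when a submission must not be processed."""


def parse_form(query_string):
    """Parse a URL-encoded query string or form body into a dict.

    Mirrors the [FormVariables name=IsAdmin&exact=T] check, but as an
    allowlist: a reserved internal name, an unknown field or a value
    outside the permitted set all reject the request outright.
    """
    raw = parse_qs(query_string, keep_blank_values=True)
    form = {}
    for name, values in raw.items():
        if name in RESERVED:
            raise RejectedRequest(f"internal variable {name!r} supplied by client")
        if name not in ALLOWED_FIELDS:
            raise RejectedRequest(f"unknown form field {name!r}")
        value = values[-1]  # last occurrence wins, as in most form parsers
        permitted = ALLOWED_FIELDS[name]
        if permitted is not None and value not in permitted:
            raise RejectedRequest(f"bad value for {name!r}: {value!r}")
        form[name] = value
    if "username" not in form:
        raise RejectedRequest("username is required")
    return form


def apply_user_update(query_string, actor, users):
    """Map the public form onto internal variables and update `users`.

    `actor` is the authenticated caller's own record. Only a super admin
    may change anyone's admin status, and IsSuperAdmin is never derived
    from form input at all, so guessing its name gains nothing.
    """
    form = parse_form(query_string)
    if form["username"] not in users:
        raise RejectedRequest(f"no such user {form['username']!r}")
    target = users[form["username"]]
    if "Administrator" in form:
        if not actor.get("IsSuperAdmin"):
            raise RejectedRequest("only a super admin may change admin status")
        # The two-[Showif] transformation from the thread, done explicitly.
        target["IsAdmin"] = 1 if form["Administrator"] == "Yes" else 0
    return target


def attempt(query_string, actor, users):
    """Run one update and report ("ok", record) or ("rejected", reason)."""
    try:
        return "ok", apply_user_update(query_string, actor, users)
    except RejectedRequest as exc:
        return "rejected", str(exc)


def demo():
    """Constructed sample data: two users and two callers."""
    users = {
        "alice": {"IsAdmin": 0, "IsSuperAdmin": 0},
        "bob": {"IsAdmin": 1, "IsSuperAdmin": 1},
    }
    super_admin = {"IsSuperAdmin": 1}
    lower_admin = {"IsSuperAdmin": 0}
    results = [
        attempt("username=alice&Administrator=Yes", super_admin, users),
        attempt("username=alice&IsSuperAdmin=1", super_admin, users),
        attempt("username=bob&Administrator=No", lower_admin, users),
        attempt("username=bob&isadmin=0", lower_admin, users),
    ]
    return users, results


if __name__ == "__main__":
    for outcome, detail in demo()[1]:
        print(outcome, detail)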
