Re: math variable security
This WebDNA talk-list message is from 2000
It keeps the original formatting.
Actually that means nothing. I would not recommend the use of a shovel as a hammer but a shovel is very useful. If you want to use the following:

[text secure=f&multi=t]fname=&lname=[/text]
[math secure=f]error=0[/math]

then on my submitted page I do:

[formvariables][showif [value]=][math show=f]error=error+1[/math][/showif][/formvariables]
[showif [error]>0][redirect thispage.tpl?error=[error][formvariables]&[name]=[value][/formvariables]][/showif]
[fname] [lname] you done good digging through that form.

Why is this insecure? Who cares if they override my variables? My shovel works fine. If I decide to make a security program I will be sure to avoid this possible security hole, but on non secure/unimportant areas, why should I protect them like Fort Knox? This is just one example; I have hundreds that work. Why would having a feature that is adjustable be a bad thing?

I understand that maintaining a logical flow for both variable types may be difficult, but I see it as a mistake not to.

I saw John's comments on the insecurity of this type of programming, but unless you are opening a hole, there is no hole and therefore this programming technique is valid. You may just need to think about what you are doing before you do it. I certainly won't be denying IP addresses using this technique.

Heck it doesn't make sense to remove capabilities for our own darn good.

Sincerely
Robert Minor
Director of Internet Services
------------------------------------------------------------
Cybermill Communications
http://www.cybermill.com http://www.merchantmaker.com
Providing Ecommerce and interactive website development and
hosting services on Macintosh, Windows NT, Unix, and AS/400.

> From: WebDNA Support
> Reply-To: (WebCatalog Talk)
> Date: Mon, 19 Jun 2000 21:49:03
> To: (WebCatalog Talk)
> Subject: Re: math variable security
>
> It was hard enough to add to text variables. It's difficult to
> explain, but doing the same for [math] would be much harder. Not to
> mention the fact that we don't recommend this un-secure use of either
> text or math variables.
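
An added example, not part of the original message and not WebDNA code: a simplified Python model of the override discussed in this thread, assuming a variable declared secure=f is replaced by a request parameter of the same name. The Page class, count_blank, checked_error and the sample request are hypothetical names constructed for illustration.

```python
# Simplified model of template variable lookup; not WebDNA's implementation.
# Assumption: a variable declared secure=f may be replaced by a request
# parameter of the same name, while a secure variable never is.

class Page:
    def __init__(self, form_vars):
        self.form_vars = dict(form_vars)   # client-controlled input
        self.vars = {}                     # values set by the template author
        self.overridable = set()           # names declared with secure=f

    def declare(self, name, value, secure=True):
        self.vars[name] = value
        if not secure:
            self.overridable.add(name)

    def get(self, name):
        if name in self.overridable and name in self.form_vars:
            return self.form_vars[name]    # the client's value wins
        return self.vars[name]


def count_blank(form_vars, fields):
    """Server-side recount of empty required fields."""
    return sum(1 for f in fields if not form_vars.get(f, "").strip())


def form_page(query, secure):
    """Error count the form page would display after the redirect."""
    page = Page(query)
    page.declare("error", "0", secure=secure)
    return page.get("error")


def checked_error(query, fields=("fname", "lname")):
    """Variant that ignores the supplied count and recomputes it."""
    return str(count_blank(query, fields))


# Constructed request: the redirect target with an altered error count.
SAMPLE = {"error": "7", "fname": "", "lname": "Minor"}

if __name__ == "__main__":
    print("secure=f shows:", form_page(SAMPLE, secure=False))
    print("secure=t shows:", form_page(SAMPLE, secure=True))
    print("recomputed:   ", checked_error(SAMPLE))
```

The displayed count only follows the request when the variable is overridable, which is harmless for a banner and is the reason the same lookup should not feed an access decision.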
Bob Minor