Re: math variable security

This WebDNA talk-list message is from

2000


It keeps the original formatting.
numero = 33400
interpreted = N
texte = Actually that means nothing. I would not recommend the use of a shovel as a hammer but a shovel is very useful. If you want to use the following:[text secure=f&multi=t]fname=&lname=[/text] [math secure=f]error=0[/math]
[showif [error]>1][showif [fname]=]oops this one is blank[/showif][/showif]
[showif [error]>1][showif [lname]=]oops this one is blank[/showif][/showif]
then on my submitted page I do: [formvariables] [showif [value]=][math show=f]error=error+1[/math][/showif] [/formvariables] [showif [error]>0] [redirect thispage.tpl?error=[error][formvariables]&[name]=[value][/formvariables]] [showif] [fname] [lname] you done good digging through that form.why is this insecure. Who cares if they override my variables? My shovel works fine. If I decide to make a security program I will be sure to avoid this possible security hole, but on non secure/unimportant areas, why should I protect them like fort knox. This is just one example I have hundreds that work. Why would having a feature that is adjustable be a bad thing?I understand that maintaining a logical flow for both variable types maybe difficult, but I see it as a mistake not to.I saw Johns comments on the insecurity of this type of programming, but unless you are opening a hole, there is no hole and therefore this programming technique is valid. You may just need to think about what you are doing before you do it. I certainly won't be denying ipaddresses using this technique.Heck it doesn't make sense to remove capabilities for our own darn good.Sincerely Robert Minor Director of Internet Services ------------------------------------------------------------ Cybermill Communications http://www.cybermill.com http://www.merchantmaker.comProviding Ecommerce and interactive website development and hosting services on Macintosh, Windows NT, Unix, and AS/400.> From: WebDNA Support > Reply-To: (WebCatalog Talk) > Date: Mon, 19 Jun 2000 21:49:03 > To: (WebCatalog Talk) > Subject: Re: math variable security > > It was hard enough to add to text variables. It's difficult to > explain, but doing the same for [math] would be much harder. Not to > mention the fact that we don't recommend this un-secure use of either > text or math variables. ------------------------------------------------------------- This message is sent to you because you are subscribed to the mailing list . To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to Web Archive of this list is at: http://search.smithmicro.com/ Associated Messages, from the most recent to the oldest:

    
  1. Re: math variable security [MEDIUM LONG] (Bob Minor 2000)
  2. Re: math variable security [MEDIUM LONG] (John Peacock 2000)
  3. Re: math variable security [MEDIUM LONG] (Bob Minor 2000)
  4. Re: math variable security [VERY LONG] (John Peacock 2000)
  5. Re: math variable security (Paul Uttermohlen 2000)
  6. Re: math variable security (Bob Minor 2000)
  7. Re: math variable security (WebDNA Support 2000)
  8. Re: math variable security (Bob Minor 2000)
  9. Re: math variable security (WebDNA Support 2000)
  10. math variable security (Bob Minor 2000)
Actually that means nothing. I would not recommend the use of a shovel as a hammer but a shovel is very useful. If you want to use the following:[text secure=f&multi=t]fname=&lname=[/text] [math secure=f]error=0[/math]
[showif [error]>1][showif [fname]=]oops this one is blank[/showif][/showif]
[showif [error]>1][showif [lname]=]oops this one is blank[/showif][/showif]
then on my submitted page I do: [formvariables] [showif [value]=][math show=f]error=error+1[/math][/showif] [/formvariables] [showif [error]>0] [redirect thispage.tpl?error=[error][formvariables]&[name]=[value][/formvariables]] [showif] [fname] [lname] you done good digging through that form.why is this insecure. Who cares if they override my variables? My shovel works fine. If I decide to make a security program I will be sure to avoid this possible security hole, but on non secure/unimportant areas, why should I protect them like fort knox. This is just one example I have hundreds that work. Why would having a feature that is adjustable be a bad thing?I understand that maintaining a logical flow for both variable types maybe difficult, but I see it as a mistake not to.I saw Johns comments on the insecurity of this type of programming, but unless you are opening a hole, there is no hole and therefore this programming technique is valid. You may just need to think about what you are doing before you do it. I certainly won't be denying ipaddresses using this technique.Heck it doesn't make sense to remove capabilities for our own darn good.Sincerely Robert Minor Director of Internet Services ------------------------------------------------------------ Cybermill Communications http://www.cybermill.com http://www.merchantmaker.comProviding Ecommerce and interactive website development and hosting services on Macintosh, Windows NT, Unix, and AS/400.> From: WebDNA Support > Reply-To: (WebCatalog Talk) > Date: Mon, 19 Jun 2000 21:49:03 > To: (WebCatalog Talk) > Subject: Re: math variable security > > It was hard enough to add to text variables. It's difficult to > explain, but doing the same for [math] would be much harder. Not to > mention the fact that we don't recommend this un-secure use of either > text or math variables. ------------------------------------------------------------- This message is sent to you because you are subscribed to the mailing list . To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to Web Archive of this list is at: http://search.smithmicro.com/ Bob Minor

DOWNLOAD WEBDNA NOW!

Top Articles:

Talk List

The WebDNA community talk-list is the best place to get some help: several hundred extremely proficient programmers with an excellent knowledge of WebDNA and an excellent spirit will deliver all the tips and tricks you can imagine...

Related Readings:

Bug Report, maybe (1997) Template Encrypt Speed (1998) A question on sub-categories (1997) Help! WebCat2 bug (1997) Item options w/ price adjustment (1997) weird user / authenticate happenings (2003) Max Record length restated as maybe bug (1997) [OT] Form POSTing with LONG variable (2007) RAW=T..Strange behaviour (2000) WebDNA-Talk Digest mode broken (1997) WebCat2b13 Mac plugin - [sendmail] and checkboxes (1997) Displaying backgrounds (1999) Longer .extensions with Windows? (1998) [WebDNA] GREP Question (2009) WebCat2b13MacPlugIn - [showif][search][/showif] (1997) [BULK] [WebDNA] Multiple e-mail sending (2011) emailer (1997) TCPConnect / Current Temperature (2004) OT: Poll Please (2002) [shell] (2003)