Re: math variable security

This WebDNA talk-list message is from 2000. It keeps the original formatting.
Actually that means nothing. I would not recommend the use of a shovel as a hammer but a shovel is very useful. If you want to use the following:

[text secure=f&multi=t]fname=&lname=[/text]
[math secure=f]error=0[/math]
[showif [error]>1][showif [fname]=]oops this one is blank[/showif][/showif]
[showif [error]>1][showif [lname]=]oops this one is blank[/showif][/showif]

then on my submitted page I do:

[formvariables]
[showif [value]=][math show=f]error=error+1[/math][/showif]
[/formvariables]
[showif [error]>0]
[redirect thispage.tpl?error=[error][formvariables]&[name]=[value][/formvariables]]
[/showif]
[fname] [lname] you done good digging through that form.

Why is this insecure? Who cares if they override my variables? My shovel works fine. If I decide to make a security program I will be sure to avoid this possible security hole, but on non secure/unimportant areas, why should I protect them like Fort Knox? This is just one example; I have hundreds that work. Why would having a feature that is adjustable be a bad thing?

I understand that maintaining a logical flow for both variable types may be difficult, but I see it as a mistake not to.

I saw John's comments on the insecurity of this type of programming, but unless you are opening a hole, there is no hole and therefore this programming technique is valid. You may just need to think about what you are doing before you do it. I certainly won't be denying IP addresses using this technique.

Heck, it doesn't make sense to remove capabilities for our own darn good.

Sincerely
Robert Minor
Director of Internet Services
------------------------------------------------------------
Cybermill Communications
http://www.cybermill.com
http://www.merchantmaker.com
Providing Ecommerce and interactive website development and hosting services on Macintosh, Windows NT, Unix, and AS/400.

> From: WebDNA Support
> Reply-To: (WebCatalog Talk)
> Date: Mon, 19 Jun 2000 21:49:03
> To: (WebCatalog Talk)
> Subject: Re: math variable security
>
> It was hard enough to add to text variables. It's difficult to
> explain, but doing the same for [math] would be much harder. Not to
> mention the fact that we don't recommend this un-secure use of either
> text or math variables.
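
The flow in this message, reduced to a small Python model to show which values end up request-controlled (an added example, not code from the thread or from WebDNA). It assumes that secure=f means a request parameter of the same name takes precedence over the template's own variable; `resolve`, `form_page` and `submitted_page` are hypothetical names.

```python
ERROR_THRESHOLD = 1            # the message tests [error]>1
FIELDS = ("fname", "lname")    # the two fields in the message's form


def resolve(name, template_vars, request_params, secure):
    """Value a [name] reference sees under the assumed lookup order."""
    if not secure and name in request_params:
        return request_params[name]      # request value overrides the template
    return template_vars.get(name, "")


def to_count(raw):
    """Request data is text; anything that is not a whole number counts as 0."""
    try:
        return int(raw)
    except (TypeError, ValueError):
        return 0


def form_page(request_params, secure):
    """Form page: defaults are set first, then the per-field notices are shown."""
    defaults = {"fname": "", "lname": "", "error": "0"}
    error = to_count(resolve("error", defaults, request_params, secure))
    return [f for f in FIELDS
            if error > ERROR_THRESHOLD
            and resolve(f, defaults, request_params, secure) == ""]


def submitted_page(form):
    """Recount blanks from the expected fields; 'error' in the request is ignored.

    A field that is missing altogether counts as blank, which a loop over only
    the submitted variables would not notice.
    """
    error = sum(1 for f in FIELDS if form.get(f, "") == "")
    return ("redirect", error) if error > 0 else ("ok", 0)


if __name__ == "__main__":
    constructed = {"error": "2", "fname": "", "lname": "Minor"}  # constructed input
    print(form_page(constructed, secure=False))   # notices driven by the URL
    print(form_page(constructed, secure=True))    # template defaults win
    print(submitted_page({"fname": "Bob", "error": "0"}))
```

Under this model the form page's notices are purely a function of the URL, so the decision that matters has to be the recount on the submitted page.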
Associated Messages, from the most recent to the oldest:

    
  1. Re: math variable security [MEDIUM LONG] (Bob Minor 2000)
  2. Re: math variable security [MEDIUM LONG] (John Peacock 2000)
  3. Re: math variable security [MEDIUM LONG] (Bob Minor 2000)
  4. Re: math variable security [VERY LONG] (John Peacock 2000)
  5. Re: math variable security (Paul Uttermohlen 2000)
  6. Re: math variable security (Bob Minor 2000)
  7. Re: math variable security (WebDNA Support 2000)
  8. Re: math variable security (Bob Minor 2000)
  9. Re: math variable security (WebDNA Support 2000)
  10. math variable security (Bob Minor 2000)