Re: math variable security

This WebDNA talk-list message is from 2000. It keeps the original formatting.
Actually that means nothing. I would not recommend the use of a shovel as a hammer, but a shovel is very useful. If you want to use the following:

[text secure=f&multi=t]fname=&lname=[/text]
[math secure=f]error=0[/math]
[showif [error]>1][showif [fname]=]oops this one is blank[/showif][/showif]
[showif [error]>1][showif [lname]=]oops this one is blank[/showif][/showif]

then on my submitted page I do:

[formvariables]
[showif [value]=][math show=f]error=error+1[/math][/showif]
[/formvariables]
[showif [error]>0]
[redirect thispage.tpl?error=[error][formvariables]&[name]=[value][/formvariables]]
[/showif]
[fname] [lname] you done good digging through that form.

Why is this insecure? Who cares if they override my variables? My shovel works fine. If I decide to make a security program I will be sure to avoid this possible security hole, but on non secure/unimportant areas, why should I protect them like Fort Knox? This is just one example; I have hundreds that work. Why would having a feature that is adjustable be a bad thing?

I understand that maintaining a logical flow for both variable types may be difficult, but I see it as a mistake not to.

I saw John's comments on the insecurity of this type of programming, but unless you are opening a hole, there is no hole and therefore this programming technique is valid. You may just need to think about what you are doing before you do it. I certainly won't be denying IP addresses using this technique.

Heck, it doesn't make sense to remove capabilities for our own darn good.

Sincerely
Robert Minor
Director of Internet Services
------------------------------------------------------------
Cybermill Communications
http://www.cybermill.com
http://www.merchantmaker.com
Providing Ecommerce and interactive website development and hosting services on Macintosh, Windows NT, Unix, and AS/400.

> From: WebDNA Support
> Reply-To: (WebCatalog Talk)
> Date: Mon, 19 Jun 2000 21:49:03
> To: (WebCatalog Talk)
> Subject: Re: math variable security
>
> It was hard enough to add to text variables. It's difficult to
> explain, but doing the same for [math] would be much harder. Not to
> mention the fact that we don't recommend this un-secure use of either
> text or math variables.

Associated Messages, from the most recent to the oldest:

    
  1. Re: math variable security [MEDIUM LONG] (Bob Minor 2000)
  2. Re: math variable security [MEDIUM LONG] (John Peacock 2000)
  3. Re: math variable security [MEDIUM LONG] (Bob Minor 2000)
  4. Re: math variable security [VERY LONG] (John Peacock 2000)
  5. Re: math variable security (Paul Uttermohlen 2000)
  6. Re: math variable security (Bob Minor 2000)
  7. Re: math variable security (WebDNA Support 2000)
  8. Re: math variable security (Bob Minor 2000)
  9. Re: math variable security (WebDNA Support 2000)
  10. math variable security (Bob Minor 2000)
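Added example, not part of the original message or of WebDNA itself: a Python model of the form page in the message, contrasting the posted setup, where the request can supply error, with one that recounts error on the server. The override rule in resolve() is an assumption taken from the message's description of secure=f, and all function names are hypothetical.

```python
FIELDS = ("fname", "lname")
DEFAULTS = {"fname": "", "lname": "", "error": 0}

def resolve(params, overridable):
    """Start from the template defaults; let the request replace only the
    names in `overridable` (assumed meaning of secure=f, not WebDNA code)."""
    scope = dict(DEFAULTS)
    for name in overridable:
        if name in params:
            scope[name] = params[name]
    return scope

def to_int(value):
    """Request values arrive as strings; anything non-numeric counts as 0."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return 0

def hints(scope):
    """Same gate as [showif [error]>1] in the message."""
    if scope["error"] > 1:
        return [f for f in FIELDS if scope[f] == ""]
    return []

def form_page_as_posted(params):
    """fname, lname and error are all overridable, as in the message."""
    scope = resolve(params, overridable=DEFAULTS)
    scope["error"] = to_int(scope["error"])
    return scope["error"], hints(scope)

def form_page_recounted(params):
    """Only the display fields are overridable; error is recounted on the
    server from the blank fields the request actually carried."""
    scope = resolve(params, overridable=FIELDS)
    scope["error"] = sum(1 for f in FIELDS if params.get(f) == "")
    return scope["error"], hints(scope)

if __name__ == "__main__":
    # Constructed query strings, already parsed into dicts.
    for params in ({"error": "2"}, {"error": "0", "fname": "", "lname": ""}):
        print(params, form_page_as_posted(params), form_page_recounted(params))
```

In the posted setup the page's branch follows whatever error value the query string carries; in the recounted variant the same query parameter has no effect.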
