Re: math variable security

This WebDNA talk-list message is from 2000.
Actually that means nothing. I would not recommend the use of a shovel as a hammer, but a shovel is very useful. If you want to use the following:

    [text secure=f&multi=t]fname=&lname=[/text]
    [math secure=f]error=0[/math]
    [showif [error]>1][showif [fname]=]oops this one is blank[/showif][/showif]
    [showif [error]>1][showif [lname]=]oops this one is blank[/showif][/showif]

then on my submitted page I do:

    [!] count one error per blank form field [/!]
    [formvariables]
      [showif [value]=][math show=f]error=error+1[/math][/showif]
    [/formvariables]
    [!] send the count and every submitted field back to the form page [/!]
    [showif [error]>0]
      [redirect thispage.tpl?error=[error][formvariables]&[name]=[value][/formvariables]]
    [/showif]
    [fname] [lname] you done good digging through that form.

Why is this insecure? Who cares if they override my variables? My shovel works fine. If I decide to make a security program I will be sure to avoid this possible security hole, but on non-secure/unimportant areas, why should I protect them like Fort Knox? This is just one example; I have hundreds that work. Why would having a feature that is adjustable be a bad thing?

I understand that maintaining a logical flow for both variable types may be difficult, but I see it as a mistake not to.

I saw John's comments on the insecurity of this type of programming, but unless you are opening a hole, there is no hole, and therefore this programming technique is valid. You may just need to think about what you are doing before you do it. I certainly won't be denying IP addresses using this technique. Heck, it doesn't make sense to remove capabilities for our own darn good.

Sincerely,
Robert Minor
Director of Internet Services
------------------------------------------------------------
Cybermill Communications
http://www.cybermill.com
http://www.merchantmaker.com
Providing e-commerce and interactive website development and hosting services on Macintosh, Windows NT, Unix, and AS/400.

> From: WebDNA Support
> Reply-To: (WebCatalog Talk)
> Date: Mon, 19 Jun 2000 21:49:03
> To: (WebCatalog Talk)
> Subject: Re: math variable security
>
> It was hard enough to add to text variables. It's difficult to
> explain, but doing the same for [math] would be much harder. Not to
> mention the fact that we don't recommend this un-secure use of either
> text or math variables.
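The precedence rule the thread argues over, as an added Python model that is not code from the message or from WebDNA: a variable declared with secure=f is replaced by a submitted form/URL variable of the same name, one declared with secure=t is not. The variable names (fname, lname, error) follow the message; the helper functions and the "recompute" option are constructed here.

```python
# Added example (not from the list message or from WebDNA): a small model of
# the precedence rule behind [text secure=t|f] and [math secure=t|f].
# With secure=f a submitted form/URL variable of the same name replaces the
# template's value; with secure=t the template's value wins.  The variable
# names follow the message; the helper functions are constructed here.

def declare(template, name, value, secure=True):
    """Register a template variable, like [text secure=...]name=value[/text]."""
    template[name] = (value, secure)

def resolve(template, request):
    """Effective variables: secure=f lets request input win, secure=t does not."""
    out = {}
    for name, (value, secure) in template.items():
        out[name] = request[name] if (not secure and name in request) else value
    return out

def count_blank(request, fields):
    """The [formvariables] loop from the message: one error per blank field."""
    return sum(1 for f in fields if request.get(f, "") == "")

def blank_messages(template, request, fields, recompute=False):
    """Names that get the 'oops this one is blank' message.

    recompute=False trusts the 'error' counter as resolved from the request
    (the redirect pattern in the message); recompute=True re-derives it from
    the submitted fields on the displaying page instead.
    """
    v = resolve(template, request)
    error = count_blank(request, fields) if recompute else int(v["error"])
    if error < 1:
        return []
    return [f for f in fields if v[f] == ""]

def sample_template():
    """The declarations from the message, all overridable by the request."""
    t = {}
    declare(t, "fname", "", secure=False)  # [text secure=f&multi=t]fname=&lname=[/text]
    declare(t, "lname", "", secure=False)
    declare(t, "error", 0, secure=False)   # [math secure=f]error=0[/math]
    return t
```

Because error itself must be secure=f for the redirect to carry it, a request that arrives with error=0 beside blank fields silences the messages; recomputing the count on the displaying page gives the same answer whatever the request says.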