Re: Variable security

This WebDNA talk-list message is from

2000


It keeps the original formatting.
numero = 33455
interpreted = N
texte = > The logic is twofold: it is much harder, if not impossible to do the > same with math variables, and secondly the vast majority of legacy > code that mis-used the old variable hierarchy was using text > variables, not math variablesWhose legacy code, yours or mine? Are you saying the old variable hierarchy did not apply to math variables?Why do you continue to say that it is mis-used? Can you please explain how this is a misuse.Quoted from an earlier post: > [text secure=f&multi=t]fname=&lname=[/text] > [math secure=f]error=0[/math] >
> [showif [error]>1][showif > [fname]=]oops this one is blank[/showif][/showif]
> [showif [error]>1][showif > [lname]=]oops this one is blank[/showif][/showif]
> >
> > then on my submitted page I do: > [formvariables] > [showif [value]=][math show=f]error=error+1[/math][/showif] > [/formvariables] > [showif [error]>0] > [redirect > thispage.tpl?error=[error][formvariables]&[name]=[value][/formvariables]] > [showif] > [fname] [lname] you done good digging through that form. > > why is this insecure. Who cares if they override my variables? If I decide to make a security program I will be sure to avoid this > possible security hole, but on non secure/unimportant areas, why should I > protect them like fort knox. This is just one example I have hundreds that > work. Why would having a feature that is adjustable be a bad thing? > I saw Johns comments on the insecurity of this type of programming, but unless > you are opening a hole, there is no hole and therefore this programming > technique is valid. You may just need to think about what you are doing before > you do it. I certainly won't be denying ipaddresses using this technique.Again what is the problem with this, in this instance? What could the user possibly do in this case?Robert Minor Director of Internet Services ------------------------------------------------------------ Cybermill Communications http://www.cybermill.com http://www.merchantmaker.comProviding Ecommerce and interactive website development and hosting services on Macintosh, Windows NT, Unix, and AS/400.> From: Grant Hulbert > Reply-To: > Date: Tue, 20 Jun 2000 13:55:15 > To: > Subject: Re: Variable security > > The logic is twofold: it is much harder, if not impossible to do the > same with math variables, and secondly the vast majority of legacy > code that mis-used the old variable hierarchy was using text > variables, not math variables. ############################################################# This message is sent to you because you are subscribed to the mailing list . To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to To switch to the INDEX mode, E-mail to Send administrative queries to Associated Messages, from the most recent to the oldest:

    
  1. Re: math variable security [MEDIUM LONG] (Bob Minor 2000)
  2. Re: math variable security [MEDIUM LONG] (John Peacock 2000)
  3. Re: math variable security [MEDIUM LONG] (Bob Minor 2000)
  4. Re: math variable security [VERY LONG] (John Peacock 2000)
  5. Re: Variable security (Kenneth Grome 2000)
  6. Re: Variable security (Bob Minor 2000)
  7. Re: Variable security (Grant Hulbert 2000)
  8. Re: Variable security (Bob Minor 2000)
  9. Re: Variable security (Grant Hulbert 2000)
  10. Variable security (Bob Minor 2000)
  11. Variable security (Bob Minor 2000)
  12. Re: math variable security (Paul Uttermohlen 2000)
  13. Re: math variable security (Bob Minor 2000)
  14. Re: math variable security (WebDNA Support 2000)
  15. Re: math variable security (Bob Minor 2000)
  16. Re: math variable security (WebDNA Support 2000)
  17. math variable security (Bob Minor 2000)
> The logic is twofold: it is much harder, if not impossible to do the > same with math variables, and secondly the vast majority of legacy > code that mis-used the old variable hierarchy was using text > variables, not math variablesWhose legacy code, yours or mine? Are you saying the old variable hierarchy did not apply to math variables?Why do you continue to say that it is mis-used? Can you please explain how this is a misuse.Quoted from an earlier post: > [text secure=f&multi=t]fname=&lname=[/text] > [math secure=f]error=0[/math] >
> [showif [error]>1][showif > [fname]=]oops this one is blank[/showif][/showif]
> [showif [error]>1][showif > [lname]=]oops this one is blank[/showif][/showif]
> >
> > then on my submitted page I do: > [formvariables] > [showif [value]=][math show=f]error=error+1[/math][/showif] > [/formvariables] > [showif [error]>0] > [redirect > thispage.tpl?error=[error][formvariables]&[name]=[value][/formvariables]] > [showif] > [fname] [lname] you done good digging through that form. > > why is this insecure. Who cares if they override my variables? If I decide to make a security program I will be sure to avoid this > possible security hole, but on non secure/unimportant areas, why should I > protect them like fort knox. This is just one example I have hundreds that > work. Why would having a feature that is adjustable be a bad thing? > I saw Johns comments on the insecurity of this type of programming, but unless > you are opening a hole, there is no hole and therefore this programming > technique is valid. You may just need to think about what you are doing before > you do it. I certainly won't be denying ipaddresses using this technique.Again what is the problem with this, in this instance? What could the user possibly do in this case?Robert Minor Director of Internet Services ------------------------------------------------------------ Cybermill Communications http://www.cybermill.com http://www.merchantmaker.comProviding Ecommerce and interactive website development and hosting services on Macintosh, Windows NT, Unix, and AS/400.> From: Grant Hulbert > Reply-To: > Date: Tue, 20 Jun 2000 13:55:15 > To: > Subject: Re: Variable security > > The logic is twofold: it is much harder, if not impossible to do the > same with math variables, and secondly the vast majority of legacy > code that mis-used the old variable hierarchy was using text > variables, not math variables. ############################################################# This message is sent to you because you are subscribed to the mailing list . To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to To switch to the INDEX mode, E-mail to Send administrative queries to Bob Minor

DOWNLOAD WEBDNA NOW!

Top Articles:

Talk List

The WebDNA community talk-list is the best place to get some help: several hundred extremely proficient programmers with an excellent knowledge of WebDNA and an excellent spirit will deliver all the tips and tricks you can imagine...

Related Readings:

CERT Advisory on malicious scripts (2000) OLD ORDERS (1998) maximu values for sendmail! (1997) Absolute path (2003) Webcat/Webmerchant (1998) new WebDNA 5 command reference (2003) WebCatalog NT beta 18 now available (1997) WebDNA Solutions ... sorry! (1997) All choice in popups (1997) Snake Bites (1997) template cache problem (1998) date range (1998) [delete] problem (1997) Summing fields (1997) restarting service remotely on NT (1997) Shipcost Based on SubTotal (1998) [WebDNA] Electronic Delivery (download) (2008) Browser Info.txt (1997) pc (1997) Document Contains No Data! (1997)