Re: math variable security [MEDIUM LONG]

This WebDNA talk-list message is from

2000


It keeps the original formatting.
numero = 33497
interpreted = N
texte = Sorry I don't have an ego so it cannot seem like you are picking on me. I just like to fix my problems, work logically and build on what I already have.So regardless of wether you see it as lazy or not I don't care, it was a function of webcat in version 3 and it has been stripped out for no real reason, other than your supposed security flaw. Regardless of the fact that I did not use it in critical situations. In fact I claim to be a lazy programmer. If I can find a better, shorter, way to code then I will use it. The code I posted was an example I hacked up to illustrate the point that there was NO security hole in this. Of course we can pick the code over, or look at it as a whole. Is there a security hole? Is there a reason to plug a non-existent(My interpretation) security hole and make previously written code unusable.Here is the code written to compensate for johns corrections and provide a small amount of comment for arguing logic not the specifics of the code.[!]Text Variables set so that other pages can post this information or that cookies can pull this information and override or reset the variables. I could post all of my pages here but it has nothing to do with the concept.[/!] [text secure=f&multi=t]fname=&lname=[/text] [!]math variable chosen because thats the way it was in legacy code. The fact is math and text variables should not function different except for there obvious problem.[/!] [math secure=f]error=0[/math]
[showif [error]>1][showif [fname]=]oops this one is blank[/showif][/showif]
[showif [error]>1][showif [lname]=]oops this one is blank[/showif][/showif]
then on my submitted page I do: [!]since john couldn't assume that my variable was defined earlier in the page here it is[/showif] [formvariables] [showif [value]=][math show=f]error=error+1[/math][/showif] [/formvariables] [showif [error]>0] [redirect thispage.tpl?error=[error][formvariables]&[name]=[value][/formvariables]] [showif] [fname] [lname] you done good digging through that form.why is this insecure. Who cares if they override my variables? My shovel works fine. If I decide to make a security program I will be sure to avoid this possible security hole, but on non secure/unimportant areas, why should I protect them like fort knox. This is just one example I have hundreds that work.Why would having a feature that is adjustable be a bad thing?>> The problem here is that Bob is trying to use the [error] variable to >> flag which field is missing, but is really only flagging that there is >> _some_ field missing. To redesign this page, I am going to use WebDNA >> 3.x logic, nothing fancy. I am going to walk though how I would design >> this page, rather than just laying it out in a finished form.Except I can say We found 7 errors on your page and a host of other functionality that can exist. My example illustrated the non security issue of this. Problem is your are picking apart the example code rather than answering the questions above.If WebCat 4.0 can accommodate legacy code without leaving a security hole then I think it should. It would provide the best of both worlds. Just because you don't mind making me revisit all of my sites and rewriting the code to your programming style, doesn't mean I don't. (Picking on you just a little bit)Robert Minor Director of Internet Services ------------------------------------------------------------ Cybermill Communications http://www.cybermill.com http://www.merchantmaker.comProviding Ecommerce and interactive website development and hosting services on Macintosh, Windows NT, Unix, and AS/400.> From: John Peacock > Reply-To: (WebCatalog Talk) > Date: Wed, 21 Jun 2000 17:51:49 +0000 > To: (WebCatalog Talk) > Subject: Re: math variable security [VERY LONG] > > I am picking on you (although it may seem that way at > first), but because this is exactly the reason I argued that the > secure=f was unnecessary and in fact a bad addition to WebDNA. ------------------------------------------------------------- This message is sent to you because you are subscribed to the mailing list . To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to Web Archive of this list is at: http://search.smithmicro.com/ Associated Messages, from the most recent to the oldest:

    
  1. Re: math variable security [MEDIUM LONG] (Bob Minor 2000)
  2. Re: math variable security [MEDIUM LONG] (John Peacock 2000)
  3. Re: math variable security [MEDIUM LONG] (Bob Minor 2000)
Sorry I don't have an ego so it cannot seem like you are picking on me. I just like to fix my problems, work logically and build on what I already have.So regardless of wether you see it as lazy or not I don't care, it was a function of webcat in version 3 and it has been stripped out for no real reason, other than your supposed security flaw. Regardless of the fact that I did not use it in critical situations. In fact I claim to be a lazy programmer. If I can find a better, shorter, way to code then I will use it. The code I posted was an example I hacked up to illustrate the point that there was NO security hole in this. Of course we can pick the code over, or look at it as a whole. Is there a security hole? Is there a reason to plug a non-existent(My interpretation) security hole and make previously written code unusable.Here is the code written to compensate for johns corrections and provide a small amount of comment for arguing logic not the specifics of the code.[!]Text Variables set so that other pages can post this information or that cookies can pull this information and override or reset the variables. I could post all of my pages here but it has nothing to do with the concept.[/!] [text secure=f&multi=t]fname=&lname=[/text] [!]math variable chosen because thats the way it was in legacy code. The fact is math and text variables should not function different except for there obvious problem.[/!] [math secure=f]error=0[/math]
[showif [error]>1][showif [fname]=]oops this one is blank[/showif][/showif]
[showif [error]>1][showif [lname]=]oops this one is blank[/showif][/showif]
then on my submitted page I do: [!]since john couldn't assume that my variable was defined earlier in the page here it is[/showif] [formvariables] [showif [value]=][math show=f]error=error+1[/math][/showif] [/formvariables] [showif [error]>0] [redirect thispage.tpl?error=[error][formvariables]&[name]=[value][/formvariables]] [showif] [fname] [lname] you done good digging through that form.why is this insecure. Who cares if they override my variables? My shovel works fine. If I decide to make a security program I will be sure to avoid this possible security hole, but on non secure/unimportant areas, why should I protect them like fort knox. This is just one example I have hundreds that work.Why would having a feature that is adjustable be a bad thing?>> The problem here is that Bob is trying to use the [error] variable to >> flag which field is missing, but is really only flagging that there is >> _some_ field missing. To redesign this page, I am going to use WebDNA >> 3.x logic, nothing fancy. I am going to walk though how I would design >> this page, rather than just laying it out in a finished form.Except I can say We found 7 errors on your page and a host of other functionality that can exist. My example illustrated the non security issue of this. Problem is your are picking apart the example code rather than answering the questions above.If WebCat 4.0 can accommodate legacy code without leaving a security hole then I think it should. It would provide the best of both worlds. Just because you don't mind making me revisit all of my sites and rewriting the code to your programming style, doesn't mean I don't. (Picking on you just a little bit)Robert Minor Director of Internet Services ------------------------------------------------------------ Cybermill Communications http://www.cybermill.com http://www.merchantmaker.comProviding Ecommerce and interactive website development and hosting services on Macintosh, Windows NT, Unix, and AS/400.> From: John Peacock > Reply-To: (WebCatalog Talk) > Date: Wed, 21 Jun 2000 17:51:49 +0000 > To: (WebCatalog Talk) > Subject: Re: math variable security [VERY LONG] > > I am picking on you (although it may seem that way at > first), but because this is exactly the reason I argued that the > secure=f was unnecessary and in fact a bad addition to WebDNA. ------------------------------------------------------------- This message is sent to you because you are subscribed to the mailing list . To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to Web Archive of this list is at: http://search.smithmicro.com/ Bob Minor

DOWNLOAD WEBDNA NOW!

Top Articles:

Talk List

The WebDNA community talk-list is the best place to get some help: several hundred extremely proficient programmers with an excellent knowledge of WebDNA and an excellent spirit will deliver all the tips and tricks you can imagine...

Related Readings:

oops private message leaked into talk list (1997) Bug? (1997) Message Boards (2003) Sorting by highest number of matches unique to a field (2003) Searching for the end (1998) Switch Case Context (2004) Authenticate (1997) [WebDNA] [hideif]'s not working in [sendmail] (2008) carriage returns in data (1997) final on include (1997) Storebuilder questions (2003) WebCat2: multiple currency support (1997) FEW QUESTIONS (1997) t or f (1997) Roundup function? (1997) WebCat2b14MacPlugIn - [include] doesn't hide the search string (1997) Showing once on a founditems (1997) [shownext] help (2002) Re2: frames & carts (1997) db security on NT (1997)