Re: A question about security

This WebDNA talk-list message is from 1998. It keeps the original formatting.
>I am just about to buy Wcat 2.1 Mac but now I am not sure if I understand the WCat manual correctly.
>
>In the Wcat preferences, you can specify all commands that you want to be used by anonymous visitors by (Allow Commands).
>If I want to use an online store like Tea Room, I have to allow commands like replace, add, search, delete and so on.
>
>But now, ANY user can edit ANY record in ANY database used by Wcat on my server, if he is smart enough to understand the command syntax.

Yes, that's right!

>Even if he has to find a fitting template to SEE contents, he can do enough to get me in serious trouble.
>
>Because I want to host an online store on my server, and also some confidential databases which I want to use for online-games (I am using contexts there for security reasons), I guess I am in a bit of trouble now.
>
>Or am I missing something?

Yes, you're missing a lot ... :) But don't worry, there's a lot to WebCatalog, so here's some hints for new users ...

The Tea Room is an OLD sample site, created quite some time ago, before the more secure [context] methods were available in WebCatalog.

URL-based commands still work, of course, and sometimes they are easier to use, but if you're not careful, using them can make your site inherently UNsecure ... since anyone with the knowledge of how to write a command into an URL can delete your entire database, for example, if you allow the delete command.

On the other hand, contexts, when used exclusively *instead* of URL-based commands, will eliminate your concerns about security forever. With contexts, you can disallow ALL commands. This makes your site totally secure against WebCat hackers, since contexts only exist within the files on the server itself ... and you're the only one who has access to those files, right? :)

Sincerely,
Ken Grome
808-737-6499
WebDNA Solutions
mailto:ken@webdna.net
http://www.webdna.net

Associated Messages, from the most recent to the oldest:

  1. Re: A question about security (Kenneth Grome 1998)
  2. Re: A question about security (Grant Hulbert 1998)
  3. A question about security (Matthias Precht 1998)
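The difference Ken describes, modelled in Python as an added example (this is not WebDNA code and not from the thread): a URL-based command lets the visitor name the action, so whatever the "Allow Commands" preference permits is reachable by anyone who knows the syntax, whereas a context-style template fixes the action on the server and takes only data from the visitor. The database contents, parameter names and the two preference sets are constructed for the illustration.

```python
from urllib.parse import parse_qs

# Constructed sample of one WebDNA-style .db file: SKU -> record.
def sample_db():
    return {"T001": {"name": "Green tea", "price": "4.50"},
            "T002": {"name": "Oolong", "price": "6.00"}}

def params_of(query):
    return {k: v[0] for k, v in parse_qs(query).items()}

def handle_url_command(db, allowed_commands, query):
    """URL-based commands: the visitor names the command in the URL itself.
    allowed_commands models the 'Allow Commands' preference; everything in it
    is reachable by any anonymous visitor. Returns (status, db)."""
    p = params_of(query)
    cmd = p.get("command")
    if cmd not in allowed_commands:
        return "refused: %r is not an allowed command" % cmd, db
    if cmd == "delete":
        db.pop(p.get("sku"), None)
    elif cmd == "replace":
        db.setdefault(p.get("sku"), {}).update(
            name=p.get("name", ""), price=p.get("price", ""))
    elif cmd == "add":
        db[p.get("sku")] = {"name": p.get("name", ""), "price": p.get("price", "")}
    # 'search' is read-only; the template below models it
    return "ok", db

def render_store_template(db, query):
    """Context-style template: the action (a read-only search) is fixed in the
    server-side file; the visitor supplies only data (a SKU). Extra parameters
    such as command=delete are ignored because no URL command is consulted."""
    sku = params_of(query).get("sku")
    rec = db.get(sku)
    return "not found" if rec is None else "%s: %s at %s" % (sku, rec["name"], rec["price"])

TEA_ROOM_PREFS = {"search", "add", "replace", "delete"}   # what the old sample site needs
CONTEXTS_ONLY_PREFS = set()                                # "disallow ALL commands"
```

With the Tea Room preferences an anonymous delete succeeds; with contexts only, the same URL is refused and the store template still serves the record.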