Re[2]: Problem with new formvariables

This WebDNA talk-list message is from 2000. It keeps the original formatting.
>Grant stated quite clearly that the insecure formvariables is a thing of the
>past; it certainly seems to me that this is a non-negotiable issue. SM/PCS
>wants to make sure that they never see a news item on a WebCat site being
>cracked because of a side effect of several versions growth in WebCat. I can
>appreciate that; I'm surprised you can't.
>
>The suggestion to allow certain formvariable to disallow redefinition through a
>$ prefix is fine, except that it is backwards. The default behavior must be
>that all formvariables are sacrosanct, except those that are flagged. Everyone
>that used this _undocumented_ feature is probably going to have to edit old
>sites to work under the new secure regime.

As far as I can remember this behavior was implemented on purpose - so calling it undocumented isn't really true. We had a rather lively discussion on the beta list before it was implemented how it should work, and Grant was very clear at that time, too.

I was probably the only one on the list wanting local variables overriding POST and GET, but by now I have coded lots of sites depending on the current behavior - so I for sure don't want WebCat 4.0 to break this way to function.

I vote for Jesse's [TEXT secure=T] way to solve the problem.

*************************************************************
Christer Olsson   Stora Nygatan 21   Phone +46 40 791 50
Ljusa Idéer AB    S-211 37 Malmoe    Fax +46 40 97 99 77
Sweden            http://www.ljusaideer.se

Associated Messages, from the most recent to the oldest:

    
  1. Re[2]: Problem with new formvariables (Christer Olsson 2000)
  2. Re: Re[2]: Problem with new formvariables (Nicolas Verhaeghe 2000)
  3. Re: Re[2]: Problem with new formvariables (Grant Hulbert 2000)
  4. Re: Re[2]: Problem with new formvariables (Nicolas Verhaeghe 2000)
  5. Re[2]: Problem with new formvariables (Grant Hulbert 2000)
  6. Re[2]: Problem with new formvariables (Joseph D'Andrea 2000)
  7. Re[2]: Problem with new formvariables (jpeacock@univpress.com 2000)
