Re: [WebDNA] preventing hackers from posting their own (altered) version of my form?

This WebDNA talk-list message is from 2009.
Thanks Gary,

well I had just assumed that [REFERRER] would not get set to the actual referring URL when reaching the template with that tag in it because of this line from the docs:
"...Note: this will not work if the previous page was a FORM METHOD="POST". "
But after seeing your post here I tried it and it seems to work fine, even with method=post. (why do the docs say that?)
Assuming [referrer] is reliable in this situation, then I can just check against the evaluated tag's value itself. (and not against an incoming hidden input).
If I used a hidden input the way you suggest then what stops a user from creating a version of the form with a hidden input whose value is set to whatever he wants. (including what I would have stuffed in there with the [referrer] tag's value?)

-G

On Feb 18, 2009, at 9:20 PM, Gary Krockover wrote:

> Unless I'm misunderstanding the issue here:
> Put a hidden input tag that is called something like "Came_From".
> Make that value [REFERRER]. On your landing page, put in a
> [FORMVARIABLES] and check to see if the value for "Came_From"
> contains your domain name.
>
> GJK
>
> At 08:17 PM 2/18/2009, you wrote:
>> Hi all
>>
>> if I want to prevent hackers from posting a home-brewed (local to
>> them) form to one of my own live pages (that I normally reach via my
>> own posted form), then how can I do this with WebDNA? If we reached
>> the page normally via a link I could use [referrer], but since this
>> is method=post, how to do it?
>>
>> -Govinda

Associated Messages, from the most recent to the oldest:

  1. Re: [WebDNA] preventing hackers from posting their own (altered) version of my form? (Stuart Tremain 2009)
  2. Re: [WebDNA] preventing hackers from posting their own (altered) version of my form? (Toby Cox 2009)
  3. Re: [WebDNA] preventing hackers from posting their own (altered) version of my form? (Govinda 2009)
  4. Re: [WebDNA] preventing hackers from posting their own (altered) version of my form? (Bob Minor 2009)
  5. Re: [WebDNA] preventing hackers from posting their own (altered) version of my form? (Govinda 2009)
  6. [WebDNA] preventing hackers from posting their own (altered) version of my form? (Govinda 2009)
Govinda
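The objection raised in the thread (a user can build his own copy of the form and put any value he likes in a hidden input) applies equally to the Referer header: both are supplied by the client, so neither can prove where a POST came from. The usual mitigation is a server-issued token that the client cannot mint itself: the server embeds an HMAC over the session id, a timestamp and a nonce in a hidden input, and recomputes the MAC on submission. The Python below is an added example written for this page; it is not WebDNA and not code from anyone in the thread. The secret key, session ids, header names and field names (`Came_From`, `form_token`) are constructed placeholders for the illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed secret for this example; a real deployment loads it from
# configuration and never hard-codes it in a template or source file.
SECRET_KEY = b"example-server-secret-do-not-reuse"


def referrer_check(headers, hidden_came_from, my_domain="example.com"):
    """The two checks discussed in the thread, combined.

    Both the Referer header and the hidden 'Came_From' input are chosen by
    whoever sends the request, so a home-brewed form passes this check by
    simply filling them in.
    """
    referer = headers.get("Referer", "")
    return my_domain in referer or my_domain in hidden_came_from


def issue_form_token(session_id, now=None, key=SECRET_KEY):
    """Server side, when rendering the form.

    The token binds a timestamp and a random nonce to the caller's session id
    under an HMAC. Only the timestamp, nonce and MAC travel to the client; the
    session id and the key stay on the server.
    """
    ts = str(int(now if now is not None else time.time()))
    nonce = secrets.token_hex(8)
    msg = f"{session_id}|{ts}|{nonce}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{ts}.{nonce}.{mac}"


def verify_form_token(token, session_id, now=None, max_age=3600, key=SECRET_KEY):
    """Server side, when the form is submitted.

    Rejects malformed, expired or future-dated tokens, tokens issued to a
    different session, and tokens whose MAC does not match. Without the key a
    forged form cannot produce a valid MAC, and compare_digest keeps the
    comparison constant-time.
    """
    try:
        ts, nonce, mac = token.split(".")
        ts_int = int(ts)
    except (ValueError, AttributeError):
        return False
    current = now if now is not None else time.time()
    if current - ts_int > max_age or ts_int > current + 60:
        return False
    expected = hmac.new(key, f"{session_id}|{ts}|{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def checks_for_request(headers, fields, session_id, now=None):
    """Run both approaches against one submission and report each verdict."""
    return {
        "referrer_or_hidden_input": referrer_check(headers, fields.get("Came_From", "")),
        "signed_token": verify_form_token(fields.get("form_token", ""), session_id, now=now),
    }


if __name__ == "__main__":
    # Constructed forged submission: the sender sets Referer and Came_From
    # to the site's own domain but has no way to compute a valid token.
    forged_headers = {"Referer": "http://example.com/order-form.html"}
    forged_fields = {"Came_From": "http://example.com/order-form.html",
                     "form_token": "1000.deadbeefdeadbeef.0000"}
    print(checks_for_request(forged_headers, forged_fields, "sess-A", now=1500))
    # Constructed legitimate submission: token minted by the server for this session.
    good_fields = {"form_token": issue_form_token("sess-A", now=1000)}
    print(checks_for_request({}, good_fields, "sess-A", now=1500))
```

The token only proves that the submitter fetched the form from this server, in this session, within the time window; it does not make any other field trustworthy, since the same user can still edit his own copy of the form before posting it. Every value that matters (prices, ids, quantities) still has to be validated or recomputed server-side on the landing page. Rotating the key or shortening `max_age` limits how long a captured token stays useful.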
