Re: [WebDNA] preventing hackers from posting their own (altered) version of my form?
This WebDNA talk-list message is from 2009
Thanks Gary,

well I had just assumed that [REFERRER] would not get set to the actual referring URL when reaching the template with that tag in it because of this line from the docs:

"...Note: this will not work if the previous page was a FORM METHOD="POST"."

But after seeing your post here I tried it and it seems to work fine, even with method=post. (why do the docs say that?)

Assuming [referrer] is reliable in this situation, then I can just check against the evaluated tag's value itself. (and not against an incoming hidden input).

If I used a hidden input the way you suggest then what stops a user from creating a version of the form with a hidden input whose value is set to whatever he wants? (including what I would have stuffed in there with the [referrer] tag's value?)

-G

On Feb 18, 2009, at 9:20 PM, Gary Krockover wrote:

> Unless I'm misunderstanding the issue here:
> Put a hidden input tag that is called something like "Came_From".
> Make that value [REFERRER]. On your landing page, put in a
> [FORMVARIABLES] and check to see if the value for "Came_From"
> contains your domain name.
>
> GJK
>
> At 08:17 PM 2/18/2009, you wrote:
>> Hi all
>>
>> if I want to prevent hackers from posting a home-brewed (local to
>> them) form to one of my own live pages (that I normally reach via my
>> own posted form), then how can I do this with webdna? If we reached
>> the page normally via a link I could use [referrer], but since this
>> is method=post, how to do it?
>>
>> -Govinda
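As an added illustration (not code from the thread, and not WebDNA), here is the comparison Govinda is drawing, written in Python: a hidden "Came_From" input is chosen by whoever wrote the posting form, the Referer header is at least supplied by the browser rather than the form, and a server-issued token bound to the visitor's session is the thing a home-brewed form cannot supply. The host name, server secret and sample requests are constructed for the example.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlparse

# Assumptions (not from the list thread): the site's host name, and a
# server-side secret that is never sent to any browser.
SITE_HOST = "www.example.com"
SERVER_SECRET = secrets.token_bytes(32)

def came_from_check(form):
    """Gary's suggestion: a hidden input "Came_From" filled with [REFERRER].
    Whoever writes the posting form chooses this value, so it proves nothing."""
    return SITE_HOST in form.get("Came_From", "")

def referrer_check(headers):
    """Govinda's alternative: compare the browser-sent Referer header itself,
    which is what [REFERRER] evaluates to. Compare the parsed host, not a
    substring, so "www.example.com.evil.test" fails. Browsers may omit it."""
    return urlparse(headers.get("Referer", "")).hostname == SITE_HOST

def issue_token(session_id):
    """Token embedded as a hidden input in the site's own form: an HMAC of the
    visitor's session id under the server secret. A home-brewed form has no
    way to produce a valid one, and the check survives a missing Referer."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def token_check(session_id, form):
    return hmac.compare_digest(issue_token(session_id), form.get("token", ""))

def evaluate(session_id, headers, form):
    """Run the three checks side by side."""
    return {"came_from": came_from_check(form),
            "referrer": referrer_check(headers),
            "token": token_check(session_id, form)}

# Constructed sample requests.
# 1) Posted from the site's own form: browser sends Referer, form carries token.
GENUINE = evaluate("sess-1",
                   {"Referer": "https://www.example.com/order.tpl"},
                   {"Came_From": "https://www.example.com/order.tpl",
                    "token": issue_token("sess-1")})
# 2) Posted from a home-brewed form: the hidden input says whatever its author
#    wants, the Referer names another host, and the token is a guess.
FORGED = evaluate("sess-1",
                  {"Referer": "http://www.example.com.evil.test/form.html"},
                  {"Came_From": "https://www.example.com/order.tpl",
                   "token": "0" * 64})
```

Only the token check rejects the home-brewed post while still accepting the genuine one, and it also covers the case where the browser sends no Referer at all.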