Re: [WebDNA] preventing hackers from posting their own (altered)
This WebDNA talk-list message is from 2009
Govinda wrote:
> Thanks Gary,
>
> well I had just assumed that [REFERRER] would not get set to the actual
> referring URL when reaching the template with that tag in it because of
> this line from the docs:
> "...Note: this will not work if the previous page was a FORM
> METHOD="POST". "
> But after seeing your post here I tried it and it seems to work fine,
> even with method=post. (why do the docs say that?)
> Assuming [referrer] is reliable in this situation, then I can just check
> against the evaluated tag's value itself.. (and not against an incoming
> hidden input).
> If I used a hidden input the way you suggest then what stops a user from
> creating a version of the form with a hidden input whose value is set to
> whatever he wants. (including what I would have stuffed in there with
> the [referrer] tag's value?)
>
> -G

I would suggest encrypting a hidden value with a seed... then decrypt on the receiving end to do a match to a static or admin-controlled variable. Referrer is not reliable in all situations because of proxies.

Donovan

--
Donovan D. Brooke
PH: 1 (608) 770-3822
------------------------------------------------
WebDNA Software Corporation
16192 Coastal Highway
Lewes, DE 19958
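The approach Donovan describes (a hidden value derived from a server-side secret, checked on the receiving end against an admin-controlled value) can be demonstrated outside WebDNA. The following Python is an added example written for this archive page; it is not code from the thread, from WebDNA, or from Donovan. It answers Govinda's objection directly: a user can post a form with any hidden value he likes, but without the server secret he cannot produce a value that passes the check. It uses a keyed MAC (HMAC-SHA256) rather than encryption, because the goal here is tamper detection, not secrecy, and it adds an issue timestamp so an old token cannot be replayed indefinitely. SERVER_SECRET, EXPECTED_FORM_ID, the 32-byte tag layout and the one-hour freshness window are all assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import time

# The "seed" from the thread: a server-side secret the browser never sees.
# Constructed placeholder; a real deployment loads this from protected config.
SERVER_SECRET = b"replace-with-a-long-random-secret-from-config"

# The static / admin-controlled value the receiving template expects.
# Constructed example value.
EXPECTED_FORM_ID = "contact-form-v2"

TAG_LEN = 32  # SHA-256 digest length; the tag is appended to the payload


def make_hidden_value(form_id, now=None, secret=SERVER_SECRET):
    """Build the token the form-rendering template embeds in a hidden input.

    Token = urlsafe-base64( JSON payload || HMAC-SHA256(secret, payload) ).
    The payload carries the expected form id and an issue time (iat).
    """
    issued = int(now if now is not None else time.time())
    payload = json.dumps({"form_id": form_id, "iat": issued},
                         separators=(",", ":")).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def verify_hidden_value(token, expected_form_id, max_age=3600, now=None,
                        secret=SERVER_SECRET):
    """Receiving-end check. Returns True only if the token was produced with
    our secret, names the expected form, and is not older than max_age seconds.
    Every failure path returns False so the caller can reject the POST."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except (ValueError, TypeError):
        return False
    if len(raw) <= TAG_LEN:
        return False
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    # Recompute the tag and compare in constant time: a client who edited
    # the payload (or guessed a secret) cannot produce a matching tag.
    expected_tag = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected_tag):
        return False
    try:
        data = json.loads(payload)
    except ValueError:
        return False
    if data.get("form_id") != expected_form_id:
        return False
    current = now if now is not None else time.time()
    age = current - int(data.get("iat", 0))
    return 0 <= age <= max_age


def altered_hidden_value(token, new_form_id):
    """What Govinda describes: take a legitimate token, change the hidden
    payload to whatever we want, and keep the original tag. Used below only
    to show that such an edited value is rejected."""
    raw = base64.urlsafe_b64decode(token.encode())
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    data = json.loads(payload)
    data["form_id"] = new_form_id
    new_payload = json.dumps(data, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(new_payload + tag).decode()


if __name__ == "__main__":
    t = make_hidden_value(EXPECTED_FORM_ID)
    print("genuine token accepted:", verify_hidden_value(t, EXPECTED_FORM_ID))
    print("edited hidden field accepted:",
          verify_hidden_value(altered_hidden_value(t, "admin-form"), "admin-form"))
```

The form page calls make_hidden_value and writes the result into the hidden input; the receiving page calls verify_hidden_value before trusting anything else in the POST. Because the check depends only on the server secret, it does not care whether the browser sent a Referer header at all, which sidesteps the proxy problem Donovan mentions.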