Re: [WebDNA] preventing hackers from posting their own (altered)

This WebDNA talk-list message is from 2009


Govinda wrote:
> Thanks Gary,
>
> well I had just assumed that [REFERRER] would not get set to the actual
> referring URL when reaching the template with that tag in it because of
> this line from the docs:
> "...Note: this will not work if the previous page was a FORM
> METHOD="POST". "
> But after seeing your post here I tried it and it seems to work fine,
> even with method=post. (why do the docs say that?)
> Assuming [referrer] is reliable in this situation, then I can just check
> against the evaluated tag's value itself.. (and not against an incoming
> hidden input).
> If I used a hidden input the way you suggest then what stops a user from
> creating a version of the form with a hidden input whose value is set to
> whatever he wants. (including what I would have stuffed in there with
> the [referrer] tag's value?)
>
> -G

I would suggest to encrypt a hidden value with a seed... then decrypt on the receiving end to do a match to a static or admin controlled variable.

Referrer is not reliable in all situations because of proxies.

Donovan

--
Donovan D. Brooke
PH: 1 (608) 770-3822
------------------------------------------------
WebDNA Software Corporation
16192 Coastal Highway
Lewes, DE 19958

Associated Messages, from the most recent to the oldest:

    
  1. Re: [WebDNA] preventing hackers from posting their own (altered) version of my form? (Stuart Tremain 2009)
  2. Re: [WebDNA] preventing hackers from posting their own (altered) (Donovan Brooke 2009)
  3. Re: [WebDNA] preventing hackers from posting their own (altered) (Donovan Brooke 2009)
  4. Re: [WebDNA] preventing hackers from posting their own (altered) version of my form? (Toby Cox 2009)
  5. Re: [WebDNA] preventing hackers from posting their own (altered) version of my form? (Govinda 2009)
  6. Re: [WebDNA] preventing hackers from posting their own (altered) (Donovan Brooke 2009)
  7. Re: [WebDNA] preventing hackers from posting their own (altered) (Marc Thompson 2009)
  8. Re: [WebDNA] preventing hackers from posting their own (altered) version of my form? (Bob Minor 2009)
  9. Re: [WebDNA] preventing hackers from posting their own (altered) (Marc Thompson 2009)
  10. Re: [WebDNA] preventing hackers from posting their own (altered) (Donovan Brooke 2009)
  11. Re: [WebDNA] preventing hackers from posting their own (altered) version of my form? (Govinda 2009)
  12. [WebDNA] preventing hackers from posting their own (altered) version of my form? (Govinda 2009)
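The server-issued hidden value Donovan describes, as an added example that is not part of the thread or of WebDNA itself. It uses a keyed hash (HMAC) in place of the encrypt-with-a-seed / decrypt round-trip, since the property the receiving end needs is that nobody without the server-side seed can produce a value that verifies; the seed, form identifier, timestamps and token layout are all constructed for this example. The receiving end recomputes the tag, compares it in constant time, then matches the recovered form identifier against the admin-controlled expected value and rejects stale tokens, with no dependence on the Referer header at all.

```python
import hmac
import hashlib
import time

# Server-side secret, playing the role of the WebDNA "seed".
# Constructed value for this example; in practice load it from
# configuration and never emit it into a page.
SERVER_SEED = b"example-seed-do-not-use"

# Maximum age of a token in seconds (assumed value for the example).
MAX_AGE = 900


def issue_token(form_id: str, issued_at: int, seed: bytes = SERVER_SEED) -> str:
    """Build the hidden-input value: '<form_id>|<issued_at>|<hex mac>'.

    form_id is the admin-controlled name of the form that the receiving
    template expects; issued_at is a Unix timestamp so a copied token
    cannot be replayed indefinitely.
    """
    payload = f"{form_id}|{issued_at}".encode()
    mac = hmac.new(seed, payload, hashlib.sha256).hexdigest()
    return f"{form_id}|{issued_at}|{mac}"


def verify_token(token: str, expected_form_id: str, now: int,
                 max_age: int = MAX_AGE, seed: bytes = SERVER_SEED) -> bool:
    """Return True only if the token was issued by us, for the expected
    form, and has not expired. Any altered field fails the MAC check."""
    parts = token.split("|")
    if len(parts) != 3:
        return False
    form_id, issued_at_s, mac = parts
    if not issued_at_s.isdigit():
        return False
    # Recompute the tag over the received fields and compare in constant time.
    payload = f"{form_id}|{issued_at_s}".encode()
    expected_mac = hmac.new(seed, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected_mac):
        return False
    # Match the authenticated form id against the static / admin-controlled value.
    if form_id != expected_form_id:
        return False
    issued_at = int(issued_at_s)
    if issued_at > now or now - issued_at > max_age:
        return False
    return True


def render_hidden_input(form_id: str, now: int) -> str:
    """Emit the hidden input the form template would carry."""
    return f'<input type="hidden" name="token" value="{issue_token(form_id, now)}">'


if __name__ == "__main__":
    now = int(time.time())
    print(render_hidden_input("contact_form", now))
    good = issue_token("contact_form", now)
    print("valid submission accepted:", verify_token(good, "contact_form", now + 5))
    # A user editing the hidden input in their own copy of the form
    # changes the bytes the MAC was computed over, so it no longer verifies.
    altered = "admin_form|" + good.split("|", 1)[1]
    print("altered hidden input accepted:", verify_token(altered, "admin_form", now + 5))
```

The token only proves the value was issued by the server; a user can still copy it out of the real form into an altered one, which is why the short expiry matters and why binding the token to the visitor's session (not shown here) is the usual next step. Validation of the other posted fields still has to happen on the receiving end regardless of what the hidden input says.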
