Re: [WebDNA] Search on a database
This WebDNA talk-list message is from 2012
> The code change below worked, and when I opened the admin page http://www.hydrozone-pro.com/xxxxxxx/zzzzzzzz.tpl to view the database entries, I got an alert box with the following message:
> "You don't want users adding (non-whitelisted) HTML to data that appears on a page. My example is harmless, but might have been malicious. Google 'XSS'.
>
> This brings up 2 more questions:
> 1. I'm assuming that since you were able to program an alert box to open, a malicious programmer could
> cause harm

yes ^^^ .

> to my local machine

I think so, but don't assume anything from just my input; I don't specialize in security.

> when I open the page. Could damage also be done to the server on which this page resides?

not that I am aware of, but again, I don't specialize in security.

You may be asking, what exactly IS the potential "harm"?

The javascript could have: not caused an alert message, but instead loaded some malicious code from a(nother) malicious site. Hackers are forever trying to get you (your browser, even if under the hood, via some javascript) to go to their webpages. If you do "go there" in your browser (or some underlying javascript does), then bad things can happen. I have not made the effort to learn what all they can do. I used to think that one was not susceptible to having malware loaded on their computer just from visiting a mean webpage, but now I do not assume that. I just protect myself. *At the minimum* (and don't assume I have brought to light everything you want to do to be "protected"), but *at the minimum*, you:

> 2. I have already wrapped the variables coming from the survey in [url][/url] tags. Do I wrap the variables like this?:
>
> [removehtml][url]...[/url][/removehtml].

yes ^^^ .

You can strip the html tags (including the "..." which I used to make my point), with [removehtml]...[/removehtml], either: as you are saving their input data *into* the db, or as you bring it back *out* of the db to display on your secret admin page, for viewing.

BTW, secret admin pages are not so secret when their addresses are posted on public lists.. but especially not when there is no "authentication" code protecting it.

Suggestion: how about sticking the following code at the top of your admin page(s):
(use an [include...], and then you only have to maintain this code in ONE place, but can use it at the top of the page every time you create another admin page):
(change the username and password to something secret only you know. If you want to get even more serious .. then later you could write code to keep track of how many times someone tries to guess the user/pass... and lock them out from even being allowed to try, in case they guess more than, e.g., 3 times an hour.)

--------------------------------------------------------------------------------
[!]---quickie realm method protection---[/!]
[showif [URL][username][/URL]!yourSecretUserName][AUTHENTICATE Hi govinda!][/showif]
[showif [URL][password][/URL]!yourSecretPassword][AUTHENTICATE Hi govinda!][/showif]
--------------------------------------------------------------------------------

I don't mean to discourage you by all this extra work... ;-)

-Govinda
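The stored-XSS fix Govinda describes (neutralise survey answers when the admin page displays them), modelled here in Python as an added example rather than WebDNA code from the post: `strip_tags` stands in for `[removehtml]`, `escape_for_html` is the encoding alternative, and the survey rows are constructed sample data.

```python
# Added example (not from the talk-list post): survey answers are stored raw and
# neutralised only when rendered into the admin page, so a browser shows any
# markup a respondent typed as literal text instead of executing it.
import html
import re

# Constructed sample records: one ordinary answer and one carrying markup.
SURVEY_ROWS = [
    {"name": "Alice", "comment": "Great product, 5 stars"},
    {"name": "<script>alert('XSS')</script>", "comment": "<b>bold</b> & <i>sneaky</i>"},
]

_TAG_RE = re.compile(r"<[^>]*>")

def strip_tags(value: str) -> str:
    """Lossy approach comparable to WebDNA's [removehtml]: delete anything tag-shaped."""
    return _TAG_RE.sub("", value)

def escape_for_html(value: str) -> str:
    """Preferred approach: encode <, >, &, quotes so the browser renders them as text."""
    return html.escape(value, quote=True)

def render_admin_rows(rows, sanitize=escape_for_html) -> str:
    """Build the admin table; every user-controlled field goes through `sanitize`."""
    cells = []
    for row in rows:
        cells.append(
            "<tr><td>%s</td><td>%s</td></tr>"
            % (sanitize(row["name"]), sanitize(row["comment"]))
        )
    return "<table>\n" + "\n".join(cells) + "\n</table>"

def contains_live_tag(rendered: str, tag: str = "script") -> bool:
    """Does a real <tag ...> element survive in the rendered output?"""
    return re.search(r"<%s\b" % tag, rendered, re.IGNORECASE) is not None

if __name__ == "__main__":
    print(render_admin_rows(SURVEY_ROWS))
```

Escaping keeps the respondent's text intact for review; stripping discards it, which is why the encoding path is the default here.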
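Govinda's follow-on suggestion, locking out a client that fails the user/pass check more than 3 times in an hour, as an added Python example (not the post's WebDNA code): the secret username and password and the client identifier are hypothetical, and `now` is passed in so the window can be exercised without waiting.

```python
# Added example (not from the post): a sliding-window guard in front of the
# admin credential check. In WebDNA the counters would live in a database;
# here they live in a dict keyed by client identifier (e.g. remote address).
import hmac
from collections import defaultdict, deque

WINDOW_SECONDS = 3600   # "3 times an hour"
MAX_FAILURES = 3

class LoginGuard:
    def __init__(self, username: str, password: str):
        # Hypothetical stand-in for the secret user/pass in the admin include.
        self._username = username.encode()
        self._password = password.encode()
        self._failures = defaultdict(deque)  # client -> timestamps of failed tries

    def _prune(self, client: str, now: float) -> None:
        # Drop failures that fell out of the one-hour window.
        q = self._failures[client]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()

    def is_locked(self, client: str, now: float) -> bool:
        self._prune(client, now)
        return len(self._failures[client]) >= MAX_FAILURES

    def attempt(self, client: str, username: str, password: str, now: float) -> str:
        """Return 'locked', 'denied' or 'ok'. A locked client is refused before the
        credentials are compared, matching the 'not even allowed to try' idea."""
        if self.is_locked(client, now):
            return "locked"
        # Constant-time comparisons; evaluate both so a bad username costs the same.
        user_ok = hmac.compare_digest(username.encode(), self._username)
        pass_ok = hmac.compare_digest(password.encode(), self._password)
        if user_ok and pass_ok:
            self._failures[client].clear()
            return "ok"
        self._failures[client].append(now)
        return "denied"
```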