Re: Security Question
This WebDNA talk-list message is from 1997
>BigJim needs to allow LittleEd to $Append a specific database from a
>remote location. BigJim does NOT want LittleEd to have full Admin Group
>privileges.

Don't use (or allow) $Append in this case. Instead, embed an [Append] tag into a page that is protected by [protect admin,updater]. The [Append] won't happen unless the protection is validated.

I think that's what Ken would recommend.

There are two ways to append records to a database, one using a URL (form submission) that literally has the $Append command in it. This is the one you often don't want anonymous people to be able to do, because they can homebrew a page that $Appends to any database of yours (don't worry: the Users.db is protected from such attacks).

The other way to append records is to embed an [Append] context inside a .tmpl page. You can still use form variables from a user-input form, but in this case you leave off the $Append in the form METHOD, and instead just link to the .tmpl file with no $command of any kind (equivalent to just a $ShowPage). In this case, you put a [protect whatever] onto that page, and if the user doesn't enter the right password, then the [Append] embedded in that page doesn't get 'executed'.

HTML forces you to think in weird ways. I know I'll never be the same.

Grant Hulbert, V.P. Engineering | ===== Tools for WebWarriors =====
Pacific Coast Software | WebCatalog Pro, WebCommerce Solution
11770 Bernardo Plaza Court | SiteEdit Pro, SiteCheck, PhotoMaster
San Diego, CA 92128 | SiteGuard
619/675-1106 Fax: 619/675-0372 | http://www.smithmicro.com
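The following is an added illustration of the second, protected approach described above; it is not code from Grant's message or from WebDNA's own documentation. It assumes a form page that posts to a template called addrecord.tmpl, a database file guestbook.db with the fields name and email, and an admin group named updater; all of those names are invented for the example. The point it shows is that the form's ACTION names only the template (no $Append or any other $command in the URL), so the only way a record gets written is by WebDNA evaluating the [append] context, and that context sits below a [protect] that aborts the page for anyone who is not in the admin or updater group.

```html
<!-- addrecord.html (assumed name): the public form.
     NOTE the ACTION: it points at the .tmpl page only. It must NOT carry a
     $Append (or any $command) in the URL, otherwise the server performs the
     append directly from the request and the [protect] on the template
     is never consulted. -->
<form method="POST" action="addrecord.tmpl">
  Name:  <input type="text" name="name">
  Email: <input type="text" name="email">
  <input type="submit" value="Add record">
</form>

<!-- addrecord.tmpl (assumed name): the protected template.
     [protect] is the first thing on the page so that nothing below it,
     including the [append], is evaluated for an unauthenticated visitor.
     Groups are assumptions for this example. -->
[protect admin,updater]
[append db=guestbook.db]name=[name]&email=[email][/append]
<html><body>
Record added for [name].
</body></html>
```

Two things to check when deploying something like this: confirm that the server really does refuse the URL-command form of $Append from anonymous clients (the message notes only that Users.db is shielded, not every database), and keep the [protect] above every [append] in the file, since a write placed above the protect line would run before the credential check.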
Grant Hulbert