Re: Security Question
This WebDNA talk-list message is from 1997
> BigJim needs to allow LittleEd to $Append a specific database from a
> remote location. BigJim does NOT want LittleEd to have full Admin Group
> privileges.

Don't use (or allow) $Append in this case. Instead, embed an [Append] tag into a page that is protected by [protect admin,updater]. The [Append] won't happen unless the protection is validated. I think that's what Ken would recommend.

There are two ways to append records to a database, one using a URL (form submission) that literally has the $Append command in it. This is the one you often don't want anonymous people to be able to do, because they can homebrew a page that $Appends to any database of yours (don't worry: the Users.db is protected from such attacks).

The other way to append records is to embed an [Append] context inside a .tmpl page. You can still use form variables from a user-input form, but in this case you leave off the $Append in the form METHOD, and instead just link to the .tmpl file with no $command of any kind (equivalent to just a $ShowPage). In this case, you put a [protect whatever] onto that page, and if the user doesn't enter the right password, then the [Append] embedded in that page doesn't get 'executed'.

HTML forces you to think in weird ways. I know I'll never be the same.

Grant Hulbert, V.P. Engineering | ===== Tools for WebWarriors =====
Pacific Coast Software | WebCatalog Pro, WebCommerce Solution
11770 Bernardo Plaza Court | SiteEdit Pro, SiteCheck, PhotoMaster
San Diego, CA 92128 | SiteGuard
619/675-1106 Fax: 619/675-0372 | http://www.smithmicro.com
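The protected-page approach described in the reply above, written out as a template pair. This is an added example, not code from the original post or from Pacific Coast Software: the file names (addrecord.tmpl), the database name (orders.db) and the field names are made up, and the exact spelling of the [append db=...]field=value[/append] arguments, the [url][/url] encoding context and the [!]...[/!] comment syntax are assumed from later WebDNA documentation rather than taken from the message. Only [protect admin,updater] and the idea of leaving $Append out of the form are from the post itself.

```webdna
[!]
  addform.html (constructed example): the submit target is a plain
  .tmpl link with no $command at all, the equivalent of $ShowPage.
  Nothing in this form can append to a database by itself.
[/!]
<form method="post" action="addrecord.tmpl">
  Name:  <input type="text" name="name">
  Email: <input type="text" name="email">
  <input type="submit" value="Add record">
</form>

[!]
  addrecord.tmpl (constructed example): the [protect] tag comes first.
  If the visitor has not authenticated as a member of the "admin" or
  "updater" group, WebDNA stops rendering here, so the [append] below
  is never reached. The form variables are still available as [name]
  and [email]; [url]...[/url] URL-encodes them so that a value containing
  "&" or "=" cannot smuggle extra fields into the record (assumed
  behaviour of the encoding context, not stated in the post).
[/!]
[protect admin,updater]
[append db=orders.db]name=[url][name][/url]&email=[url][email][/url][/append]
Record added for [name].
```

The security property the post relies on is that the only path to the [append] is through this one template, whose first action is the group check; a visitor who builds their own form pointed at orders.db gains nothing, because without $Append in the request the server does not perform an append, and with it the request is the very thing the post says not to allow. The [url] encoding is an extra caveat: because the post says form variables can be reused inside the context, the record is only as well-formed as the values are constrained.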