Re: A question about security

This WebDNA talk-list message is from 1998.


>In the Wcat preferences, you can specify all commands that you want to be
>used by anonymous visitors by (Allow Commands).
>If I want to use an online store like Tea Room, I have to allow commands
>like replace, add, search, delete and so on.

No, the TeaRoom does not require that anybody be given replace/append/delete abilities, because during the normal course of finding and buying a product you never need to execute those commands. Note that the Add command only refers to adding items to a shopping cart, not Appending new records to a database. Only people who are logged on as ADMIN group have the right to perform a URL-based Append/Replace/Delete. We have been very careful to ensure that your data stays secure.

>But now, ANY user can edit ANY record in ANY database used by Wcat on my
>server, if he is smart enough to understand the command syntax.

We have provided an alternate way to add/replace/delete records: using embedded WebDNA tags like [Add] [Replace] [Delete], you can cause databases to be modified. The way these tags are protected is by putting them in a page that has the [Protect] tag at the top, which prevents the rest of the page from being executed for an unauthorized user.

---------------
[protect admin]
[delete db=xx.db&eqSKUdata=1234]
---------------

Anybody in the world can hit this URL, but only people who type in an admin password will cause it to execute the embedded WebDNA.

Grant Hulbert, V.P. Engineering | ==== eCommerce for the Rest of Us ====
Pacific Coast Software | WebCatalog, WebMerchant,
11770 Bernardo Plaza Court | SiteEdit Pro, PhotoMaster,
San Diego, CA 92128 | Typhoon
619/675-1106 Fax: 619/675-0372 | http://www.smithmicro.com/

Associated Messages, from the most recent to the oldest:

    
  1. Re: A question about security (Kenneth Grome 1998)
  2. Re: A question about security (Grant Hulbert 1998)
  3. A question about security (Matthias Precht 1998)
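The reply above describes two access paths: URL-based commands, which are restricted by an allow list plus the ADMIN group, and embedded tags on a page, which are guarded by a [protect group] tag that stops the rest of the page from executing for an unauthorized visitor. The following Python is an added, constructed model of that decision logic, written for this archive page; it is not WebDNA's own code, and the allow list, the group name "admin", the sample database and the audit helper are assumptions made for illustration. It also covers the caveat implied by "at the top": a [protect] tag only guards the tags that come after it, so a page that places a mutating tag before the [protect] tag runs that mutation for everyone.

```python
"""Constructed model (not WebDNA's own code) of the two access paths the post
describes: URL-based commands gated by an allow list and the ADMIN group, and
embedded tags on a page gated by a [protect group] tag that halts execution of
everything after it for an unauthorized visitor."""
import re

# Assumed allow list for anonymous visitors: a store flow only needs these.
# "add" here means add to a shopping cart, not append a record.
ANON_URL_COMMANDS = {"search", "add"}
MUTATING_COMMANDS = {"append", "replace", "delete"}

# Minimal tag grammar for the model: [protect group] and [verb key=val&key=val].
TAG = re.compile(r"\[(protect|append|replace|delete)\b([^\]]*)\]")


def handle_url_command(cmd, groups, db, sku=None):
    """URL-based command: anonymous allow list, mutations only for admin."""
    if cmd in ANON_URL_COMMANDS:
        return "ok"
    if cmd in MUTATING_COMMANDS and "admin" in groups:
        if cmd == "delete":
            db.pop(sku, None)
        return "ok"
    return "denied"


def render_page(template, groups, databases):
    """Execute embedded tags top to bottom. [protect group] halts the rest of
    the page for anyone not in that group, so tags after it never run."""
    log = []
    for m in TAG.finditer(template):
        tag, arg = m.group(1), m.group(2).strip()
        if tag == "protect":
            if arg not in groups:
                log.append("halted at [protect %s]" % arg)
                break
            continue
        params = dict(p.split("=", 1) for p in arg.split("&") if "=" in p)
        name, sku = params.get("db"), params.get("eqSKUdata")
        if tag == "delete" and name in databases:
            databases[name].pop(sku, None)
        log.append("%s %s %s" % (tag, name, sku))
    return log


def unprotected_mutations(template):
    """Audit helper (assumed, not a WebDNA feature): mutating tags that appear
    before any [protect] tag run for everyone, so report them for review."""
    found = []
    for m in TAG.finditer(template):
        if m.group(1) == "protect":
            break
        found.append(m.group(1))
    return found


# Constructed sample pages: the post's layout, and the same tags in the wrong order.
SAFE_PAGE = "[protect admin]\n[delete db=xx.db&eqSKUdata=1234]"
BAD_PAGE = "[delete db=xx.db&eqSKUdata=1234]\n[protect admin]"


def demo():
    dbs = {"xx.db": {"1234": "widget", "5678": "gadget"}}  # constructed data
    anon = render_page(SAFE_PAGE, frozenset(), dbs)            # halted, no delete
    admin = render_page(SAFE_PAGE, frozenset({"admin"}), dbs)  # record 1234 removed
    return anon, admin, sorted(dbs["xx.db"]), unprotected_mutations(BAD_PAGE)


if __name__ == "__main__":
    print(demo())
```

Running demo() shows an anonymous request stopping at [protect admin] with the database untouched, the same page deleting record 1234 for an admin, and the audit flagging the reordered page, where the delete would run before the protect tag is ever reached.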
