Re: A question about security
This WebDNA talk-list message is from 1998
It keeps the original formatting.
> In the Wcat preferences, you can specify all commands that you want to be
> used by anonymous visitors by (Allow Commands).
> If I want to use an online store like Tea Room, I have to allow commands
> like replace, add, search, delete and so on.

No, the TeaRoom does not require that anybody be given replace/append/delete abilities, because during the normal course of finding and buying a product you never need to execute those commands. Note that the Add command only refers to adding items to a shopping cart, not Appending new records to a database. Only people who are logged on as ADMIN group have the right to perform a URL-based Append/Replace/Delete. We have been very careful to ensure that your data stays secure.

> But now, ANY user can edit ANY record in ANY database used by Wcat on my
> server, if he is smart enough to understand the command syntax.

We have provided an alternate way to add/replace/delete records: using embedded WebDNA tags like [Add] [Replace] [Delete], you can cause databases to be modified. The way these tags are protected is by putting them in a page that has the [Protect] tag at the top, which prevents the rest of the page from being executed if the user is unauthorized.

---------------
[protect admin]
[delete db=xx.db&eqSKUdata=1234]
---------------

Anybody in the world can hit this URL, but only people who type in an admin password will cause it to execute the embedded WebDNA.

Grant Hulbert, V.P. Engineering | ==== eCommerce for the Rest of Us ====
Pacific Coast Software | WebCatalog, WebMerchant,
11770 Bernardo Plaza Court | SiteEdit Pro, PhotoMaster,
San Diego, CA 92128 | Typhoon
619/675-1106 Fax: 619/675-0372 | http://www.smithmicro.com/