Re: A question about security

This WebDNA talk-list message is from 1998.


>I am just about to buy Wcat 2.1 Mac but now I am not sure if I understand the WCat manual correctly.
>
>In the Wcat preferences, you can specify all commands that you want to be used by anonymous visitors by (Allow Commands).
>If I want to use an online store like Tea Room, I have to allow commands like replace, add, search, delete and so on.
>
>But now, ANY user can edit ANY record in ANY database used by Wcat on my server, if he is smart enough to understand the command syntax.

Yes, that's right!

>Even if he has to find a fitting template to SEE contents, he can do enough to get me in serious trouble.
>
>Because I want to host an online store on my server, and also some confidential databases which I want to use for online games (I am using contexts there for security reasons), I guess I am in a bit of trouble now.
>
>Or am I missing something?

Yes, you're missing a lot ... :)

But don't worry, there's a lot to WebCatalog, so here are some hints for new users ...

The Tea Room is an OLD sample site, created quite some time ago, before the more secure [context] methods were available in WebCatalog.

URL-based commands still work, of course, and sometimes they are easier to use, but if you're not careful, using them can make your site inherently UNsecure ... since anyone with the knowledge of how to write a command into an URL can delete your entire database, for example, if you allow the delete command.

On the other hand, contexts, when used exclusively *instead* of URL-based commands, will eliminate your concerns about security forever. With contexts, you can disallow ALL commands. This makes your site totally secure against WebCat hackers, since contexts only exist within the files on the server itself ... and you're the only one who has access to those files, right? :)

Sincerely,
Ken Grome
808-737-6499
WebDNA Solutions
mailto:ken@webdna.net
http://www.webdna.net

Associated Messages, from the most recent to the oldest:

    
  1. Re: A question about security (Kenneth Grome 1998)
  2. Re: A question about security (Grant Hulbert 1998)
  3. A question about security (Matthias Precht 1998)
