P2: How to make webcatalog more stable. - LONG
This WebDNA talk-list message is from 1999
In my previous message, I talked about checking for blank fields, and properly utilizing the [URL] tag to clean data before it is looked at.

You have to realize how important it is to wrap user entered fields in URL tags any time you touch them! This prevents WebCatalog from interpreting any malicious stuff.

But, hey, I promised you the fun of bombing your own server! Not one to let you down on my word, here's some code, from a page I call Ishtar.tpl

------------------
[showif [doit]=T]
[setheader cart=[cart]]header1=[field1][/setheader]
This input: [field1] did not bomb the server.
[/showif]
-------------------

Nothing shown above, by itself, should bomb your server. Now when you run this page, try these values in the text input:

Your name
AT&T
Your Email Address
PCS Rocks!
Jack & Jill

Which one(s) of the above bombed the server?

If your server is like all of the versions of WebCatalog with all of the versions of WebSTAR I've run it on, anything with an ampersand will cause a) the CGI to die and be relaunched (sometimes it stalled I think, but I can't remember now...), b) the plug-in to cause WebSTAR to give an application bomb and die.

Why? This took me a while to figure out. I'm going to just show you two examples below, see if you can step through them before I explain it...

[setheader cart=[cart]]name=[name]&header1=[company]&address1=[address]...

[setheader cart=123456]name=Bob S.&header1=AT&T&address1=123 West main...

If you look above, WebCatalog isn't smart enough to realize that at&t is a field value, and tries to set header1=AT and set a header named T ...well... to nothing. I could speculate that WebCatalog itself doesn't have enough error trapping going on, and simply overflows its array looking for this mysterious field T, but only Grant knows the truth on this...

I'm really curious for feedback from all of you on how this works on different platforms.

The workaround is to wrap each and every field you set in the headers in a URL, kind of like this:

[setheader cart=[cart]]name=[url][name][/url]&header1=[url][company][/url]&address1=[url][address][/url]...

As for using commands to set headers (showcart, purchase) we at MMT have entirely given up on them (thus losing a significant portion of WebCatalog's e-commerce abilities), because they neither allow for error checking the data before it is set, nor do they properly encode the data set in the headers. (our experience, YMMV)

This problem also plagues the database activities of appending and replacing data in your databases (without the bombing.) YOU MUST WRAP ANY USER ENTERED FIELDS IN [URL] TAGS TO PREVENT BAD INFORMATION FROM POSSIBLY CAUSING DATA CORRUPTION PROBLEMS.

---------------

Alright, it's your turn. What did I miss? Did I screw up any of the above examples? What do you all want to hear about next?

Brian B. Burton
BOFH - Department of Redundancy Department
---------------------------------------------------------------
MMT Solutions - Specializing in Online Shopping Solutions
973-808-8644 http://www.safecommerce.com

By three methods we may learn wisdom: First, by reflection, which is noblest; Second, by imitation, which is easiest; and third by experience, which is the bitterest. Confucius
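As an added illustration (not code from the post, and not WebCatalog's own implementation), a small Python model of the header string the post describes: a naive name=value&name=value parser, the unencoded build that turns "AT&T" into header1=AT plus an empty header "T", and the encoded build that stands in for wrapping each value in [url]...[/url]. The parser, field names and the pre-check helper are assumptions modelling the behaviour the post reports.

```python
"""Model of the delimiter-injection bug from the post: a header string
built as name=value&name=value from raw user data.  Assumed behaviour,
not WebCatalog's actual code."""
from urllib.parse import quote, unquote

# Constructed sample input, taken from the post's example values.
FIELDS = {"name": "Bob S.", "header1": "AT&T", "address1": "123 West main"}


def build_raw(fields):
    """Unsafe: mirrors [setheader]name=[name]&header1=[company]... (no encoding)."""
    return "&".join(f"{k}={v}" for k, v in fields.items())


def build_encoded(fields):
    """Safe: mirrors wrapping every value in [url]...[/url] before [setheader]."""
    return "&".join(f"{k}={quote(v, safe='')}" for k, v in fields.items())


def parse_header_string(s):
    """Naive name=value&name=value parser of the kind the post describes:
    split on '&' first, then on the first '='.  A token with no '='
    becomes a header with an empty value (the post's mysterious header T)."""
    headers = {}
    for token in s.split("&"):
        if not token:
            continue
        key, sep, value = token.partition("=")
        headers[key] = unquote(value) if sep else ""
    return headers


def unsafe_values(fields):
    """Pre-check before [setheader]: which fields carry the delimiters
    ('&' or '=') that would be misparsed if they were sent unencoded."""
    return sorted(k for k, v in fields.items() if "&" in v or "=" in v)


if __name__ == "__main__":
    # Raw build: 'AT&T' is split and a bogus empty header 'T' appears.
    print(parse_header_string(build_raw(FIELDS)))
    # Encoded build: every field round-trips intact.
    print(parse_header_string(build_encoded(FIELDS)))
    print(unsafe_values(FIELDS))  # ['header1']
```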