Re: Where is the secure setting for text variables?

This WebDNA talk-list message is from 2003.
The problem is that some legitimate browsers may not send the referrer at all and you could turn away good business.

- brian

On Dec 6, 2003, at 11:04 AM, Dan Strong wrote:

> Why not (on the landing page):
>
> [hideif [referrer]=[the_value_of_[this_url]_on "the_form.html"]]
> [redirect the_form.html]
> [/hideif]
>
> Is it that someone could fake out a 'referer' MIME header and beat it?
>
> -Dan
>
> On Sat, 06 Dec 2003 10:26:19 -0500
> Alex McCombie wrote:
>
>> On 12/6/03 2:22 AM, "CN Stuff" wrote:
>>
>>> I was thinking I could pass something from the previous page that was
>>> required on the posted page I could somehow thwart this loser. I guess
>>> I will just go with the referrer.
>>> Thanks
>>> Dale
>>
>> Dale, if you really want to stop this, try this logic.
>>
>> On the submittal page, have a search tag that searches a key database.
>> The database is simple..
>>
>> One field
>>
>> SKU   KEY
>> 1     23456787654
>>
>> That's it. The number is random.
>>
>> Set a trigger to be called say every 30 minutes or so that just calls a page
>> that simply does 2 things:
>>
>> replaces sku record 1 with a random number.
>>
>> Then replaces a key.inc that sits in globals or somewhere standard for you
>> with the same number.
>>
>> Then on the form page the inc file is inserted into a variable and on the
>> submittal the search string simply checks the key db against the value of
>> the key.inc
>>
>> Voilà, randomly rotating key number that updates itself automatically.
>>
>> There is a very small chance that someone who got the form before the number
>> changed when submitting it would get a mismatched number.
>>
>> This is easily resolved, if you're really concerned about it, by simply
>> using 2 numbers in the key.db.
>>
>> The 1 sku is the new number, and the 2 sku is the 1 sku moved down as number
>> one is changed. This guarantees you will never get mismatched failure and it
>> is pretty much as simple and secure.
>>
>> HTH
>> Alex
>>
>> Alex J McCombie              New World Media
>> Chief Information Officer    Box 124
>> 888/892.6379                 MartVille, NY 13111
>> Alex@NewWorldMedia.com       http://OurClients.com
>>
>> Interface Designer   WebDNA Programmer   Database Designer

--
Brian Fries, BrainScan Software -- http://www.brainscansoftware.com

-------------------------------------------------------------
This message is sent to you because you are subscribed to the mailing list.
To unsubscribe, E-mail to:
To switch to the DIGEST mode, E-mail to:
Web Archive of this list is at: http://webdna.smithmicro.com/

Associated Messages, from the most recent to the oldest:

    
  1. Re: Where is the secure setting for text variables? ( "Dan Strong" 2003)
  2. Re: Where is the secure setting for text variables? ( CN Stuff 2003)
  3. Re: Where is the secure setting for text variables? ( Donovan Brooke 2003)
  4. Re: Where is the secure setting for text variables? ( Donovan Brooke 2003)
  5. Re: Where is the secure setting for text variables? ( John Peacock 2003)
  6. Re: Where is the secure setting for text variables? ( Glenn Busbin 2003)
  7. Re: Where is the secure setting for text variables? ( Brian Fries 2003)
  8. Re: Where is the secure setting for text variables? ( "Dan Strong" 2003)
  9. Re: Where is the secure setting for text variables? ( Alex McCombie 2003)
  10. Re: Where is the secure setting for text variables? ( Terry Wilson 2003)
  11. Re: Where is the secure setting for text variables? ( CN Stuff 2003)
  12. Re: Where is the secure setting for text variables? ( "Dan Strong" 2003)
  13. Re: Where is the secure setting for text variables? ( Jesse Proudman 2003)
  14. Where is the secure setting for text variables? ( CN Stuff 2003)
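The rotating-key scheme in Alex McCombie's quoted message, ported to Python as an added example (this is not WebDNA, and not code from the list or from any of the posters). The one-field key database and the key.inc file are modelled by one in-memory object, the "every 30 minutes" trigger by a `rotate()` method driven by an injectable clock, and the two-SKU grace window by keeping the previous key alongside the current one. It goes beyond the post in two places: the key is a 128-bit CSPRNG token rather than a plain `[random]` number, and the comparison is constant-time. The class, function and result names are this example's own, and the form lifecycle in `simulate()` is constructed input.

```python
import hmac
import secrets
import time

# "every 30 minutes or so" from the quoted post; any interval works.
ROTATE_SECONDS = 30 * 60


class RotatingFormKey:
    """In-memory stand-in (constructed for this example) for the one-field
    key database plus the key.inc file from the post. Slot 1 is the current
    key, slot 2 the previous one, as in the two-SKU variant."""

    def __init__(self, rotate_seconds=ROTATE_SECONDS, now=time.time):
        self._now = now                    # injectable clock, so rotation can be tested
        self._rotate_seconds = rotate_seconds
        self._current = self._new_key()    # SKU 1
        self._previous = None              # SKU 2 (empty until the first rotation)
        self._rotated_at = now()

    @staticmethod
    def _new_key():
        # CSPRNG token instead of a plain [random] number: 128 bits, 32 hex chars.
        return secrets.token_hex(16)

    def rotate(self):
        """What the scheduled trigger page does: SKU 1 moves down to SKU 2,
        SKU 1 gets a fresh random value, key.inc is rewritten with the new SKU 1."""
        self._previous = self._current
        self._current = self._new_key()
        self._rotated_at = self._now()

    def _rotate_if_due(self):
        if self._now() - self._rotated_at >= self._rotate_seconds:
            self.rotate()

    def form_key(self):
        """Contents of key.inc: the value the form page embeds in a hidden field."""
        self._rotate_if_due()
        return self._current

    def is_valid(self, submitted):
        """The check on the submittal page: accept the current key or the
        previous one, so a form loaded just before a rotation still posts."""
        self._rotate_if_due()
        if not isinstance(submitted, str) or not submitted:
            return False
        candidate = submitted.encode("utf-8")
        for key in (self._current, self._previous):
            # constant-time compare: no timing leak on how much of the key matched
            if key is not None and hmac.compare_digest(key.encode("utf-8"), candidate):
                return True
        return False


def simulate(rotate_seconds=ROTATE_SECONDS):
    """Walk one form through its lifecycle on a fake clock and return what the
    submittal page would decide at each point (constructed scenario)."""
    clock = [0.0]
    store = RotatingFormKey(rotate_seconds, now=lambda: clock[0])
    key_on_form = store.form_key()              # visitor loads the form page
    results = {
        "direct_post_without_key": store.is_valid(""),     # a bot that never fetched the form
        "forged_key": store.is_valid("0" * 32),             # a guessed value
        "posted_right_away": store.is_valid(key_on_form),
    }
    clock[0] += rotate_seconds + 1              # the trigger fires while the form sits open
    results["posted_after_one_rotation"] = store.is_valid(key_on_form)   # still OK via SKU 2
    clock[0] += rotate_seconds + 1              # and fires once more
    results["posted_after_two_rotations"] = store.is_valid(key_on_form)  # now rejected
    return results


if __name__ == "__main__":
    for name, accepted in simulate().items():
        print(f"{name:28s} -> {'accepted' if accepted else 'rejected'}")
```

Two caveats a practitioner should keep in mind. First, the grace window is bounded: a form accepted after one rotation is rejected after two, so the rejection the post calls "very small chance" is reduced, not removed, and the interval should be chosen with slow form-fillers in mind. Second, the key is served to every visitor who loads the form page, so it only stops clients that post without first fetching the form; it is not tied to a session and is no substitute for a per-session token where cross-site request forgery is the concern.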
