More on Form Security
Steve Thomas
sthomas at library.adelaide.edu.au
Tue Jan 6 18:39:50 EST 1998
At 11:44 AM 98/01/06 -0800, Elizabeth H. Hamilton wrote:
>I think I found the answer to my first question. The form I spoke of in my
>earlier post "Form Security" would not be secure because what would keep a
>user from using another form to call my script!? In their form, they could
>"hardcode" metacharacters into the place where I would have put the email
>addresses!
>
>Apparently the only secure route is to check all input on that field
>for metacharacters. Let me dust off my Perl regexes and get to work!
>
>Back to the drawing board! ;-)
Rather than hard code the email addresses in your form, why not hard code
them in your script, and just use markers (e.g. names) in your form. Then
the script could use the marker to look up a hash containing the actual
email addresses.
Users can manipulate your form, but they can't alter your script!
Steve
___________________________________________________________________________
Stephen Thomas, Senior Systems Analyst
Mail : Barr Smith Library, The University of Adelaide, South Australia 5005
Phone: (08) 8303 5190 Fax: (08) 8303 4369
Email: sthomas at library.adelaide.edu.au
URL : http://library.adelaide.edu.au/ual/staff/sthomas.html
** Unless otherwise stated, the content of this message reflects only my **
** own opinion, and not the policy of the University of Adelaide Library.**
"I must Create a System, or be enslav'd by another Man's" -- William Blake
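The lookup-table approach Steve describes, as an added example that is not part of the original thread (written in Python rather than Perl so it can be run as-is; the RECIPIENTS table, the function names, and the sendmail path are assumptions). The form sends only a marker such as `to=reference`; the script resolves it against a table it controls and rejects anything else. The unsafe variant is shown alongside purely to make the contrast visible: it interpolates the form's own address field into a shell command string, which is the hole the original post worried about.

```python
"""Added example, not code from the original post: resolve a form-supplied
recipient marker against a server-side table instead of trusting the
address itself. The table, names and sendmail path are assumptions."""
from urllib.parse import parse_qs

# Server-side table. The HTML form never carries an address, only a key.
# Users can edit the form they submit; they cannot edit this dict.
RECIPIENTS = {
    "reference": "reference-desk@example.org",
    "webmaster": "webmaster@example.org",
}

SENDMAIL = "/usr/sbin/sendmail"  # assumed path


class BadRecipient(ValueError):
    """Raised when the 'to' marker is missing, repeated, or not in the table."""


def resolve_recipient(query_string):
    """Return the real address for the 'to' marker in a CGI query string.

    Exactly one 'to' value is required and it must be a key of RECIPIENTS;
    the value itself is never used as an address, so metacharacters in it
    simply fail the lookup.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    markers = params.get("to", [])
    if len(markers) != 1:
        raise BadRecipient("exactly one 'to' marker required")
    try:
        return RECIPIENTS[markers[0]]
    except KeyError:
        raise BadRecipient("unknown recipient marker") from None


def sendmail_argv(query_string):
    """Build the sendmail invocation as an argv list, not a shell string.

    Passing a list to subprocess (shell=False) means no shell ever parses
    the address; combined with the table lookup, form input cannot reach
    the command line at all.
    """
    addr = resolve_recipient(query_string)
    return [SENDMAIL, "-oi", addr]


def unsafe_shell_command(query_string):
    """The pattern the thread warns about (for contrast only; never run it).

    The form's own address field is pasted into a shell pipeline string,
    so '|', ';', '<' and friends in the submitted value become commands.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    addr = params.get("to", [""])[0]
    return SENDMAIL + " " + addr


if __name__ == "__main__":
    # Constructed sample inputs: one honest submission, one hostile one.
    honest = "to=reference&body=hello"
    hostile = "to=nobody@example.org|cat%20/etc/passwd"

    print("argv:", sendmail_argv(honest))
    print("unsafe string:", unsafe_shell_command(hostile))
    try:
        resolve_recipient(hostile)
    except BadRecipient as e:
        print("rejected:", e)
```

The same idea generalises to any field a script would otherwise hand to a shell, a mail header, or a database: keep the set of legal values in the script, accept only a key from the client, and treat a failed lookup as an error rather than trying to scrub the raw value with regexes.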