Okay, I've gotta bounce this off some other programmers who work with
Apache::ASP.
This has been reported twice.
Procedure:
User loads signup form
Result:
User sees somebody else's credit card data - VERY VERY VERY BAD
Attempts by programmer to recreate:
Fruitless.
Thoughts:
I store the form data in a variable. This is a 'my'-scoped variable in the
root file scope.
I then utilize this $frm variable in a subroutine that I call, without
passing the value. Utilizing it as a global variable, for the file, at
least.
The simplest case for example:
---index.asp---
<[EMAIL PROTECTED]>
<%
my $frm = $Request->Form();   # file-scoped lexical, not passed to Main()
Main(%Results);
sub Main {
%>various html stuff
<input type=text name="cc_number" value="<%=$frm->{'cc_number'}%>">
more html stuff<%
}
%>
---index.asp---
Now what has happened, reportedly twice (probably many more times),
is that the Main() subroutine displays the cc_number that was entered
BY A DIFFERENT SESSION!
The question is: is it at all possible that some other session (perhaps
within the same apache process) acquired some other value of $frm through
the persistent-across-page-loads value of $frm within Main? I think you
programmers can understand what I'm asking, though it seems muddled even
as I try to type it.
As I understood it, a file 'my' scoped variable would NOT be persisted
anywhere, but is considered global within subroutines in the same file.
Maybe I'm wrong. I know that it's ugly what I did there, and I have
revised my code to pass the $frm variable from the file scope to the
subroutine. Much prettier.
Your thoughts?
Skylos
- [EMAIL PROTECTED]
- The best part about the internet is nobody knows you're a dog.
(Peter Steiner, The New Yorker, July 5, 1993)
- Dogs like... TRUCKS! (Nissan commercial, 1996)
- PGP key: http://dogpawz.com/skylos/mykey.asc
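The behaviour the post asks about can be reproduced outside Apache entirely. The script below is an added example, not code from the post or from Apache::ASP; it assumes (as mod_perl registry handlers do, and as an approximation of how Apache::ASP compiles a page) that the persistent interpreter wraps the page in a named subroutine that is compiled once and then called for every request. The packages BuggyPage and FixedPage and the card numbers are constructed for the demo. BuggyPage mirrors the posted index.asp: a file-level `my $frm` referenced from a nested named sub without being passed in. FixedPage is the revision the poster describes, passing the form data as an argument.

```perl
#!/usr/bin/perl
# Added demo (not from the original post): shows why a nested named sub that
# uses a file-scoped `my` variable keeps the FIRST request's value once the
# enclosing code is compiled once and re-run per request.
use strict;
use warnings;

# Capture compile-time warnings so the tell-tale message can be shown.
our @compile_warnings;
BEGIN { $SIG{__WARN__} = sub { push @main::compile_warnings, $_[0] } }

# --- the posted pattern ------------------------------------------------------
package BuggyPage;   # hypothetical package standing in for the compiled page
sub handler {
    my $frm = shift;                     # stands in for $Request->Form()
    return Main();                       # $frm is NOT passed in
    # Named subs are created at compile time; Main binds to the $frm that
    # exists during the first call of handler() and never sees later ones.
    sub Main { return "cc_number=" . $frm->{cc_number} }
}

# --- the poster's revised pattern -------------------------------------------
package FixedPage;   # hypothetical package standing in for the revised page
sub handler {
    my $frm = shift;
    return Main($frm);                   # form data passed explicitly
    sub Main { my ($form) = @_; return "cc_number=" . $form->{cc_number} }
}

package main;

# Two simulated requests from different sessions hitting the same compiled page.
# Card numbers are constructed test values.
my @requests = (
    { session => 'A', cc_number => '4111-TEST-0001' },
    { session => 'B', cc_number => '5500-TEST-0002' },
);

print "Compile-time warning: $_"
    for grep { /will not stay shared/ } @compile_warnings;

for my $req (@requests) {
    printf "session %s  buggy page: %s  fixed page: %s\n",
        $req->{session},
        BuggyPage::handler($req),
        FixedPage::handler($req);
}
```

Run with plain `perl`. The compile-time warning `Variable "$frm" will not stay shared` is Perl telling you exactly what the post suspects: at the end of the first call to handler(), `$frm` is still referenced by Main, so Perl allocates a fresh `$frm` for the second call while Main keeps the old one. Session B therefore gets session A's card number from the buggy page, while the fixed page renders each session's own data. In a real server the "first call" is simply whichever request happened to arrive first after the child process compiled the page, which is why the problem is intermittent and hard to reproduce on a single developer workstation. Beyond passing `$frm` as an argument, running with warnings enabled and treating that warning as an error in review is the practical check for this class of data leak.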