On Thu, Jul 10, 2003 at 01:29:06PM -0500, ryan whippo wrote:
> I have an application that passes params around in the url. We need to
> hide these for security reasons. We also don't want to have to change a
> lot of code. Any ideas?

Hiding params doesn't add any level of real security. So long as you are working with an HTML page, the end user can easily see what parameters are being passed, and can easily try sending different values for parameters.

The common method for "secure" params is to:

1) Never trust anything you get from the user. Perl's taint option can help remind you of this, but you need to understand WHY you shouldn't trust it. I can list many examples of bad ideas, but without knowing anything about your application, I'm not sure what examples to use. But in general terms, any statement you use user-supplied data in can be taken over if you don't check the data. If you are trying to drop a table name in an SQL statement, they can run any SQL statement. If you are reading a given file, they can read any file your webserver can read. If you are executing a shell command, they can wipe your files. There are, however, several standard and semi-standard ways of preventing this that aren't difficult. See the perlsec man page for more on this topic.

2) Any values that you don't want the user to be able to modify at whim should be stored server-side (by any number of means, see CGI::Session or Apache::Session for examples). Only a SessionID needs to be sent to the user (via cookie or as a param -- this is a long lasting debate, but both work).

Sorry, but you can't hide params in HTML...any attempt to do so will lead to a false sense of security. Far easier to secure the use of the params or use server-side that is free from tampering.

--
SwiftOne / Brett Sanger
[EMAIL PROTECTED]
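
Point 1 of the reply in practice, as an added example that is not part of the original post: each user-supplied parameter is matched against a strict pattern or allow-list before it reaches SQL or a file path. The table names, report directory and sample requests are constructed assumptions.

```perl
use strict;
use warnings;

# Constructed allow-list: the only tables this hypothetical app may query.
my %ALLOWED_TABLE = map { $_ => 1 } qw(orders invoices);
# Hypothetical directory holding the only files a request may name.
my $REPORT_DIR = '/var/www/reports';

# A table name cannot be a bound placeholder, so accept only known names.
# The regex capture is what untaints the value when run under perl -T.
sub checked_table {
    my ($param) = @_;
    return unless defined $param && $param =~ /\A([a-z_]{1,32})\z/;
    return $ALLOWED_TABLE{$1} ? $1 : undef;
}

# Numeric ids: ASCII digits only, bounded length.
sub checked_id {
    my ($param) = @_;
    return unless defined $param && $param =~ /\A([0-9]{1,9})\z/;
    return $1;
}

# File names: a single path component with a fixed extension, so "/" and
# ".." can never appear in the result.
sub checked_report_path {
    my ($param) = @_;
    return unless defined $param && $param =~ /\A([A-Za-z0-9_-]{1,64}\.txt)\z/;
    return "$REPORT_DIR/$1";
}

# Returns SQL text plus bind values, ready for a DBI prepare/execute pair.
sub build_query {
    my ($table_param, $id_param) = @_;
    my $table = checked_table($table_param);
    my $id    = checked_id($id_param);
    return unless defined $table && defined $id;
    return ("SELECT * FROM $table WHERE id = ?", $id);
}

# Constructed request parameters, hostile values included.
for my $r (['orders', '42'], ['orders; DROP TABLE users', '42'],
           ['users', '42'], ['invoices', '1 OR 1=1']) {
    my ($sql, @bind) = build_query(@$r);
    printf "%-30s %-12s => %s\n", "table=$r->[0]", "id=$r->[1]",
        defined $sql ? "$sql  bind=(@bind)" : 'rejected';
}
for my $f ('summary-2003.txt', '../../etc/passwd', 'summary.txt;rm') {
    printf "%-30s => %s\n", "file=$f", checked_report_path($f) // 'rejected';
}
```

Only the first request and the first file name are accepted; every other input is rejected before any SQL or path is built.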