I don't think security is any more of an issue with using a server-side
component than at any other time. The only thing you are doing is making
page requests to the server using JavaScript. Even without JavaScript,
anyone can make a request to the same file (function). So, security
is not any more of a factor (unless I am missing something). You
always have to deal with security when creating server-side
applications, so you should always make sure security is taken care
of.
--
// Robert Rainwater
On 2/14/2001, 5:19:56 PM EST, Henrik wrote about "[Dynapi-Help] Requirements of a
server-side companion for DynAPI":
> Something I got to thinking real hard about when scripting the serverTasks file I/O
> widget - which is actually a kind of in-script client/server type interface - was the
> security issue. How would you ensure that you aren't just making it easy for evil-minded
> hackers to do unwanted things to your website file structure and files? What seems to be
> the best way is to let the webmaster hardcode strict paths into a text file, to ensure
> that at least the user doesn't intentionally or unintentionally modify the wrong files,
> or in the wrong way, in any directory in the webserver structure. This method isn't
> waterproof either, but at least it restricts the available file paths if it's included
> in the server-side script that it must check the text file and ensure that the input
> file path is strictly true to one that is specified in the text file. The text file
> should of course not include its own path or it would be useless.
> Also I would advise to carefully consider whether the general server-side script
> should actually include rename and file-listing functions, as these could easily be
> misused. I've also been reconsidering actually including a delete function in my
> serverTasks file I/O widget. This should probably be one thing amongst others which
> should rather be left to the webmaster to do manually to ensure it's done right.
> Henrik Våglin [ [EMAIL PROTECTED] ]
> ----- Original Message -----
> From: "Doug Melvin" <[EMAIL PROTECTED]>
> To: "dynapi-help" <[EMAIL PROTECTED]>
> Sent: Thursday, February 15, 2001 12:59 AM
> Subject: [Dynapi-Help] Requirements of a server-side companion for DynAPI
> Rough draft:
> Add your comments and suggestions,
> then we'll make a second draft and do it again.
>
> DataBase access:
> -SQL implementation (rip code from or modify MySQL?)
> -getField('fieldname')
>     > get the value in field 'fieldname' for the selected record
> -setField('fieldname')
>     > set the value in field 'fieldname' for the selected record
> -SQLExecute('sqlstring')
>     > you would pass your "SELECT * FROM" or "DELETE ALL FOR"
>       statements to the DB engine here..
>
> File I/O (server-side):
> -directory navigation:
>   +list files
>   +change working dir
> -file streaming:
>   +Open file stream
>   +get X bytes from file stream
>   +get ALL from file stream
>   +write to file stream: append/insert/overwrite
>   +close file stream
> -file manipulation:
>   +copy file
>   +move file
>   +rename file
>   +delete file
>   +maybe batch versions of the above
>    (ie myFileStreamObject.rename('f*s.js','f*r.js') )
>
> Network Comm:
> Not sure what you would want for network comm..
> But I was thinking, you can make TCP/IP connections with an applet, right?
> So, on those platforms that don't support, say, LiveConnect for instance,
> your applet can make a network connection to your server-side component,
> which would then instruct your DynAPI to do something
> (using a queue I would assume, as you can't 'tell' jscript to do anything from the
> server...)
> ---
> _______________________________________________
> Dynapi-Help mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/dynapi-help
----------------------
DynAPI Snapshots: http://dynapi.sourceforge.net/snapshot/
DynAPI Homepage: http://dynapi.sourceforge.net/