For clarification:
Never trust what's coming from the browser. You ALWAYS have to check
the data on the server side, because someone could simply re-create
your HTML form providing wrong or even malicious data like e.g. SQL
injections! Firebug just offers an easier way to manipulate the form
data.
Though additional form field validation on the client side (via
JavaScript) can be useful to provide better usability (on-the-fly
checking of values) and can also reduce server traffic.
But again, NEVER rely on client-side validation!

Sebastian

On Jun 15, 6:00 pm, Erik Krause <[email protected]> wrote:
> On 15.06.2010 15:00, Peter Valdemar Mørch wrote:
>
> > But this is security-by-obscurity, me thinks. If the client has a way of
> > knowing/guessing the hash algorithm (e.g. if this is to be an open
> > source application), then the client can just change both the value and
> > the hash and thus pass validation. No, the server needs to store the
> > value_on the server_, completely out of reach of the client, and
> > associate it with the session somehow for this to be secure.
>
> I don't think this is the right forum for this kind of discussion.
> However, client and user do not need to be the same in this case. And
> using a hash value is still way better than disabling firebug (and other
> tools that display hidden fields).
>
> --
> Erik Krause
> http://www.erik-krause.de
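As an added example, not code from anyone in this thread: one way to put Sebastian's and Peter's points into practice is a server-side handler that keeps the authoritative value in the session (out of the browser's reach), re-validates every submitted field, and passes field contents to the database only as bound parameters. The session store, form field names and the SQLite table are assumed for illustration.

```python
import sqlite3

# Constructed session store: the price the server quoted lives here, out of the
# browser's reach, instead of being trusted from the hidden field that echoes it.
SESSIONS = {"sess-abc": {"item_id": 42, "unit_price_cents": 1999}}

def validate_order(session_id, form):
    """Re-check every submitted field on the server; raise ValueError on anything off."""
    session = SESSIONS.get(session_id)
    if session is None:
        raise ValueError("unknown session")
    # The hidden field is compared against the session copy, so a value edited in
    # the browser (e.g. with Firebug) is detected and rejected rather than honoured.
    if form.get("unit_price_cents", "") != str(session["unit_price_cents"]):
        raise ValueError("hidden price field does not match server-side value")
    qty = form.get("quantity", "")
    if not qty.isdigit() or not 1 <= int(qty) <= 99:
        raise ValueError("quantity must be an integer between 1 and 99")
    email = form.get("email", "").strip()
    if "@" not in email or len(email) > 254:
        raise ValueError("email address is not valid")
    return {"item_id": session["item_id"], "unit_price_cents": session["unit_price_cents"],
            "quantity": int(qty), "email": email}

def new_db():
    # In-memory SQLite database standing in for the real order store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (item_id INT, unit_price_cents INT, quantity INT, email TEXT)")
    return conn

def store_order(conn, order):
    """Bound parameters: field contents are data, never part of the SQL statement."""
    conn.execute("INSERT INTO orders VALUES (?, ?, ?, ?)",
                 (order["item_id"], order["unit_price_cents"], order["quantity"], order["email"]))
    return conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]

def handle_submission(conn, session_id, form):
    """Return (accepted, message); the database is reached only through validation."""
    try:
        order = validate_order(session_id, form)
    except ValueError as err:
        return False, str(err)
    total = store_order(conn, order)
    return True, f"order stored ({total} in table)"

if __name__ == "__main__":
    db = new_db()
    good = {"unit_price_cents": "1999", "quantity": "2", "email": "alice@example.com"}
    print(handle_submission(db, "sess-abc", good), handle_submission(db, "sess-abc", dict(good, unit_price_cents="1")))
```

Client-side JavaScript checks can still run in front of this for usability; the server path above is the one that decides.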

-- 
You received this message because you are subscribed to the Google Groups 
"Firebug" group.