Can't the Referer be manipulated too, though?

> -----Original Message-----
> From: BORKMAN Lee [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, May 06, 2001 9:11 PM
> To: Fusebox
> Subject: RE: Managing program flow
>
>
> Yes, but you can possibly live with hidden fields as long as you always
> check for a trusted referer.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
>
>
> Hi,
> Well Erik, it is absolutely going to cause security hazards if you are using
> hidden variables in your page.
>
> Consider this: for example, you store the price of a product as a hidden
> variable. Now if the user saves the page to his system, reduces the
> price and then submits the page, you will never know whether the price is
> correct or incorrect, as there will be no cross-check with the price in the
> database.
>
>
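
The point raised in this thread, as an added example that is not part of any poster's message: the Referer header arrives from the client just like the hidden field, so checking it does not validate a posted price, while pricing the order from the server's own data does. The catalog, URL and request below are constructed, and Python stands in here for the list's ColdFusion.

```python
# Added example (not from the thread). CATALOG, TRUSTED_REFERER and the
# request dicts are constructed stand-ins for the database and the form post.
from decimal import Decimal

CATALOG = {"sku-100": Decimal("49.95")}        # authoritative prices (server side)
TRUSTED_REFERER = "https://shop.example/cart"  # hypothetical page that renders the form


def total_trusting_referer(headers, form):
    """Weak: accepts the hidden 'price' field whenever the Referer looks right."""
    if headers.get("Referer") != TRUSTED_REFERER:
        raise PermissionError("untrusted referer")
    return Decimal(form["price"]) * int(form["qty"])


def total_from_catalog(headers, form):
    """Hardened: ignores any posted price and prices the order from the catalog."""
    sku = form["sku"]
    if sku not in CATALOG:
        raise ValueError("unknown product")
    qty = int(form["qty"])
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return CATALOG[sku] * qty


def price_mismatch(form):
    """Detection aid: True when a posted hidden price differs from the catalog."""
    posted = form.get("price")
    return posted is not None and Decimal(posted) != CATALOG.get(form["sku"])


# Constructed request: the form was saved locally, the hidden price edited, and
# the post sent with a Referer header chosen by the client.
EDITED_POST = {
    "headers": {"Referer": TRUSTED_REFERER},
    "form": {"sku": "sku-100", "qty": "2", "price": "0.01"},
}

if __name__ == "__main__":
    print(total_trusting_referer(**EDITED_POST))  # edited price passes the check
    print(total_from_catalog(**EDITED_POST))      # catalog price is charged
    print(price_mismatch(EDITED_POST["form"]))    # worth logging for review
```

Logging `price_mismatch` hits gives operations a signal that a form was altered, even though the hardened handler never uses the posted value.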