Am I missing something here?  Why do you need to pass any sensitive info in
the form?  Pass the productID and quantity...then use the productID to pull
other info to be displayed.  No need to pass things that could compromise
your business.  Do your order totaling, shipping, etc. from the price in the
db for that productID.

I would take an extra trip to the db over a price cut any day.

Chris

-----Original Message-----
From: Patrick McElhaney [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 07, 2001 8:48 AM
To: Fusebox
Subject: RE: Managing program flow


Can't the Referer be manipulated too, though?

> -----Original Message-----
> From: BORKMAN Lee [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, May 06, 2001 9:11 PM
> To: Fusebox
> Subject: RE: Managing program flow
>
>
> Yes, but you can possibly live with hidden fields as long as you always
> check for a trusted referer.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
>
>
> Hi,
> Well Erik, it is absolutely going to cause security hazards if you are using
> hidden variables in your page.
>
> Consider this: for example, you store the price of a product as a hidden
> variable. Now if the user saves the page to his system and reduces the
> price and then submits the page, you will never know whether the price is
> correct or incorrect, as there will be no cross check with the price in the
> database.
>
>
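To make the thread's point concrete, here is an added example (not code from any poster, and Python rather than ColdFusion) contrasting a handler that trusts a hidden price field with one that takes only productID and quantity from the form and prices the order from the server-side catalogue; the catalogue dict and product IDs are constructed stand-ins for a database lookup. The Referer header does not appear anywhere because, as Patrick notes, it is also client-supplied and gives the server nothing to trust.

```python
from decimal import Decimal, InvalidOperation

# Constructed stand-in for the products table; in the real app this is
# a query on productID against the database.
CATALOG = {"sku-100": Decimal("19.99"), "sku-200": Decimal("5.00")}


def total_trusting_hidden_fields(form):
    """Vulnerable: the price is read back from a hidden field the client controls."""
    return Decimal(form["price"]) * int(form["quantity"])


def total_from_database(form):
    """Hardened: the form supplies only productID and quantity; the price is
    looked up server-side. Returns (total, None) on success or (None, reason)
    when the submission is rejected."""
    product_price = CATALOG.get(form.get("productID"))
    if product_price is None:
        return None, "unknown productID"
    try:
        quantity = int(form.get("quantity", ""))
    except ValueError:
        return None, "quantity is not an integer"
    if not 1 <= quantity <= 1000:
        return None, "quantity out of range"
    return product_price * quantity, None


def hidden_price_mismatch(form):
    """Detection aid while legacy pages still post a price field: True when the
    posted price disagrees with the database value, which is worth logging
    as a tampering indicator even though the posted value is never used."""
    product_price = CATALOG.get(form.get("productID"))
    try:
        posted = Decimal(form.get("price", ""))
    except InvalidOperation:
        return True
    return product_price is None or posted != product_price


if __name__ == "__main__":
    # Constructed submission: the page was saved to disk and the hidden
    # price edited from 19.99 down to 0.01 before being posted back.
    tampered = {"productID": "sku-100", "quantity": "2", "price": "0.01"}
    print("trusting hidden field:", total_trusting_hidden_fields(tampered))  # 0.02
    print("priced from database:", total_from_database(tampered))  # (Decimal('39.98'), None)
    print("mismatch detected:", hidden_price_mismatch(tampered))  # True
```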
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm

Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
