Nothing's a stupid question when worried about hacking.

The most important thing is to validate the args -- don't trust anything!

Here's how I usually approach things:
1. I explicitly use <@SEARCHARG> and <@POSTARG>, in case someone is looking for buffer overrun exploits by POSTing long arguments to your search args.
2. I immediately truncate the arguments to the maximum length allowed. I also throw an error if anything was truncated, as this indicates either a programming error or an attempt to hack.
3. I validate the type (char, numeric, date, or in the case of radio/checkbox, the list of permitted values). I have a few others like NANP (North American Numbering Plan) for phone numbers. This helps to reduce DBMS errors.
4. If you use DirectDBMS, then use <@BIND> or make sure any SQL characters are escaped to avoid SQL injection attacks.
5. I have a custom error page that looks nice, but doesn't disclose any info to hackers. The error handler also mails me the full error trace (thanks, Scott).

On Sep 10, 2006, at 6:34 PM, quicknote wrote:


I don't know anything about hacking, so this might be a stupid question, but
here it goes.
In my 'enter.TAF' I use args names like password, userid, and then as
necessary I assign them to variables with similar names.
Do hackers look for args & vars with these types of names?
Of course I keep these ARGS hidden and the site is encrypted etc, but I was
just wondering if I should change the names of these args?

Janet Case, QSN

________________________________________________________________________
TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf

Bill

William M. Conlon, P.E., Ph.D.
To the Point
345 California Avenue Suite 2
Palo Alto, CA 94306
   vox:  650.327.2175 (direct)
   fax:  650.329.8335
mobile:  650.906.9929
e-mail:  mailto:[EMAIL PROTECTED]
   web:  http://www.tothept.com

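The five steps in Bill's reply, carried through as one added example. This is not code from the thread or from Witango; it is a plain-Python sketch of the same pipeline (explicit argument source, truncate-and-reject, type validation including a NANP phone check, bound SQL parameters via sqlite3 as the <@BIND> analogue, and an error handler that logs the full trace but shows the client a generic page). The `request` dict shape, the `users` table, and the user records are constructed for the example.

```python
import logging
import re
import sqlite3
from datetime import date

log = logging.getLogger("search")


class ValidationError(ValueError):
    """Raised when an argument is too long or has the wrong shape."""


def get_arg(request, name, source):
    """Step 1: read an argument only from the source the page expects
    (search string vs. POST body), the analogue of <@SEARCHARG>/<@POSTARG>.
    `request` is a hypothetical dict {"query": {...}, "post": {...}}."""
    bucket = request["query"] if source == "search" else request["post"]
    return bucket.get(name, "")


def bounded(value, max_len):
    """Step 2: an over-long argument is never silently trimmed; the event is
    logged (programming error or probe) and the request rejected."""
    if len(value) > max_len:
        log.warning("argument truncated from %d to %d chars", len(value), max_len)
        raise ValidationError("argument exceeds maximum length")
    return value


# Ten-digit NANP number: NXX-NXX-XXXX with N in 2-9, optional separators.
NANP_RE = re.compile(r"^\(?([2-9][0-9]{2})\)?[ .-]?([2-9][0-9]{2})[ .-]?([0-9]{4})$")


def validate(value, kind, allowed=()):
    """Step 3: type checks; returns the value converted to its proper type."""
    if kind == "char":
        return value
    if kind == "numeric":
        if not value.isdigit():
            raise ValidationError("expected a number")
        return int(value)
    if kind == "date":
        try:
            return date.fromisoformat(value)
        except ValueError:
            raise ValidationError("expected a date as YYYY-MM-DD") from None
    if kind == "choice":  # radio buttons / checkboxes: a fixed permitted list
        if value not in allowed:
            raise ValidationError("value not in the permitted list")
        return value
    if kind == "nanp":
        m = NANP_RE.match(value)
        if not m:
            raise ValidationError("expected a North American phone number")
        return "".join(m.groups())
    raise ValueError(f"unknown kind {kind!r}")


def lookup_user(conn, userid):
    """Step 4: bind the value as a parameter (the <@BIND> analogue), so it is
    never spliced into the SQL text and needs no manual escaping."""
    cur = conn.execute("SELECT userid, phone FROM users WHERE userid = ?", (userid,))
    return cur.fetchone()


def handle_search(conn, request):
    """Steps 1-5 together. Returns (status, body); detail goes to the log,
    the body shown to the client never includes it (step 5)."""
    try:
        userid = validate(bounded(get_arg(request, "userid", "search"), 32), "char")
        sort = validate(bounded(get_arg(request, "sort", "search"), 8), "choice", ("asc", "desc"))
        return 200, {"user": lookup_user(conn, userid), "sort": sort}
    except ValidationError as exc:
        log.error("rejected request: %s", exc, exc_info=True)
        return 400, "That request could not be processed."
    except Exception:
        log.exception("unhandled error")  # full trace for the developer only
        return 500, "Something went wrong. The site owner has been notified."


def sample_db():
    """Constructed in-memory data set for trying the handler offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT, phone TEXT)")
    conn.execute("INSERT INTO users VALUES ('jcase', '4155550100')")
    return conn


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    db = sample_db()
    print(handle_search(db, {"query": {"userid": "jcase", "sort": "asc"}, "post": {}}))
    print(handle_search(db, {"query": {"userid": "o'brien", "sort": "asc"}, "post": {}}))
    print(handle_search(db, {"query": {"userid": "A" * 500, "sort": "asc"}, "post": {}}))
```

The apostrophe in `o'brien` is the point of the binding step: with the value passed as a parameter the query simply finds no row, where string-spliced SQL would have produced a DBMS error or worse. The 500-byte `userid` exercises step 2 and comes back as a generic 400, with the length and stack trace only in the log.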
