Hi William
Wow! Thanks
I tend to use stored procedures (microsoft SQL server) so I assign the ARGS
to VARS.
I have not been using the BIND metatag, but I will definaelty get to work on
changing that.
So I can see some of the steps.
1) Assign the ARG to a VAR ( which I am already doing)
2) Use string function to define the length of the VAR and look
for and
discard too long VARS.
( I imagine here you would use an IF statement to STOP the
current action
if a too-long or suspect VAR is created.
3) USe the BIND mettag when using the VAR so that I can make the
datatype &
length explicit.
*******Question*******
How do you truncate an ARG, or do you do this is the ASSIGN action?
How do you tell if an ARG has been truncated?
I use the <@PURGE> tag for VARS how do get rid of suspect ARGS?
Does the name of the ARG matter like NAME=PASSWORD, should I make this
less obvious?
Thanks again for the reply with so much important information.
JAnet QSN
-----Original Message-----
From: William M Conlon [mailto:[EMAIL PROTECTED]
Sent: Monday, September 11, 2006 1:02 PM
To: [email protected]
Subject: Re: Witango-Talk: security issues and ARGS
Nothing's a stupid question when worried about hacking.
The most important things is to validate the args -- don't trust
anything!
Here's how I usually approach things:
1. I explicitly use <@SEARCHARG> and <@POSTARG>. In case someone is
looking for buffer overrun exploits by POSTing long arguments to your
search args.
2. I immediately truncating the arguments to the maximum length
allowed. I also throw an error if anything was truncated, as this
indicates either a programming error, or an attempt to hack.
3. I validate the type (char, numeric, date, or in the case of radio/
checkbox to the list of permitted values). I have a few others like
NANP (North American Numbering Plan) for phone numbers. This helps
to reduce dbms errors.
4. If you use DirectDBMS, then use <@BIND> or make sure any SQL
characters are escaped to avoid SQL injection attacks.
5. I have a custom error page that looks nice, but doesn't disclose
any info to hackers. The error handler also mails me the full error
trace (thanks, Scott).
On Sep 10, 2006, at 6:34 PM, quicknote wrote:
>
> I don't know anything about hacking, so this might be stupid
> question, but
> here it goes.
> In my 'enter.TAF' I use args names like password, userid, and then as
> necessary I assign them to variables with similar names.
> Do hackers look for args & vars with these types of names?
> Of course I keep these ARGS hidden and the site is encrypted etc,
> but I was
> just wondering if I should change the names of these args?
>
> Janet Case, QSN
>
> ______________________________________________________________________
> __
> TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf
Bill
William M. Conlon, P.E., Ph.D.
To the Point
345 California Avenue Suite 2
Palo Alto, CA 94306
vox: 650.327.2175 (direct)
fax: 650.329.8335
mobile: 650.906.9929
e-mail: mailto:[EMAIL PROTECTED]
web: http://www.tothept.com
________________________________________________________________________
TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf
________________________________________________________________________
TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf
