So much for "input type=hidden": it shows up in the 'VIEW SOURCE'!!
I had already put extra Validation rules in my TCF file that runs each time
a new TAF is executed.
However, I was ticked off that I could see all my "hidden??" postarg values
in the 'VIEW SOURCE'.
So I just wrote a METHOD that at least garbles the ARG names and ARG values
in the FORM screen, then un-garbles them for the resulting/next ACTION. I put
all the assigns for this inside an <@EXCLUDE>.
Well at least I feel better?
Here is a sample.
garbled (this is what you see in the 'VIEW SOURCE'):
<input type=hidden name="mljk0h0lgdeghjjptidhhmj" value="238484513038395">
ungarbled (this is what the next action gets):
VARNAME="deptid" value="78">
Then I can do the Validation.
Another important aspect from a liability point of view is to document all
your security policies & procedures in the Company books. I mean, if anything
BAD ever happens you want to be able to show that security has been a
constant priority with your business and that as a company you have been
working to protect your data with a standard that would be acceptable.
If a thief breaks into a doctor's office and steals a bunch of drugs and
patient data, the clinic owner might or might not be in a lot of trouble
depending on how good or bad their building security is.
Thanks again, Janet
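An added example, not Janet's Witango METHOD and not code from the Witango project: instead of reversibly garbling the hidden ARG names and values, it signs the hidden args with a server-side HMAC so that the next ACTION can detect any edit made in the browser, and then still runs the normal validation on the "deptid" value. The key and the field values are constructed sample data.

```python
import hmac
import hashlib
from typing import Optional
from urllib.parse import urlencode, parse_qs

# Constructed sample secret. A real deployment keeps this in server config;
# it must never be written into the form itself.
SERVER_KEY = b"example-key-not-for-production"


def seal_hidden_args(args: dict, key: bytes = SERVER_KEY) -> str:
    """Encode hidden args as a query string followed by an HMAC-SHA256 tag.

    The values stay readable in VIEW SOURCE; hiding them gains nothing.
    What matters is that the next action can tell whether they were edited.
    """
    payload = urlencode(sorted(args.items()))  # '&' and '=' get escaped
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}&sig={tag}"


def open_hidden_args(token: str, key: bytes = SERVER_KEY) -> Optional[dict]:
    """Return the original args, or None if the tag is missing or wrong."""
    payload, sep, tag = token.rpartition("&sig=")
    if not sep:
        return None  # no signature at all: treat as tampered
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return {k: v[0] for k, v in parse_qs(payload, keep_blank_values=True).items()}


def validate_deptid(args: dict) -> Optional[int]:
    """Application validation still runs after the integrity check passes."""
    try:
        deptid = int(args.get("deptid", ""))
    except ValueError:
        return None
    return deptid if 1 <= deptid <= 999 else None  # assumed valid range


if __name__ == "__main__":
    token = seal_hidden_args({"deptid": "78"})
    print(token)                                  # what the browser sees
    print(open_hidden_args(token))                # {'deptid': '78'}
    print(open_hidden_args(token.replace("78", "1")))  # None: edited in browser
```

The signed token replaces the hidden field's value; the field name can stay plain, because the tag covers both names and values.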
-----Original Message-----
From: John McGowan [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 13, 2006 10:08 AM
To: [email protected]
Subject: Re: Witango-Talk: security issues and ARGS
Assume that *ANYTHING* coming from the browser (or something pretending
to be a browser) can be hacked...
/John
William M Conlon wrote:
> Actually, you need to assume that all input can be hacked; at least
> someone will try to put arbitrary data into your arguments, post or
> search, hidden or visible.
>
> And assume that cookies can be hacked.
>
>
> On Sep 12, 2006, at 4:51 PM, quicknote wrote:
>
>> I have made a couple of assumptions that might or might not be correct?
>> A hacker would have a hard time getting access to a 'hidden post arg'.
>> A hacker would have a hard time hacking into a report if the URL is
>> limited to "xwww.root/contact.taf?"
>
> Bill
>
> William M. Conlon, P.E., Ph.D.
> To the Point
> 345 California Avenue Suite 2
> Palo Alto, CA 94306
> vox: 650.327.2175 (direct)
> fax: 650.329.8335
> mobile: 650.906.9929
> e-mail: mailto:[EMAIL PROTECTED]
> web: http://www.tothept.com
>
> ________________________________________________________________________
> TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf
>
--
John McGowan
[EMAIL PROTECTED]
P 847.608.6900 x 110
F 847.608.9501