Janet,

Nice ideas - and good point about the documentation!

Jason

-----

Jason Pamental
Director of Web Services
North Sails

Office: 401.643.1415
Fax: 401.643.1420
Mobile: 401.743.4406
On Sep 14, 2006, at 1:53 PM, quicknote wrote:

So much for "input type=hidden". It shows up in the 'VIEW SOURCE'!!
I had already put extra Validation rules in my TCF file that runs each time
a new TAF is executed.
However, I was "ticked off" that I could see all my "hidden??" postarg values
in the 'VIEW SOURCE'.
So I just wrote a METHOD that at least garbles the ARG names and ARG values
in the FORM screen, then
un-garbles them for the resulting/next ACTION. I put all the assigns for
this inside an <@EXCLUDE>.
Well, at least I feel better?
Here is a sample.
garbled (this is what you see in the 'VIEW SOURCE')
<input type=hidden name="mljk0h0lgdeghjjptidhhmj" value="238484513038395">

ungarbled (this is what the next action gets)
VARNAME="deptid" value="78">
then I can do the Validation

Another important aspect from a liability point of view is to document all
your security policies & procedures in the Company books. I mean if anything
BAD ever happens you want to be able to show that security has been a
constant priority with your business and that as a company you have been
working to protect your data with a standard that would be acceptable.
If a thief breaks into a doctor's office and steals a bunch of drugs and
patient data, the clinic owner might or might not be in a lot of trouble
depending on how good or bad their building security is.

Thanks again, Janet
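Garbling field names and values keeps them out of casual view, but anyone can still submit a different value for the next action. One server-side defence for the "deptid=78" case above, as an added example that is not code from this thread or from Witango (the secret key, field name and sample values are assumptions), is to bind each hidden value to its name with an HMAC, so a changed or swapped value is rejected before the normal validation rules run:

```python
import hmac
import hashlib

# Assumed server-side secret: loaded from config on the server, never emitted
# into the page. The hidden value itself stays readable in View Source; what
# the MAC protects is its integrity, not its secrecy.
SERVER_KEY = b"example-server-secret-replace-in-config"


def sign_hidden_value(name: str, value: str, key: bytes = SERVER_KEY) -> str:
    """Return 'value.mac' for use as a hidden field value.
    The field name is included in the MAC so a value signed for one field
    cannot be replayed in another (e.g. moving a 'deptid' token into 'userid')."""
    msg = f"{name}={value}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def render_hidden_input(name: str, value: str) -> str:
    """Emit the <input type=hidden> tag the form page would contain."""
    return f'<input type="hidden" name="{name}" value="{sign_hidden_value(name, value)}">'


def verify_hidden_value(name: str, submitted: str, key: bytes = SERVER_KEY):
    """Recompute the MAC over what the browser sent back.
    Returns the original value if it is intact, or None if the value, the
    MAC, or the field it was bound to has been altered. Business validation
    (the TCF rules in the thread) still runs on the returned value afterwards."""
    value, sep, mac = submitted.rpartition(".")
    if not sep:
        return None  # no MAC present at all
    expected = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None  # tampered value or MAC
    return value


if __name__ == "__main__":
    # Constructed flow: the form page emits deptid=78, the next action checks it.
    print(render_hidden_input("deptid", "78"))
    token = sign_hidden_value("deptid", "78")
    print(verify_hidden_value("deptid", token))                      # 78
    print(verify_hidden_value("deptid", "79." + token.split(".")[1]))  # None
```

The value is still visible in View Source, as the thread notes; the MAC only guarantees that what the next action receives is what the server put in the form, so the existing validation rules remain necessary.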
-----Original Message-----
From: John McGowan [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 13, 2006 10:08 AM
Subject: Re: Witango-Talk: security issues and ARGS


Assume that *ANYTHING* coming from the browser (or something pretending
to be a browser) can be hacked...

/John

William M Conlon wrote:
Actually, you need to assume that all input can be hacked; at least
someone will try to put arbitrary data into your arguments, post or
search, hidden or visible.

And assume that cookies can be hacked.


On Sep 12, 2006, at 4:51 PM, quicknote wrote:

I have made a couple of assumptions that might or might not be correct?
 A hacker would have a hard time getting access to a 'hidden post arg'.
 A hacker would have a hard time hacking into a report if the URL is limited
to "xwww.root/contact.taf?"

Bill

William M. Conlon, P.E., Ph.D.
To the Point
345 California Avenue Suite 2
Palo Alto, CA 94306
   vox:  650.327.2175 (direct)
   fax:  650.329.8335
mobile:  650.906.9929

________________________________________________________________________


--


John McGowan
P 847.608.6900 x 110
F 847.608.9501
