Well yes it is now kinda off topic, people with a filter on OT will now miss our replies :)

Modifying the source is a Netscape friend.. How many times I had to clear some CSS from the source because goddamn Netscape can't render all CSS attributes.. How many times I modified the source to close an ending tr tag because I just saw a plain blank page even if all the HTML is in the source. Netscape is not friendly with poor HTML coders, and even huge websites have bad coding for Netscape.

Concerning security, the best thing is to keep everything server side. If you have a database you keep all info in the database, and the cookie is only sending a sessionID which was created when the user logged in. The sessionID contains only a random number/other; I generate an MD5 from a combination of username/pass/remote address. That sessionID is recorded in your users table, along with the IP address, so if a hacker reads that cookie, he can only use it from the same IP address, and he needs to use it before the session expiration (your script asks for a re-login if the user was idling for more than x minutes). That way it's almost impossible to hack; the hacker would have either to catch the username and password that was sent ONCE at the beginning of the session, or catch the cookie, use it from the same IP address and less than 2 minutes after the last action from the logged-in user.

The same method may apply to the form values: if it's important data, i.e. credit card info, first you send it through SSL and then you store it in a temporary table, let's say, until the user finishes entering, let's say, the shipping address. Then you can use the info from the database table and never send personal data back and forth from and to the script.
But that is more complicated than the original question about the 5 pages form :-)

Etienne

[EMAIL PROTECTED] wrote:
>
> > -----Original Message-----
> > From: Etienne Marcotte [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, December 12, 2001 10:53 AM
> > To: [EMAIL PROTECTED]
> > Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > Subject: Re: Passing arrays across forms
> >
> > You take the source, modify the value of hidden fields, and then hit
> > enter when your browser points to c:/local/path/file.html
>
> [JOHN] Ooooohhhhh... I never thought of doing that. Thanks for the
> education!
>
> > For sure the script can check the referring address to see if it's on the
> > server, but as Jenda stated a while ago, a "good" hacker will be able to
> > telnet your webserver and put whatever he wants in the header to fake
> > the referring url.
>
> [JOHN] Still, a great reason to check referrers in your script. If a
> hacker is already into your system enough to get around that, what more can
> you do? (Rhetorical question, this thread is probably off-topic enough
> already!) Cookies can be faked and/or copied too, can't they? Although the
> hacker would have to have some idea what it needs to look like to create it
> from scratch. And GET parameters are the easiest of all to fake!
>
> > As for accessing the param(), there are some good ways; again Jenda made
> > the most wonderful module for people like me that don't really like
> > modules :) It takes the post/get data and parses it, without
> > ...
>
> [JOHN] Thanks for mentioning that module again, I missed it the first
> time around.
>
> - John

--
Etienne Marcotte
Specifications Management - Quality Control
Imperial Tobacco Ltd. - Montreal (Qc) Canada
514.932.6161 x.4001

--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
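Worked example of the server-side session scheme Etienne describes (the cookie carries only a session ID, the ID is bound to the address recorded at login, an idle timeout forces a re-login, and multi-page form values live in a server-side table instead of hidden fields), added here and not code from the thread. It swaps a random token from Python's `secrets` in for the MD5-of-credentials, uses an in-memory dict as a stand-in for the users table, and all class, method and parameter names are assumptions.

```python
import secrets
import time

IDLE_TIMEOUT_SECONDS = 120  # from the post: ask for a re-login after 2 idle minutes


class SessionStore:
    """All session state lives here; the cookie carries only the session ID."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS, clock=time.time):
        self._sessions = {}          # session_id -> {"user", "ip", "last_seen", "form"}
        self._idle_timeout = idle_timeout
        self._clock = clock          # injectable so the timeout can be tested

    def login(self, username, remote_addr):
        """Called once, after the caller has verified the password (assumed)."""
        # Swapped-in technique: a random token instead of an MD5 of
        # username/pass/address, so the ID reveals nothing about the credentials.
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": username, "ip": remote_addr,
                               "last_seen": self._clock(), "form": {}}
        return sid

    def lookup(self, sid, remote_addr):
        """Username for a valid cookie, else None (the script asks for a re-login)."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if sess["ip"] != remote_addr:
            # Cookie presented from another address: reject, leave the session untouched.
            return None
        now = self._clock()
        if now - sess["last_seen"] > self._idle_timeout:
            del self._sessions[sid]  # expired: a copied cookie is now worthless
            return None
        sess["last_seen"] = now      # activity resets the idle clock
        return sess["user"]

    def save_step(self, sid, remote_addr, step, values):
        """Keep one page of a multi-page form server side, not in hidden fields."""
        if self.lookup(sid, remote_addr) is None:
            return False
        self._sessions[sid]["form"][step] = dict(values)
        return True

    def form_data(self, sid, remote_addr):
        """All steps collected so far, or None if the session is invalid."""
        if self.lookup(sid, remote_addr) is None:
            return None
        return self._sessions[sid]["form"]
```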