You can't control what the client browser sends to the server (as hackers
can spoof almost anything that's sent), so you need to treat all data from
the client as suspicious until proven otherwise! This means validating
any data that is submitted to your application before your application
makes use of it. So if the BL says that a user can't change the value of
field X in situation Y, then your code must be sure to check that they
haven't done so when you process the submission.
Muhammad Momin Rashid wrote:
Hello All,
In my application, I have a scenario in which the user is allowed to update the
information pertaining to his/her account. The pages are localised and on
the basis of this localisation, some fields are updateable in one scenario,
while others are not.
The problem is that a "smart enough user" can still figure out field names (from
viewing the source of the page where he/she adds the information for the first
time) and re-write the request parameters by hand, thereby changing the
values of the fields which are not supposed to be updated, e.g. a user can
type in the URL http://ourweb.com/someAction.do?fieldX=xyz. In this scenario,
fieldX is updated in the session, and gets posted to the database.
It may be worthwhile to mention that the objects that hold and carry the
data are the same in the case of different locales (only the localised JSP pages
allow updating of different fields). Hence the business logic layer and the
database layer simply pass the object on for persistence etc.
Any idea on the best way to tackle this problem?
Regards,
Muhammad Momin Rashid.
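The check the reply recommends, as an added example that is not part of either message and not code from the poster's application: the submitted parameters are filtered against a per-locale allowlist of updateable fields on the server before anything is copied into the shared account object, so a hand-edited fieldX in the query string is rejected rather than persisted. The `Account` class, the locale names, the field names and the `UPDATEABLE_BY_LOCALE` policy are all constructed for this example; a real application would derive the allowed set from its own business rules, not from anything sent by the client.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class AccountUpdateGuard {

    // Hypothetical stand-in for the single data object shared by all locales.
    static final class Account {
        final Map<String, String> fields = new LinkedHashMap<>();
    }

    // Constructed policy: which fields the user may change, per locale.
    // This lives on the server and is never influenced by request data.
    static final Map<String, Set<String>> UPDATEABLE_BY_LOCALE = Map.of(
        "en_US", Set.of("displayName", "phone"),
        "de_DE", Set.of("displayName")
    );

    // Vulnerable pattern: every submitted parameter is copied straight into the
    // object, so a parameter the form never rendered (e.g. fieldX) still lands
    // in the session and later in the database.
    static void updateUnchecked(Account acct, Map<String, String> params) {
        acct.fields.putAll(params);
    }

    // Hardened pattern: reject the whole submission if it touches any field that
    // is not updateable for this locale. Returning the offending names lets the
    // caller log them, which is also a useful tampering signal for monitoring.
    static List<String> updateChecked(Account acct, String locale, Map<String, String> params) {
        Set<String> allowed = UPDATEABLE_BY_LOCALE.getOrDefault(locale, Set.of());
        List<String> rejected = new ArrayList<>();
        for (String name : params.keySet()) {
            if (!allowed.contains(name)) {
                rejected.add(name);
            }
        }
        if (!rejected.isEmpty()) {
            return rejected;          // nothing applied; account left untouched
        }
        acct.fields.putAll(params);   // only reached when every field is permitted
        return rejected;              // empty list: update applied
    }

    public static void main(String[] args) {
        // Constructed request: the legitimate displayName plus a hand-added fieldX.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("displayName", "Momin");
        params.put("fieldX", "xyz");

        Account unchecked = new Account();
        updateUnchecked(unchecked, params);
        System.out.println("unchecked: " + unchecked.fields);
        // unchecked: {displayName=Momin, fieldX=xyz}  <- fieldX got through

        Account checked = new Account();
        List<String> rejected = updateChecked(checked, "de_DE", params);
        System.out.println("rejected : " + rejected);
        System.out.println("checked  : " + checked.fields);
        // rejected : [fieldX]
        // checked  : {}  <- submission refused, nothing persisted
    }
}
```

The important design choice is that the allowed set is keyed by something the server already knows (the locale of the page it rendered), not by hidden fields or parameter names echoed back from the browser, and that an unexpected parameter fails the request instead of being silently dropped, so tampering attempts show up in the logs.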
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]