I see your point, Anthony. I understand that while it's not possible to prevent hackers from getting the information they want, we can only make sure that it's hard to crack the nut. Also, if the basics are implemented right (which I know web2py does in-built [http://www.web2py.com/book/default/chapter/01#Security]), we may be able to prevent such things from happening to some extent with proper validations etc. I think this whole conversation clears a lot of the air surrounding security. It's only about how good we are at implementing things and concealing secure parameters.
Thank you,
Sincerely,
Rahul D (www.flockbird.com)

On Tuesday, March 13, 2012 9:13:05 PM UTC+5:30, Anthony wrote:
>
>> Well I have these two files attached with my pyjamas application
>> bootstrap.js and bootstrap_progress.js. These are from the same web2py -
>> pyjamas application example that is available online. I happened to try it.
>> I find that although they have code in js, I don't find the database
>> parameters.
>
> What "database parameters"? Are you talking about form fields? If there is
> a form submission, open the browser developer tools, submit the form, and
> you will be able to observe the outgoing request, including all post
> variables sent to the server -- you don't even have to look at the source
> code to know how the app sends form submissions. A hacker could then create
> their own spoofed post requests. Anyway, the details of how to construct
> and submit a form have to be represented somewhere in the HTML and/or JS
> code -- someone who knows Pyjamas will be able to figure it out. Again, you
> can make it more difficult for non-technical users to easily inspect your
> code, but you cannot prevent hackers from seeing what your client-side code
> is doing. Do not rely on client-side code obscurity as your only protection.
>
> Anthony
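The practical consequence of Anthony's point is that every field a form submits has to be re-validated on the server, because the browser's own checks (and any obscured JS) are not part of the trust boundary. The following is an added example, not code from this thread, from web2py or from Pyjamas: a framework-neutral handler that accepts only the fields the form is supposed to carry, re-checks each one, and computes the order total from a server-side price table rather than from anything the client sent. The field set, price table and the two sample POST bodies are constructed for illustration.

```python
import re
from decimal import Decimal

# Prices live on the server; a client-supplied price is never trusted (constructed table).
CATALOGUE = {"widget": Decimal("9.99"), "gadget": Decimal("24.50")}

# Exactly the fields the form is allowed to carry. Anything else is reported
# rather than silently ignored, so a tampered request shows up in the logs.
ALLOWED_FIELDS = {"email", "item", "qty"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MAX_QTY = 100


def validate_order(post):
    """Validate a POST body (dict of str -> str) and return (order, errors).

    On success `order` holds the server-computed total and `errors` is empty;
    on failure `order` is None and `errors` lists every problem found.
    Nothing here depends on what the browser did or did not enforce.
    """
    errors = []

    # Fields the form never defines can only come from a hand-built request.
    unexpected = sorted(set(post) - ALLOWED_FIELDS)
    if unexpected:
        errors.append("unexpected fields: " + ", ".join(unexpected))

    missing = sorted(ALLOWED_FIELDS - set(post))
    if missing:
        errors.append("missing fields: " + ", ".join(missing))
        return None, errors

    email = post["email"].strip()
    if not EMAIL_RE.match(email):
        errors.append("email is not well-formed")

    item = post["item"]
    if item not in CATALOGUE:
        errors.append("unknown item")

    qty = None
    try:
        qty = int(post["qty"])
    except ValueError:
        errors.append("qty is not an integer")
    else:
        if not 1 <= qty <= MAX_QTY:
            errors.append(f"qty must be between 1 and {MAX_QTY}")

    if errors:
        return None, errors

    # The total is derived from the server's price table; a "price" or "total"
    # field in the request would already have been rejected above.
    order = {"email": email, "item": item, "qty": qty,
             "total": CATALOGUE[item] * qty}
    return order, []


# Constructed sample requests, shaped like what the browser's developer tools
# show in the Network tab for a form submission.
LEGIT_POST = {"email": "alice@example.com", "item": "widget", "qty": "2"}
TAMPERED_POST = {"email": "alice@example.com", "item": "widget", "qty": "-5",
                 "price": "0.01", "is_admin": "1"}


if __name__ == "__main__":
    for name, post in (("legit", LEGIT_POST), ("tampered", TAMPERED_POST)):
        order, errors = validate_order(post)
        print(name, "->", order if order else errors)
```

The key design choice is the explicit allow-list of field names: rejecting unknown fields is what makes the extra `price` and `is_admin` parameters visible as errors, instead of being quietly dropped or, worse, mass-assigned into a record. web2py's own validators (`requires=IS_...` on a `Field`) cover the per-field checks in the same server-side spirit; the allow-list and the server-computed total are the parts a form library does not do for you.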