HTML/Middle-click/Security question...
Madison Kelly
linux-5ZoueyuiTZhBDgjK7y7TUQ at public.gmane.org
Wed Mar 14 02:44:06 UTC 2007
Mike, Brandon, Zbigniew and Fraser,
Thanks very kindly for all your detailed replies!
So knowing now that Get/Post isn't any more secure I'll have to
rethink how I handle security. I am happy to say that one piece of
advice you guys gave me, validating CGI variables, I am already doing.
:) Maybe I am getting too paranoid about this issue then?
It is good to know that POSTs aren't cached; so I will probably
stick to using forms for back end pages and allow GETs for front end
pages.
Specifically with regards to the search engine, I will change the
results to only point to public pages using normal
'http://foo.com/cgi-bin/script.cgi?var1=foo&var2=bar'. If the user is
logged in (and has privs), I'll show an "Edit" button which can use a
form to call the admin page.
So again, thank you all kindly! You've helped me understand security
a wee bit better. Also, I've bookmarked the OWASP site. :)
Madi
--
The Toronto Linux Users Group. Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
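As an added example (not from Madi's message or from the TLUG thread), here is a small Python handler illustrating the two points made above: parameters arriving via GET or POST are the same untrusted client input and are validated against an allow-list, and the edit action is gated on the server-side session's privileges rather than on the HTTP method. The var1/var2 names come from the URL in the message; the `action` parameter, the value patterns and the session fields are assumptions.

```python
import re
from urllib.parse import parse_qs

# Allow-list patterns for the CGI variables the script accepts.
# var1/var2 appear in the message's example URL; 'action' and the
# patterns are assumptions made for this example.
ALLOWED = {
    "var1": re.compile(r"^[A-Za-z0-9_-]{1,64}$"),
    "var2": re.compile(r"^[A-Za-z0-9_-]{1,64}$"),
    "action": re.compile(r"^(view|edit)$"),
}


def parse_params(method, query_string, body):
    """Collect parameters from whichever channel the request used.

    The query string (GET) and the request body (POST) are both written
    by the client, so they are parsed the same way and trusted equally:
    not at all.
    """
    raw = query_string if method == "GET" else body
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}


def validate(params):
    """Reject unknown parameter names and values outside the allow-list."""
    for name, value in params.items():
        pattern = ALLOWED.get(name)
        if pattern is None or not pattern.match(value):
            return False
    return True


def handle_request(method, query_string, body, session):
    """Return (status, message) for one request.

    'session' is the server-side session record (constructed here); its
    'priv' field is what gates the edit action, never the HTTP method.
    """
    params = parse_params(method, query_string, body)
    if not validate(params):
        return 400, "bad parameter"
    if params.get("action") == "edit":
        if not session.get("logged_in") or session.get("priv") != "admin":
            return 403, "edit requires admin privilege"
        return 200, f"edit form for {params.get('var1', '')}"
    return 200, f"public page for {params.get('var1', '')}"
```

A POST carrying `action=edit` from an anonymous session is refused exactly like the equivalent GET, which is the concrete form of "GET/POST isn't any more secure".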