> A question I've had about Fusebox and security/stability. In
> some enterprise sites I've dealt with I've found it a good
> practice not to pass variables along the URL if possible. It
> becomes very easy for someone to "break" the app by altering
> URLs - something they actually have access to, as opposed to
> FORM variables, (or session & client vars, etc.). If fuseactions
> are passed through the URL, doesn't this lead to the same
> "instability"?
This isn't really an issue for two reasons.
1. As long as the script is filtering input correctly, and providing default
options, passing the wrong attributes won't make any difference.
2. More importantly, it's not the case that the user can't tamper with form
variables, or anything else that is passed from the browser (cookies, CGI
parameters). It's very easy to tamper with hidden form variables - the user
can simply save the HTML file locally, modify the form values to be what
they want them to be, add the complete URL for the form action so that it
goes to the action page on the server, load the page in their browser, and
submit away. For cookies and CGI parameters, a little scripting is helpful,
but that's no protection from a malicious and minimally knowledgeable user.
Any data coming from the browser is subject to tampering.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
------------------------------------------------------------------------------
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
To Unsubscribe visit
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a
message to [EMAIL PROTECTED] with 'unsubscribe' in the body.
