denstar wrote: > On Sun, Aug 17, 2008 at 2:08 AM, Jochem van Dieten wrote: >> denstar wrote: >>> On Sat, Aug 16, 2008 at 6:15 AM, Jochem van Dieten wrote: >>>> I haven't mentioned this before because I do believe that filtering >>>> request URLs is the wrong approach >>> Care to elaborate on this? >> Filtering means "allow unless it matches". A security measure should be >> "deny unless it matches".
> Or maybe you've got a simple solution, to how one would limit URL > requests to only allowable values? I don't think simple solutions exist. The closest I have seen that still was simple yet appeared to be somewhat effective was a company that did something akin to hungarian notation. They had all their variables typed like user_uuid and article_int and they did type / bounds checking in the webserver, throwing security errors on every type mismatch or occurence of a variable without the type declared. Jochem ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311154 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4