On Sun, Aug 17, 2008 at 10:43 AM, Jochem wrote:
> denstar wrote:
>> Or maybe you've got a simple solution, to how one would limit URL
>> requests to only allowable values?
>
> I don't think simple solutions exist. The closest I have seen that still
> was simple yet appeared to be somewhat effective was a company that did
> something akin to hungarian notation. They had all their variables typed
> like user_uuid and article_int and they did type / bounds checking in
> the webserver, throwing security errors on every type mismatch or
> occurrence of a variable without the type declared.

That actually doesn't sound too painful.  More CPU-intensive compared
to what I've got now (unless my keyword blacklist keeps growing), but
pretty simple.

I get the idea of "deny, allow", but when you can cut out like 95% of
the crap with a super-fast "this is bad" type deal... hmm... my
real-world mind says go for it, while my programmer "perfect world"
mind knows it's not the "most secure" angle.

Stupid trade-offs!  Wish we could "pick all three", as the saying goes.

Heh.  I'm actually liking the idea of only passing ID numbers in the
url request, which would make for a simple rule. Hmm... What else
would you really need to pass besides a single token, the thread of
the web?  Am I thinking screwy, or what?

Doesn't do squat for form or anywhere else, I reckon-- but what's the
percentage of form submissions vs. url requests?  Eh.  Guess, like all
things, it sorta depends on what you're doing, and trying to do, etc.

Thanks Jochem, I always enjoy your correspondence.

:Denny

-- 
Catch, then, O catch the transient hour; Improve each moment as it flies!
St. Jerome


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311513
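The typed-parameter check Jochem describes above (every URL parameter carries a type suffix, and anything untyped or mismatched is a security error), plus the stricter "only ID numbers in the URL" rule Denny floats, as an added example. This is not code from the thread or from any product discussed on it; the suffix names (_int, _uuid, _str), the numeric bounds, the character rules and the sample queries are all assumptions made for illustration. It also includes a constructed, deliberately incomplete keyword blacklist of the "this is bad" kind, so the difference between the two approaches can be seen on the same probe.

```python
"""Allowlist ("deny by default") checking of URL query parameters by type suffix.

Added example, not code from the CF-Talk thread. The suffix convention
(_int, _uuid, _str), the numeric bounds and the sample queries are
assumptions made for illustration.
"""
import re
import uuid
from urllib.parse import parse_qsl, unquote


class SecurityError(ValueError):
    """Raised for any parameter that fails the declared-type check."""


# Assumed bounds: a non-negative signed 32-bit database id.
INT_MIN, INT_MAX = 0, 2**31 - 1
STR_MAX_LEN = 64
NAME_RE = re.compile(r"[a-z][a-z0-9_]*")
STR_RE = re.compile(r"[A-Za-z0-9 _.\-]*")


def _check_int(value):
    # ASCII digits only ("\d" would also admit Unicode digits that int() accepts),
    # and short enough that int() is never fed a huge string.
    if not re.fullmatch(r"[0-9]{1,10}", value):
        raise SecurityError(f"not an integer: {value!r}")
    n = int(value)
    if not INT_MIN <= n <= INT_MAX:
        raise SecurityError(f"integer out of bounds: {n}")
    return n


def _check_uuid(value):
    try:
        u = uuid.UUID(value)
    except ValueError:
        raise SecurityError(f"not a UUID: {value!r}") from None
    # uuid.UUID() also accepts braces, a urn: prefix and the hyphen-less
    # form; insist on the canonical 8-4-4-4-12 spelling only.
    if str(u) != value.lower():
        raise SecurityError(f"non-canonical UUID: {value!r}")
    return str(u)


def _check_str(value):
    if len(value) > STR_MAX_LEN or not STR_RE.fullmatch(value):
        raise SecurityError(f"string fails character/length rule: {value!r}")
    return value


TYPE_CHECKS = {"int": _check_int, "uuid": _check_uuid, "str": _check_str}
ID_TYPES = ("int", "uuid")


def validate_query(query_string, ids_only=False):
    """Return {name: typed_value} or raise SecurityError.

    Every parameter must carry a declared type suffix; with ids_only=True
    only *_int and *_uuid parameters are permitted (the "just pass ID
    numbers in the URL" rule).
    """
    if not query_string:
        return {}
    try:
        pairs = parse_qsl(query_string, keep_blank_values=True, strict_parsing=True)
    except ValueError as e:
        raise SecurityError(f"malformed query string: {e}") from None
    result = {}
    for name, value in pairs:
        if name in result:
            raise SecurityError(f"duplicate parameter {name!r}")
        base, sep, suffix = name.rpartition("_")
        if not sep or not NAME_RE.fullmatch(base) or suffix not in TYPE_CHECKS:
            raise SecurityError(f"parameter {name!r} has no declared type")
        if ids_only and suffix not in ID_TYPES:
            raise SecurityError(f"only id parameters allowed, got {name!r}")
        result[name] = TYPE_CHECKS[suffix](value)
    return result


def rejected(query_string, ids_only=False):
    """The error message if the query is refused, else None."""
    try:
        validate_query(query_string, ids_only=ids_only)
    except SecurityError as e:
        return str(e)
    return None


# Constructed, deliberately incomplete keyword blacklist of the fast
# "this is bad" kind discussed in the thread.
KEYWORD_BLACKLIST = ("select", "union", "<script", "../")


def blacklist_rejects(query_string):
    lowered = unquote(query_string).lower()
    return any(word in lowered for word in KEYWORD_BLACKLIST)


if __name__ == "__main__":
    good = "article_int=42&user_uuid=123e4567-e89b-12d3-a456-426614174000"
    probe = "article_int=42%20OR%201%3D1"  # constructed probe value
    print(validate_query(good))
    print("blacklist catches probe:", blacklist_rejects(probe))
    print("typed check catches probe:", rejected(probe))
```

The point the probe makes is the one Denny raises: the blacklist lets "42 OR 1=1" through because none of its keywords appear, while the typed check refuses it without needing to know what the payload was trying to do. The cost is that every parameter name has to carry its type, and the ids_only switch is the narrow profile where the URL carries nothing but integer or UUID identifiers.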