Sure, I agree with that. And I'll say I did clarify that protecting against SQLI, XSS, XSF, and the like is a very different subject, and even if one has no valuable assets in their site, they're worth protecting against because that site could be defaced, used to launch attacks against others, etc.
I really was just saying that I don't think all situations where one might remove CF's hidden field approach would necessarily open a security hole.

/charlie

From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of shawn gorrell
Sent: Tuesday, March 10, 2009 4:59 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] over-stating security concerns? (was RE: ValidateAt parameter is effectively only client side )

That's how I feel about the whole "scriptprotect" thing. I think it is actually worse to put something in which creates a false sense of security than to do nothing at all.

_____

From: Dean H. Saxe <d...@fullfrontalnerdity.com>
To: discussion@acfug.org
Sent: Tuesday, March 10, 2009 4:56:19 PM
Subject: Re: [ACFUG Discuss] over-stating security concerns? (was RE: ValidateAt parameter is effectively only client side )

FWIW, I think Adobe and the CF team are doing a disservice to the community by supporting a known broken solution. It's time to get with the program and figure out a better way. I know Adobe has a strong security group, I'm just confused as to why they'd let something so obvious slide.

-dhs