Right, but I would argue that it is safe to store only the productID, not
the price, and calculate the price each time the display of it is needed by
hitting the DB. Passing checkout information in hidden form fields CAN be
secure, as long as you pass insecure data, not things like CC info, price,
tax info, etc.
NAT
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Monday, May 07, 2001 4:46 AM
> To: Fusebox
> Subject: RE: Managing program flow
>
>
> That wasn't my point. My point was the concept rather than the
> impementation
> attribute.
> Check out www.bratcatalog.com
> they do use hidden fields to store data and not at all secure.
> Amit Talwar
> Intellikaps
>
> -----Original Message-----
> From: Nat Papovich [mailto:[EMAIL PROTECTED]]
> Sent: Monday, May 07, 2001 9:52 AM
> To: Fusebox
> Subject: RE: Managing program flow
>
>
> Erik is smart enough to either not store price info in a form field or to
> check that price matches price for productID on order submission.
>
> > -----Original Message-----
> > From: BORKMAN Lee [mailto:[EMAIL PROTECTED]]
> > Sent: Sunday, May 06, 2001 6:11 PM
> > To: Fusebox
> > Subject: RE: Managing program flow
> >
> >
> > Yes, but you can possibly live with hidden fields as long as you always
> > check for a trusted referer.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> >
> >
> > Hi,
> > Well Erik It is Absoloutely going cause security hazards if you
> are using
> > hidden varables in your page.
> >
> > Conside this, for example you store price of a product as a hidden
> > variable. Now if the users saves the page to his system and reduces the
> > price and then submits the page you will never know that the price is
> > correct or incorrect as there will be no cross check with the
> price in the
> > database.
> >
> >
> > IMPORTANT NOTICE:
> > This e-mail and any attachment to it is intended only to be read
> > or used by
> > the named addressee. It is confidential and may contain legally
> > privileged
> > information. No confidentiality or privilege is waived or lost by any
> > mistaken transmission to you. If you receive this e-mail in
> error, please
> > immediately delete it from your system and notify the sender.
> > You must not
> > disclose, copy or use any part of this e-mail if you are not
> the intended
> > recipient. The RTA is not responsible for any unauthorised
> alterations to
> > this e-mail or attachment to it.
> >
> >
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at
http://www.fusionauthority.com/bkinfo.cfm
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
