On 26 Dec 2011, at 16:40, Richard Gaskin wrote:

> Sivakatirswami wrote:
> 
> >> We have hackers on our web server getting in thru one domain... I think
> >> there is a hole in WordPress.
> ...
> >> I can't wait until we move our site over to RevIgniter; I think it will be
> >> much more secure!
> 
>   Any of you have a similar LiveCode function to sanitize data?

Example code from the LC Server powered widestep.fr SaaS eCMS and vertical-market
web apps semantic-driven generator:

1.- The HTTP POST request sanitizer

> function start_somelivecode_lib
>    # exact item match on the User-Agent: a substring test ("is in") would accept any fragment of the list
>    if $_server[http_user_agent] is among the items of "livecode (macos),livecode (win32),livecode (ios)" and "somedomainnamecomesthere" is $_SERVER["HTTP_HOST"] then
>       
>       ### active sub-domain retriever : start ###
>       
>       put "yourdatabasetype" into DbTarget ; put "thedatabasename" into DbName
>       put "thedatabaseuser" into DbUser ; put "thedatabasepwd" into DBPasswd
>       
>       # collect the incoming POST keys, one per line
>       repeat for each key k in $_POST
>          put k & return after PostIn
>       end repeat
>       put trim(PostIn) into PostIn
>       
>       if "somepostkey1=" is char 1 to length("somepostkey1=") of PostIn or "somepostkey2=" is char 1 to length("somepostkey2=") of PostIn or "somepostkey3=" is char 1 to length("somepostkey3=") of PostIn
>       then put "specialservicestablename" into CustEditors
>       else if "somepostkey4=" is in PostIn then
>          
>          set itemdel to "&"
>          put trim(char 8 to -1 of item -1 of PostIn) into aspecialmatchboxvalue # Constant 1 #
>          put item 1 to -2 of PostIn into PostIn
>          
>          # different related "file://" server-side service paths come here
>          
>          # different related db table linkers come here
>          
>       end if
>       
>       ### active sub-domain retriever : end ###
>       
>    else return pseudo404()
> 
> ...

2.- The undisclosed HTTP GET request sanitizer code follows here

3.- The server-side incoming request controller:

> function pseudo404
>    # RIA clients get a token they can parse; anything else gets a plain 404 page
>    if $_server[http_user_agent] is among the items of "livecode (macos),livecode (win32),livecode (ios)" then
>       return "unsuitable credentials<===>unsuitable credentials"
>    else
>       return "<HTML><HEAD><TITLE>ERROR: File Not Found</TITLE></HEAD><BODY><H1>File Not Found</H1></BODY></HTML>"
>    end if
> end pseudo404
> 
> 
> function somelivecode_lib_main_ctl
>    if $_server[http_user_agent] is among the items of "livecode (macos),livecode (win32),livecode (ios),livecode (android)" then
>       
>       put trim(PostIn) into PostIn
>       # the request key is everything before the first "="
>       get char 1 to -1+offset("=",PostIn) of PostIn
>       
>       if it is "" and char 1 to -1+offset("=",encel(PostIn)) of encel(PostIn) is "someknownkey1" then put pgSQL_directCall(encel(PostIn)) # credit
>       else if it is "someknownkey2" then put someknownkey2(PostIn)
>       else if it is "someknownkey3" then put someknownkey3(PostIn)
>      ...
>       else if it is "someknownkeyN" then put someknownkeyN(PostIn)
>       else put pseudo404()
>       
>    else put pseudo404()
> end somelivecode_lib_main_ctl

4.- The undisclosed authentication-dedicated sanitizer follows here

...

Comment1: Any incoming request needs to be accepted by these different kinds of
controllers before it is passed on to the authentication one. If something doesn't
match, the server app just goes to sleep after sending the pseudo404 response to the
unwanted request attempt (with, optionally, blacklisting features, caching,
etc.).

Comment2: this code sanitizes RIA client requests; the code doesn't need to be
very different to match non-AJAX web client requests and AJAX web client ones,
but it needs to be everywhere ;-)

HTH,

> 
> --
> Richard Gaskin
> Fourth World
> LiveCode training and consulting: http://www.fourthworld.com
> Webzine for LiveCode developers: http://www.LiveCodeJournal.com
> LiveCode Journal blog: http://LiveCodejournal.com/blog.irv
> 
> _______________________________________________
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your subscription 
> preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode

--
Pierre Sahores
mobile : 06 03 95 77 70
www.sahores-conseil.com
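As an added example, not code from the message above and not the widestep.fr code, here is the same controller chain written in Python so it can be run as-is: a User-Agent allowlist, then a POST sanitizer that refuses the whole request on any unknown key, duplicate key, malformed pair, oversized body or value that fails its pattern, then dispatch on the first allowlisted key, with every other path ending in pseudo404(). The key names, validators, handlers and the in-memory accounts table are assumptions made for the example. The User-Agent is chosen by the client, so it only selects the refusal format and is never treated as a credential, and the database lookup is parameterised even though the id has already been validated.

```python
import re
import sqlite3
from urllib.parse import parse_qsl

# Added example: an allowlist request controller in the spirit of the
# sanitizer chain in the message above. It is not the widestep.fr code;
# every key name, validator, handler and row below is a hypothetical assumption.

# Client User-Agent strings the app expects. A User-Agent is chosen by the
# client, so here it only selects the refusal format; it is never a credential.
KNOWN_AGENTS = frozenset({"livecode (macos)", "livecode (win32)",
                          "livecode (ios)", "livecode (android)"})

# Allowlisted POST keys with the exact value shape each must satisfy
# (checked with fullmatch, so a trailing newline cannot slip past a "$" anchor).
VALIDATORS = {
    "somepostkey1": re.compile(r"[A-Za-z0-9_-]{1,64}"),   # opaque token
    "somepostkey2": re.compile(r"[1-9][0-9]{0,9}"),       # positive integer id
    "somepostkey3": re.compile(r"[a-z0-9.-]{1,253}"),     # host-like label
}
MAX_BODY = 4096  # refuse oversized bodies before parsing them at all

# Constructed in-memory table so the handler's parameterised query runs offline.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT)")
DB.executemany("INSERT INTO accounts VALUES (?, ?)", [(1, "alice"), (2, "bob")])
DB.commit()


def pseudo404(headers):
    """Uniform refusal: RIA clients get a token they can parse, anything else
    gets a plain 404 page. Same status either way, so probing learns nothing."""
    agent = headers.get("user-agent", "").strip().lower()
    if agent in KNOWN_AGENTS:
        return 404, "unsuitable credentials<===>unsuitable credentials"
    return 404, ("<HTML><HEAD><TITLE>ERROR: File Not Found</TITLE></HEAD>"
                 "<BODY><H1>File Not Found</H1></BODY></HTML>")


def sanitize_post(body):
    """Return {key: value} for a body that passes every check, else None.
    Refused: empty or oversized body, malformed pair, duplicate key,
    unknown key, value not matching its pattern. The whole request is
    refused, never partially accepted."""
    if not body or len(body) > MAX_BODY:
        return None
    try:
        pairs = parse_qsl(body, keep_blank_values=True, strict_parsing=True)
    except ValueError:          # a pair without "=" or an empty pair
        return None
    fields = {}
    for key, value in pairs:
        if key in fields or key not in VALIDATORS:
            return None
        if VALIDATORS[key].fullmatch(value) is None:
            return None
        fields[key] = value
    return fields


def handle_key1(fields):
    return "token accepted: " + fields["somepostkey1"]


def handle_key2(fields):
    # Validation above guarantees a bare positive integer; the query is still
    # parameterised, so the value never becomes part of the SQL text.
    row = DB.execute("SELECT name FROM accounts WHERE id = ?",
                     (int(fields["somepostkey2"]),)).fetchone()
    return "account: " + (row[0] if row else "none")


# Dispatch order is the dict order: the first allowlisted key present wins.
HANDLERS = {"somepostkey1": handle_key1, "somepostkey2": handle_key2}


def main_ctl(headers, body):
    """Controller: agent check, then sanitizer, then dispatch; every other
    path ends in pseudo404()."""
    if headers.get("user-agent", "").strip().lower() not in KNOWN_AGENTS:
        return pseudo404(headers)
    fields = sanitize_post(body)
    if fields is None:
        return pseudo404(headers)
    for key, handler in HANDLERS.items():
        if key in fields:
            return 200, handler(fields)
    return pseudo404(headers)   # validated key with no handler (e.g. somepostkey3)


if __name__ == "__main__":
    ua = {"user-agent": "LiveCode (MacOS)"}
    print(main_ctl(ua, "somepostkey2=2"))                          # (200, 'account: bob')
    print(main_ctl(ua, "somepostkey2=2 OR 1=1"))                   # refused by the validator
    print(main_ctl(ua, "somepostkey1=abc&evilkey=x"))              # unknown key, refused
    print(main_ctl({"user-agent": "curl/7.0"}, "somepostkey2=2"))  # browser-style 404 page
```

sanitize_post() returns None rather than a partial dict so a caller can never act on a half-accepted request, and every refusal carries the same status code, so a prober cannot tell an unknown key from a bad value or a wrong User-Agent.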