>
> Now it could be very easy to pass wrong values using some hacking 
> techniques by malicious people (in short, hackers) and send wrong information 
> into the database.
>

Making your code invisible would not prevent hackers from submitting 
invalid values. The reason is that hackers can generate their own POST 
requests without using your web page at all -- they can use their own 
client to send arbitrary POST requests to your server (you can do it in 
Python using urllib or urllib2). The way to prevent hacked form submissions 
is to do server-side validation, including some form of cross-site request 
forgery protection (which web2py achieves by including a unique formkey in 
each form that is also stored in the user's session on the server for 
comparison). Of course, it also helps to do everything over SSL if you want 
to make sure third parties cannot observe/modify the communication.

Log in to your bank account and try viewing the page source -- you will 
likely see all the HTML code for form submissions, etc. Even banks are 
exposing page source code with no worries, as you cannot rely on obscuring 
page code for protection. Proper protection requires server-side validation 
(and of course making sure you don't send anything to the client that the 
user shouldn't be allowed to see).
 

> --> Also note here I am not exactly trying to lock "View page source" for 
> the end users, they may be able to do it as per default browsers' 
> functionality, but rather would see something very clean and no parameters 
> like the pyjamas example below, view serialized. 
>
> *<html><!-- auto-generated html - you should consider editing and
> adapting this to suit your requirements
> -->
> <head>
> <meta name="pygwt:module" content="TimeSheet">
> <link rel='stylesheet' href='TimeSheet.css'>
> <title>PyJamas Auto-Generated HTML file TimeSheet</title>
> </head>
> <body bgcolor="white">
> <script language="javascript" src="bootstrap.js"></script>
> <iframe id='__pygwt_historyFrame' style='width:0;height:0;border:0'></iframe>
> </body>
> </html>*
>
>
The source code isn't being hidden in the code above, it just isn't present 
in the main page. Instead, the code that generates the displayed page is in 
the linked Javascript file (which the user can easily view/download) and 
the iframe (for which you can also easily view the source code). You can 
make it more difficult for non-technical users to casually view your page 
code, but you cannot hide your code from hackers (even compiled Flash and 
Silverlight code can be decompiled).
 

> --> The above line *<body content="secure">  </body>* is *just a thought*: 
> some HTML tag could be defined or supported in HTML5 or above, or *even 
> maybe in web2py 2.0*, that would toggle secure page view and unsecure 
> page view ... 
> if secure is *True* - users would see some stuff very basic like the above 
> pyjamas example when viewing page source 
> else as usual - normal view page source (what it shows currently) 
>

Again, standard browsers could build in some kind of "hide the source code" 
functionality, but that wouldn't prevent a hacker from requesting a page 
from your site via some other means and viewing the source. Once you send 
your source code over the wire, you don't know what kind of client will be 
viewing it, so you cannot trust that client to keep it hidden.

Anthony

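To make the two points in Anthony's reply concrete (a hostile client never loads the page, so it can post any values it likes; the server therefore has to validate every field itself and check a per-form key held in the session), here is a small self-contained illustration. This is example code written for this note, not web2py's own formkey implementation and not anything from the original thread. The in-memory session dict, the field names (`employee`, `hours`), the hidden field name `_formkey` and the single-use key semantics are all assumptions made for the example.

```python
import hmac
import secrets

# Constructed stand-in for the per-user server-side session. In a real app
# this would be the framework's session object, keyed by a session cookie.
def new_session():
    return {"formkeys": set()}

def render_form(session):
    """Issue a fresh random formkey, remember it in the session, and return the
    hidden field the page would embed. The key is what ties a submission to a
    form this server actually served to this user."""
    key = secrets.token_hex(16)
    session["formkeys"].add(key)
    return {"_formkey": key}

def validate_fields(data):
    """Server-side field validation. Anything the browser's JavaScript checked
    is advisory only; this is the check that actually protects the database."""
    errors = {}
    try:
        hours = int(data.get("hours", ""))
    except ValueError:
        errors["hours"] = "must be an integer"
    else:
        if not 0 <= hours <= 24:
            errors["hours"] = "must be between 0 and 24"
    name = (data.get("employee") or "").strip()
    if not 1 <= len(name) <= 64:
        errors["employee"] = "required, at most 64 characters"
    return errors

def handle_post(session, data):
    """Return (accepted, reason). The formkey is checked first, with a
    constant-time comparison, then the fields. A key is consumed on use so a
    captured request cannot simply be replayed."""
    submitted = data.get("_formkey", "")
    match = next((k for k in session["formkeys"]
                  if hmac.compare_digest(k, submitted)), None)
    if match is None:
        return False, "invalid or replayed formkey"
    session["formkeys"].discard(match)
    errors = validate_fields(data)
    if errors:
        return False, errors
    return True, "stored"

def forged_submission():
    """What a hostile client sends: crafted directly (urllib, curl, anything),
    never having loaded the page, so no client-side check ever ran."""
    return {"employee": "mallory", "hours": "-40"}

def demo():
    """Walk through the cases the reply describes and return the outcomes."""
    session = new_session()
    results = {}
    # 1. Forged POST with no formkey: rejected before field validation.
    results["forged_no_key"] = handle_post(session, forged_submission())
    # 2. Legitimate submission using the key the server issued.
    form = render_form(session)
    good = {**form, "employee": "alice", "hours": "8"}
    results["legit"] = handle_post(session, good)
    # 3. Replay of the same request: key already consumed.
    results["replay"] = handle_post(session, good)
    # 4. Client that loaded the page but tampered with the values: the formkey
    #    is fine, so only server-side field validation catches it.
    form2 = render_form(session)
    tampered = {**form2, "employee": "alice", "hours": "-40"}
    results["tampered_values"] = handle_post(session, tampered)
    return results

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Case 4 is the one the thread is really about: hiding or minimising the page source changes nothing there, because the attacker can hold a perfectly valid formkey and still send values the page's own JavaScript would never have allowed. Only the `validate_fields` step on the server stops it.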