<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">I don't use SQL, so not trying to prevent this. Finding the encrypted ID now and submitting it is what the page would be designed to do. I wouldn't want that ID to be changed to allow changing other data.<div><br class="webkit-block-placeholder"></div><div>Terry</div><div><br class="webkit-block-placeholder"></div><div><br class="webkit-block-placeholder"></div><div><br class="webkit-block-placeholder"></div><div><br><div><div>On Sep 11, 2007, at 1:48 PM, Peter Brunone wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><br> If you're worried about SQL injection, why wouldn't you just take care of that when designing your server-side code?<br><br> Besides, couldn't someone just write a parser that takes your HTML and finds whatever the encrypted ID is now... and then uses *that* to submit whatever data they want?<br><br><font face="Tahoma, Arial, Sans-Serif" size="2"> <hr align="center" width="100%" size="2"> <b>From</b>: Terry Riegel <<a href="mailto:riegel@clearimageonline.com">riegel@clearimageonline.com</a>><br></font><br>The reason for encrypting is because the id would "mean" something to <br>the server, and someone could determine what it means to the server <br>and change it to get the server to do something the page never wanted <br>it to do.<br><br>I think I can illustrate by showing an example without an encrypted id.<br><br> <div class="editable" id="recordid-01234"><br>This is the data from my database. It is record number 01234<br></div><br><br>If I take this example and then write some snazzy Javascript to post <br>new data to the server, then I have just exposed my database. 
All <br>someone would have to do is determine how my post is working and <br>change recordid-01234 to recordid-01231 or something like that.<br><br>Does that make sense?<br><br>Terry<br><br><br><br><br>On Sep 7, 2007, at 3:38 PM, Terry Riegel wrote:<br><br>> Hello all,<br>><br>> I am working on a text editing mechanism for my web sites. I am<br>> looking at something like<br>><br>> <div class="editable" id="someidsotheserverknowswhattoupdate"><br>> My editable text will be here<br>> </div><br>><br>> I plan on encrypting the ID so that it couldn't be meddled with and<br>> save to some other area of the site. I have several ideas for how<br>> this will work, and am open to any suggestions on that aspect<br>> (encrypting the id that is).<br>><br>> My main question for this group is, is there any limit on the number<br>> of characters that can be found in an ID attribute?<br>><br>><br>> Thanks,<br>><br>> Terry Riegel<br>> _______________________________________________<br>> Javascript mailing list<br>> <a href="mailto:Javascript@lists.evolt.org">Javascript@lists.evolt.org</a><br>> <a href="http://lists.evolt.org/mailman/listinfo/javascript">http://lists.evolt.org/mailman/listinfo/javascript</a><br>><br><br>
</blockquote></div><br></div></body></html>