[Javascript] Maximum length of an id
Peter Brunone
peter at brunone.com
Tue Sep 11 12:48:48 CDT 2007
If you're worried about SQL injection, why wouldn't you just take care of that when designing your server-side code?
Besides, couldn't someone just write a parser that takes your HTML and finds whatever the encrypted ID is now... and then uses *that* to submit whatever data they want?
----------------------------------------
From: Terry Riegel <riegel at clearimageonline.com>
The reason for encrypting is because the id would "mean" something to
the server, and someone could determine what it means to the server
and change it to get the server to do something the page never wanted
it to do.
I think I can illustrate by showing an example without an encrypted id.
This is the data from my database. It is record number 01234
If I take this example and then write some snazzy Javascript to post
new data to the server, then I have just exposed my database. All
someone would have to do is determine how my post is working and
change recordid-01234 to recordid-01231 or something like that.
Does that make sense?
Terry
On Sep 7, 2007, at 3:38 PM, Terry Riegel wrote:
> Hello all,
>
> I am working on a text editing mechanism for my web sites. I am
> looking at something like
>
>
> My editable text will be here
>
>
> I plan on encrypting the ID so that it couldn't be meddled with and
> save to some other area of the site. I have several ideas for how
> this will work, and am open to any suggestions on that aspect
> (encrypting the id that is).
>
> My main question for this group is, is there any limit on the number
> of characters that can be found in an ID attribute?
>
>
> Thanks,
>
> Terry Riegel
> _______________________________________________
> Javascript mailing list
> Javascript at lists.evolt.org
> http://lists.evolt.org/mailman/listinfo/javascript
>
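An added example, not part of the original thread or anyone's actual code: a sketch of the server-side check discussed above, where the posted id is treated as untrusted input and the save is authorized against the logged-in session rather than against anything in the page. The `RECORDS` store, the session shape, the `saveEdit` function and the length limit are all hypothetical, constructed for illustration.

```javascript
// Constructed sample data: record ids mapped to their owner and current text.
const RECORDS = new Map([
  ['01234', { owner: 'terry', text: 'This is the data from my database.' }],
  ['01231', { owner: 'alice', text: 'A record the page never offered for editing.' }],
]);

const ID_PATTERN = /^recordid-(\d{5})$/; // accept only the exact id shape the page emits
const MAX_TEXT_LENGTH = 10000;           // assumed limit on submitted text

// The server decides from its own state (the authenticated session),
// never from what the page happened to contain.
function saveEdit(session, postedId, newText) {
  if (!session || typeof session.user !== 'string') {
    return { status: 401, error: 'not logged in' };
  }
  const match = typeof postedId === 'string' ? ID_PATTERN.exec(postedId) : null;
  if (!match) {
    return { status: 400, error: 'malformed id' };
  }
  if (typeof newText !== 'string' || newText.length > MAX_TEXT_LENGTH) {
    return { status: 400, error: 'invalid text' };
  }
  const record = RECORDS.get(match[1]);
  // Same response for "missing" and "not yours" so ids cannot be enumerated.
  if (!record || record.owner !== session.user) {
    return { status: 404, error: 'no such record' };
  }
  // With a real database this would be a parameterized UPDATE,
  // with the id and the text bound as values.
  record.text = newText;
  return { status: 200 };
}

function demo() {
  const terry = { user: 'terry' };
  return [
    saveEdit(terry, 'recordid-01234', 'edited').status,       // own record
    saveEdit(terry, 'recordid-01231', 'tampered').status,     // id changed in the POST
    saveEdit(terry, "recordid-01234' OR '1'='1", 'x').status, // id carrying SQL text
    saveEdit(null, 'recordid-01234', 'x').status,             // no session
  ];
}

console.log(demo());
```

With this check in place the id in the markup does not need to be secret, and an encrypted id copied from someone else's page would fail the same ownership test.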