[Javascript] Maximum length of an id

Terry Riegel riegel at clearimageonline.com
Tue Sep 11 13:23:34 CDT 2007


 > This sounds like security through obscurity,

Possibly, but take the following example.

<form action="update.cgi">
  <input type="text" name="myname">
  <input type="submit" name="Update">
</form>

Suppose your server is hosting update.cgi and I know that. If I
create a nefarious page like this and point it to your server, your
server will do nothing on it, as it will most probably need some
indication of state before conceding to actually do the update.

Ultimately that state is/can be determined in several ways. For  
example your server might place a session ID cookie that would be  
sent along with the request, that session ID might be part of the  
actual URL, it could be a hidden field, it could be tagged to the end  
of the URL etc. etc.

The server would receive the request and do some sort of lookup to  
determine the session ID and then it would load persistent variables  
from that session to determine where to save "myname" to.

What I would like to do is have that "state" information held in the
id of a div. This may be security by obscurity, but it seems to be no
different than the existing model(s) used by a server to determine
"state" with a stateless transport mechanism.

But alas I had originally posted that as a side question. My real  
question was/is "How long can an ID be".

Thanks,

Terry



On Sep 11, 2007, at 1:53 PM, Scott Reynen wrote:

> On Sep 11, 2007, at 11:17 AM, Terry Riegel wrote:
>
>> The reason for encrypting is because the id would "mean" something to
>> the server, and someone could determine what it means to the server
>> and change it to get the server to do something the page never wanted
>> it to do.
>>
>> I think I can illustrate by showing an example without an encrypted
>> id.
>>
>> <div class="editable" id="recordid-01234">
>>   This is the data from my database. It is record number 01234
>> </div>
>>
>> If I take this example and then write some snazzy Javascript to post
>> new data to the server, then I have just exposed my database. All
>> someone would have to do is determine how my post is working and
>> change recordid-01234 to recordid-01231 or something like that.
>>
>> Does that make sense?
>
> This sounds like security through obscurity, which is generally a bad
> idea.  If an update to record 01231 is going to do something bad, you
> should probably change your server-side process so that's no longer a
> possibility rather than hiding the ID for that record and hoping no
> one finds it.
>
> Peace,
> Scott
>
>
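
Added example, not part of either poster's message: a server-side handler (Node.js) for the recordid-01234 case discussed above, where the div id is bound to the session with an HMAC and the update is still authorized against server-held ownership data. The session ids, users, record owners, signId and handleUpdate are all hypothetical names constructed for illustration.

```javascript
const crypto = require("crypto");

// Constructed sample state; session ids, users and records are hypothetical.
const SERVER_KEY = crypto.randomBytes(32); // stays on the server
const sessions = new Map([["sess-alice", { user: "alice" }], ["sess-bob", { user: "bob" }]]);
const records = new Map([
  ["01234", { owner: "alice", data: "old" }],
  ["01231", { owner: "bob", data: "old" }],
]);

// Build the div id the page would carry: recordid-<n>.<HMAC over session and n>.
function signId(sessionId, recordId) {
  const tag = crypto.createHmac("sha256", SERVER_KEY)
    .update(`${sessionId}\n${recordId}`).digest("hex");
  return `recordid-${recordId}.${tag}`;
}

// Decide an update request; returns an HTTP-style status code.
function handleUpdate(sessionId, divId, newData) {
  const session = sessions.get(sessionId);
  if (!session) return 401; // no server-side state, no update
  const m = /^recordid-(\d+)\.([0-9a-f]{64})$/.exec(divId);
  if (!m) return 400; // bare or malformed id
  const expected = Buffer.from(signId(sessionId, m[1]));
  // Same length by construction, so timingSafeEqual will not throw.
  if (!crypto.timingSafeEqual(expected, Buffer.from(divId))) return 403;
  const record = records.get(m[1]);
  // The check that matters: ownership comes from server data, not from the id.
  if (!record || record.owner !== session.user) return 403;
  record.data = newData;
  return 200;
}
```

The ownership check alone stops the edited id; the HMAC only adds tamper evidence to a value the client can see.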
