[Javascript] Maximum length of an id

Terry Riegel riegel at clearimageonline.com
Tue Sep 11 13:23:50 CDT 2007


I don't use SQL, so not trying to prevent this. Finding the encrypted  
ID now and submitting it is what the page would be designed to do. I  
wouldn't want that ID to be changed to allow changing other data.

Terry




On Sep 11, 2007, at 1:48 PM, Peter Brunone wrote:

>
>     If you're worried about SQL injection, why wouldn't you just  
> take care of that when designing your server-side code?
>
>     Besides, couldn't someone just write a parser that takes your  
> HTML and finds whatever the encrypted ID is now... and then uses  
> *that* to submit whatever data they want?
>
> From: Terry Riegel <riegel at clearimageonline.com>
>
> The reason for encrypting is because the id would "mean" something to
> the server, and someone could determine what it means to the server
> and change it to get the server to do something the page never wanted
> it to do.
>
> I think I can illustrate by showing an example without an encrypted  
> id.
>
>
> This is the data from my database. It is record number 01234
>
>
> If I take this example and then write some snazzy Javascript to post
> new data to the server, then I have just exposed my database. All
> someone would have to do is determine how my post is working and
> change recordid-01234 to recordid-01231 or something like that.
>
> Does that make sense?
>
> Terry
>
>
>
>
> On Sep 7, 2007, at 3:38 PM, Terry Riegel wrote:
>
> > Hello all,
> >
> > I am working on a text editing mechanism for my web sites. I am
> > looking at something like
> >
> >
>
> > My editable text will be here
> >
>
> >
> > I plan on encrypting the ID so that it couldn't be meddled with and
> > save to some other area of the site. I have several ideas for how
> > this will work, and am open to any suggestions on that aspect
> > (encrypting the id that is).
> >
> > My main question for this group is, is there any limit on the number
> > of characters that can be found in an ID attribute?
> >
> >
> > Thanks,
> >
> > Terry Riegel
> > _______________________________________________
> > Javascript mailing list
> > Javascript at lists.evolt.org
> > http://lists.evolt.org/mailman/listinfo/javascript
> >
>
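
The tamper check discussed in this thread, as an added example (not code from either poster): rather than encrypting the id, the server appends an HMAC computed over the record id and the session the page was issued to, and rejects any submitted id whose MAC does not verify. The key, the `recordid-<n>.<mac>` layout and the session ids are assumptions made for the illustration.

```javascript
const crypto = require('crypto');

// Constructed demo key (assumption). A real deployment loads a random
// secret from server-side configuration and never sends it to the browser.
const SERVER_KEY = Buffer.from('constructed-demo-key-not-for-production');

// HMAC-SHA256 over the record id and the session it was issued to.
// Fields are length-prefixed so ("12","34") and ("1","234") cannot collide.
function mac(recordId, sessionId) {
  const msg = `${recordId.length}:${recordId}|${sessionId.length}:${sessionId}`;
  return crypto.createHmac('sha256', SERVER_KEY).update(msg).digest('hex');
}

// Value the server writes into the page as the element id,
// e.g. id="recordid-01234.<64 hex chars>" (hypothetical layout).
function issueElementId(recordId, sessionId) {
  return `recordid-${recordId}.${mac(recordId, sessionId)}`;
}

// Returns the record id when the submitted element id is unmodified and
// was issued to this session; returns null for anything else.
function verifyElementId(elementId, sessionId) {
  const m = /^recordid-([0-9]{1,10})\.([0-9a-f]{64})$/.exec(String(elementId));
  if (!m) return null;                       // malformed or unsigned id
  const expected = Buffer.from(mac(m[1], sessionId), 'hex');
  const supplied = Buffer.from(m[2], 'hex'); // both are 32 bytes here
  return crypto.timingSafeEqual(expected, supplied) ? m[1] : null;
}

// Constructed sample values: record 01234 issued to session "sess-A".
console.log(verifyElementId(issueElementId('01234', 'sess-A'), 'sess-A'));
console.log(verifyElementId('recordid-01231.' + '0'.repeat(64), 'sess-A'));
```

A valid MAC only shows that the server issued this id to this session; the server-side handler still has to decide whether that user may edit the record.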
