Preventing saved web pages submitting data

Hi,
whilst someone was messing around with a simple site I built
(literally just a guestbook thing using all the DW behaviours) they
found something I hadn't really thought about.
They could save the web page with the form on, to their
desktop. They could then use this saved form to submit data to the
webserver.
This got me thinking. If I was to use hidden form elements to
control the behaviour of the submitted data (for example, <input
name="dataaction" value="add">), in theory someone could save
the page, change the value to 'delete' and I don't really need to
say any more!
So my question is this - what's the best way to make sure
only pages served by the webserver can do anything (to disable
pages being able to be saved and edited)? I guess this can also
apply to URL tampering...
HTTP_REFERRER seems to be a little unreliable!
I'd rather know how to do this using DW behaviours or
something, but if not then any solution will do.
I'm interested in solutions for ASP and PHP.
Thanks in advance.

quote:
Originally posted by: Newsgroup User
New Guy wrote:
> they shouldn't be able to download your whole page- just the html part.
> Hence- No functionality.
Not true. All that the attacker needs to do is to change the value of
the action attribute to the URL, and the form data will be accepted.
Using a hidden field that would permit anyone to change the SQL query
from INSERT to DELETE is simply asking for trouble. Permission to
delete should be restricted to registered users on a password-protected
part of the site.
David Powers, Adobe Community Expert
Author, "Foundation PHP for Dreamweaver 8" (friends of ED)
Author, "PHP Solutions" (friends of ED)
http://foundationphp.com/

David,
I agree with the permissions thing and I think for the most
part what I'm thinking about is probably redundant.
I guess this is more of an exercise to see if there's a way
to make sure form submissions only come from the "correct" place as
a means of adding extra security.
Thinking about the original example I gave, using hidden form
fields to change the query type is not really an issue as a) all
query types would only execute depending upon user credentials
(login, user level, session, etc), and b) I tend to use different
database connections depending upon the userlevel and query type.
But I do still have an interest in resolving how to make sure
forms only "work" when submitted from a certain place.
Cheers,
- B
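
An added example, not part of the original thread or any poster's code: a PHP form handler that accepts a submission only when it carries a token issued to the same session, and that decides the permitted action from the session rather than from the hidden `dataaction` field. The session keys, function names and the `user_level` values are assumptions for illustration.

```php
<?php
// Added example (not from the thread). Session keys, function names and
// the 'user_level' values are assumptions for illustration.
session_start();

// Issue one unpredictable token per session and embed it in the served form.
function form_token(): string
{
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'];
}

// Accept a POST only if it carries the token this session was given.
function token_is_valid(array $post): bool
{
    $sent  = $post['form_token'] ?? '';
    $known = $_SESSION['form_token'] ?? '';
    return is_string($sent) && $known !== ''
        && hash_equals($known, $sent); // constant-time comparison
}

// The hidden "dataaction" value is only a request; the session decides.
function action_is_allowed(string $action): bool
{
    $level   = $_SESSION['user_level'] ?? 'guest';
    $allowed = ['guest' => ['add'], 'admin' => ['add', 'delete']];
    return in_array($action, $allowed[$level] ?? [], true);
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $action = is_string($_POST['dataaction'] ?? null) ? $_POST['dataaction'] : '';
    if (!token_is_valid($_POST) || !action_is_allowed($action)) {
        http_response_code(403);
        exit('Rejected');
    }
    // Token and permission both check out: carry out $action here.
    exit('Saved');
}
?>
<form method="post">
  <input type="hidden" name="form_token" value="<?= htmlspecialchars(form_token(), ENT_QUOTES) ?>">
  <input type="hidden" name="dataaction" value="add">
  <textarea name="message"></textarea>
  <button type="submit">Sign guestbook</button>
</form>
```

A visitor can still save the page and post from the copy while their session lasts; the token only ties the submission to a session the server issued, so the permission check is what stops an edited `dataaction` value.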
