Brad Stone wrote:
> ...
> Yes, the web works great for simple order history, customer
> service, and ordering. But that's because these people are
> outside of the business and don't need to know everything to
> the last detail. Just the basics. Perfect fit for the web.
> And the biggest reason, it needs to be an app that everyone
> can get to. Web again is perfect for that because we can't
> control what the customer is using to access the data. We
> can just make sure it's a web browser.
> ...

Forgive me for butting in and nitpicking. While almost everything you say in your note is certainly correct, the last sentence in the above paragraph is not. You just can't guarantee that a hit on your public web site is from a web browser (let alone any particular browser). The request may be coming from any of hundreds of webbots, such as the "Googlebot" or the infamous "email siphon". Or, the request may even be coming from some malicious script kiddie using a tool like your GETURI.

For the benefit of newbies to CGI programming, why is this important to understand? It is vitally important to assume that all inputs are not to be trusted, and to verify all inputs coming into your CGI program. Every parameter name and every parameter value should be checked, otherwise you run the risk of someone crashing your program. In fact, I've seen several RPG CGI programs in published form from various authors that can be easily crashed with invalid input.

(BTW, Perl CGI programmers are familiar with an incredibly useful feature of that language called "taint checking". By using option "-t" on the command, all inputs coming in are considered "tainted" until explicitly accepted. Tainted values cannot be used for many operations where there's risk. Unfortunately, this type of feature is much harder to implement in a compiled language, like RPG, if not impossible.)

The bottom line is this: Regardless of any size limits in your HTML forms, or any validity checking in your client-side scripting, validity checking is a necessity in all CGI programs, since the request may be coming from a source other than a supported browser.

Cheers!
Hans
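As an added illustration of the server-side checking Hans calls for (example code, not from this thread, written in Python rather than RPG or Perl): a validator that treats the raw query string as untrusted and accepts only allowlisted parameter names with values matching a strict pattern, whatever client sent the request. The field names `custno`, `orderno` and `sort` and the limits are constructed for the example.

```python
"""Validate CGI query parameters before the program acts on them.

Every parameter name and value is checked against an allowlist, so the
program behaves the same whether the request came from a browser, a
crawler, or a hand-crafted request from a tool like GETURI."""
import re
from urllib.parse import parse_qsl

# Hypothetical fields for an order-history CGI (constructed for this example).
# Each pattern bounds both the character set and the length of the value.
RULES = {
    "custno": re.compile(r"[0-9]{1,8}"),
    "orderno": re.compile(r"[0-9]{1,10}"),
    "sort": re.compile(r"date|total"),
}
MAX_PARAMS = 10        # more fields than any real form would submit
MAX_QUERY_LEN = 512    # cap checked before any parsing happens


def validate_query(query_string):
    """Return (params, errors); params is empty whenever errors is non-empty."""
    if len(query_string) > MAX_QUERY_LEN:
        return {}, ["query string too long"]
    try:
        # strict_parsing=True rejects malformed pairs such as a bare "custno"
        pairs = parse_qsl(query_string, keep_blank_values=True, strict_parsing=True)
    except ValueError:
        return {}, ["malformed query string"]
    if len(pairs) > MAX_PARAMS:
        return {}, ["too many parameters"]

    params, errors = {}, []
    for name, value in pairs:
        if name not in RULES:                      # names are checked, not just values
            errors.append(f"unexpected parameter: {name!r}")
        elif name in params:                       # a browser form never repeats a field
            errors.append(f"duplicate parameter: {name}")
        # fullmatch, not match with '$': '$' would accept a trailing newline
        # smuggled in as %0a, which is exactly the kind of input that crashes
        # a program expecting a plain number.
        elif not RULES[name].fullmatch(value):
            errors.append(f"invalid value for {name}")
        else:
            params[name] = value
    return ({} if errors else params), errors
```

Percent-encoded values are decoded before checking, so `sort=d%61te` is accepted as `date` while `custno=123%0a` is rejected.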
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.