[ic] perl code in mv_check gets executed despite verification failure
Ed LaFrance
interchange-users@icdevgroup.org
Thu Feb 20 12:50:00 2003
At 05:35 PM 02/20/2003 +0000, you wrote:
>Ed LaFrance wrote:
>
>>At 10:51 AM 02/20/2003 +0000, you wrote:
>>
>>>Ed LaFrance wrote:
>>>
>>>>
>>>>mv_check execution is not predicated on all form checks passing
>>>>successfully; mv_check gets parsed after IC data structures are updated
>>>>by the from submission, that is all. Your explanation above does not
>>>>clearly explain how you expect to conditionally parse the mv_check
>>>>target. As is always the case with Interchange, there are many ways.
>>>>For instance, you could use &success=somepage to pass execution through
>>>>somepage.html if the form passes all checks, and execute your code there.
>>>>
>>>>- Ed L.
>>>
>>>Problem with that is that people would be able to get at somepage.html
>>>and execute the code anyway:(
>>>
>>>thanks for the help
>>>
>>>John
>>
>>
>>That can be prevented; for instance:
>>
>>[set yourprofile]
>> ...
>> &success=../special_pages/somepage.html
>>[/set]
>>
>>..AFAIK it is not possible to get a page from the special_pages dir by
>>constructing a simple URL with no query strings, so that would prevent
>>people from arbitrarily hitting it. To stop someone who might be inclined
>>to send a form via a query string to get at it, you can just use &calc to
>>set a flag in the profile to show that execution was sent to the special
>>page from the proper method:
>>
>>[set yourprofile]
>> &calc = delete $CGI->{ok_to_parse}; 1; # can't hurt, I would think
>> ...
>> &success=../special_pages/somepage.html
>> &calc = $CGI->{ok_to_parse} = '1';
>>[/set]
>>
>>...then on special_pages/somepage.html
>>
>>[if cgi ok_to_parse]
>> # do stuff
>>[else]
>> # hey, get lost!
>> [bounce page=index]
>>[/else]
>>[/if]
>
>I know I'm stretching the point a little here.
I would be inclined to agree...
>but if i understand that, then somebody could (if they knew what was
>required) set ok_to_parse in the query string, no?
>
>thanks
>
>John
Yes, if they knew of its existence. The var could also be named
oi2457093qfbdwyfq209tr093rhfe, which would make guessing rather difficult.
Or you could use the scratch space instead:
[set yourprofile]
 &calc = delete $Scratch->{ok_to_parse}; 1;
 ...
 &success=../special_pages/somepage.html
 &calc = $Scratch->{ok_to_parse} = '1';
[/set]
...then on special_pages/somepage.html
[if scratch ok_to_parse]
 [set ok_to_parse][/set]
 # do stuff
[else]
 # hey, get lost!
 [bounce page=index]
[/else]
[/if]
- Ed L.
===============================================================
New Media E.M.S. Technology Solutions for Business
463 Main St., Suite D eCommerce | Consulting | Hosting
Placerville, CA 95667 edl@newmediaems.com
(530) 622-9421 http://www.newmediaems.com
(866) 519-4680 Toll-Free (530) 622-9426 Fax
===============================================================
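The difference between the two gates discussed in this thread, as an added example that is not part of the original post or of Interchange itself: plain Perl hashes stand in for Interchange's $CGI (request data the client controls) and $Scratch (session data only server-side code writes), and the functions run_profile(), special_page_cgi_gate() and special_page_scratch_gate() are hypothetical stand-ins for the profile and the two versions of special_pages/somepage.html.

```perl
#!/usr/bin/perl
# Added example (not from the thread or the Interchange code base).
# Simulates why the flag that gates special_pages/somepage.html belongs in
# $Scratch (server-side session state) rather than $CGI (client-supplied
# form/query data). The two hashes and the three functions below are
# assumptions standing in for Interchange's real profile machinery.
use strict;
use warnings;

# %CGI is whatever arrived in the request; %Scratch is written only by
# server-side code (the profile's &calc lines).
my %CGI;
my %Scratch;

# Mirrors the order of the profile in the post:
#   &calc = delete $Scratch->{ok_to_parse}; 1;
#   ... form checks ...
#   &success=../special_pages/somepage.html
#   &calc = $Scratch->{ok_to_parse} = '1';
# Returns the page execution is routed to.
sub run_profile {
    my ($checks_pass) = @_;
    delete $Scratch{ok_to_parse};        # clear any stale flag first
    return 'form_failed' unless $checks_pass;
    $Scratch{ok_to_parse} = '1';         # set only on the success path
    return 'special_pages/somepage';
}

# Weak gate: [if cgi ok_to_parse] trusts whatever the client sent.
sub special_page_cgi_gate {
    return $CGI{ok_to_parse} ? 'ran_protected_code' : 'bounced_to_index';
}

# Strong gate: [if scratch ok_to_parse][set ok_to_parse][/set] ...
# The flag is cleared on first use, so reloading the page cannot rerun
# the protected code without going through the profile again.
sub special_page_scratch_gate {
    return 'bounced_to_index' unless $Scratch{ok_to_parse};
    delete $Scratch{ok_to_parse};
    return 'ran_protected_code';
}

# 1. The page is requested directly with ok_to_parse=1 in the query string,
#    without the form ever having been submitted.
%CGI     = (ok_to_parse => '1');
%Scratch = ();
printf "direct hit, cgi gate:     %s\n", special_page_cgi_gate();
printf "direct hit, scratch gate: %s\n", special_page_scratch_gate();

# 2. The form is submitted but a check fails: the flag is never set.
%CGI = (ok_to_parse => '1');
my $target = run_profile(0);
printf "checks fail -> %s, scratch gate: %s\n",
    $target, special_page_scratch_gate();

# 3. All checks pass: the flag is set server-side and honoured once.
%CGI   = ();
$target = run_profile(1);
printf "checks pass -> %s, first hit: %s, reload: %s\n",
    $target, special_page_scratch_gate(), special_page_scratch_gate();
```

Run it with `perl somepage_gate.pl`. Case 1 shows the CGI-keyed gate opening for a request that never passed the profile while the scratch-keyed gate bounces it; cases 2 and 3 show the scratch flag being set only on the success path and consumed on first use.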