RE: [Templates] Objects as hidden variables?


From: Simon Matthews
Subject: RE: [Templates] Objects as hidden variables?
Date: 12:34 on 18 Dec 2004

> -----Original Message-----
> From: Larry Leszczynski [mailto:larryl@xxxxxxxxx.xxx] 
> Sent: 17 December 2004 19:15
> To: Jonathan Mangin
> Cc: Sean Kellogg; templates@xxxxxxxxxxxxxxxx.xxx
> Subject: Re: [Templates] Objects as hidden variables?
>
> Depending on how big your session object is and what kind of stuff is in
> it, another thing you could try is to serialize the entire session into a
> string and use that as your hidden variable, and then unserialize when the
> form is submitted.  You could use something like the Storable module's
> freeze and thaw methods, or maybe the Data::Serializer module:
>
> http://search.cpan.org/~neely/Data-Serializer-0.28/lib/Data/Serializer.pm

You really, really don't want to do this.  Never trust anything that is sent
from the Browser.  Whilst it seems like a good idea, the security holes are
endless.  Using this method when the data is stored server-side is fine, but
when you are giving the end user the opportunity to change it you are asking
for trouble.

S
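An added illustration of the point above (example code, not from anyone in the thread): if serialised state does go into a hidden field, the server must at least be able to tell when the browser has altered it, which means attaching a MAC under a server-side secret and checking it before the data is used. It assumes a placeholder `$SECRET` and uses JSON rather than Storable, because thawing Storable data that came from the client is unsafe (Storable's own documentation warns against deserialising untrusted input).

```perl
#!/usr/bin/perl
# Added example, not code from the thread: a signed hidden form field.
# Assumes a server-side secret in $SECRET (placeholder value below).
# JSON::PP, Digest::SHA and MIME::Base64 are all core Perl modules.
use strict;
use warnings;
use JSON::PP ();
use Digest::SHA qw(hmac_sha256);
use MIME::Base64 qw(encode_base64 decode_base64);

my $SECRET = 'replace-with-a-long-random-server-side-secret';   # placeholder

# Serialise a session hash into "payload.mac" for use as a hidden field.
sub pack_session {
    my ($session) = @_;
    my $json    = JSON::PP->new->canonical->encode($session);
    my $payload = encode_base64($json, '');
    my $mac     = encode_base64(hmac_sha256($payload, $SECRET), '');
    return "$payload.$mac";
}

# Constant-time comparison so a wrong MAC is not detectable via timing.
sub same_bytes {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Unpack a submitted field; returns undef if it no longer matches its MAC.
sub unpack_session {
    my ($field) = @_;
    my ($payload, $mac) = split /\./, $field, 2;
    return undef unless defined $payload && defined $mac;
    my $expected = encode_base64(hmac_sha256($payload, $SECRET), '');
    return undef unless same_bytes($mac, $expected);
    return JSON::PP->new->decode(decode_base64($payload));
}

my $field = pack_session({ user => 'jmangin', role => 'user' });
print "round trip ok\n" if unpack_session($field)->{role} eq 'user';

# A payload changed in the browser no longer matches its MAC and is rejected.
(my $edited = $field) =~ s/^[^.]*/encode_base64('{"role":"admin","user":"jmangin"}', '')/e;
print "tampered field rejected\n" unless defined unpack_session($edited);
```

The MAC only detects modification; the contents are still readable by the user and can be replayed from an older form, so anything secret or state that must not be rolled back still belongs in server-side storage with an opaque session id in the field, as the reply above recommends.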



_______________________________________________
templates mailing list
templates@xxxxxxxxxxxxxxxx.xxx
http://lists.template-toolkit.org/mailman/listinfo/templates

[Templates] Objects as hidden variables?
Jonathan Mangin 17:08 on 17 Dec 2004

Re: [Templates] Objects as hidden variables?
Sean Kellogg 17:16 on 17 Dec 2004

Re: [Templates] Objects as hidden variables?
Jonathan Mangin 17:32 on 17 Dec 2004

Re: [Templates] Objects as hidden variables?
Larry Leszczynski 19:14 on 17 Dec 2004

Re: [Templates] Objects as hidden variables?
Sean Kellogg 19:36 on 17 Dec 2004

Re: [Templates] Objects as hidden variables?
Jonathan Mangin 19:49 on 17 Dec 2004

Re: [Templates] Objects as hidden variables?
Trond Michelsen 00:42 on 18 Dec 2004

Re: [Templates] Objects as hidden variables?
merlyn (Randal L. Schwartz) 03:30 on 18 Dec 2004

RE: [Templates] Objects as hidden variables?
Simon Matthews 12:34 on 18 Dec 2004

Generated at 08:55 on 15 Mar 2005 by mariachi v0.52