Hi Markus --

> I would like to know if there are any recommendations for Modules
> regarding the integrity of parameters i.e. to make sure the user has
> not tried to tamper with the query string.
>
> I stumbled across CGI::EncryptForm, but I don't know if it really
> integrates smoothly with C::A, or if there are other maybe better
> solutions.

I'm sure that there are some modules which promise to do this, but I've not used any.

One tried-and-true technique is to send two versions of each variable -- the first one as clear-text, and the second one encrypted via a one-way mechanism, such as MD5, to act as a checksum. The MD5'd version would use a secret key which would be added before encryption. The key would be stored in your Perl module code, ensuring that the user doesn't know it. When you receive back a variable which has been "secured" via this mechanism you would then re-encrypt the clear-text version you receive and compare it to the encrypted checksum which you have also received. If they match, then you can be reasonably sure that the data has not been tampered with.

OTOH, it may serve you well to figure out if this is really something you need to do. If all you're doing is securing data which was provided by the user in the first place, it may not really serve any purpose to ensure that the user hasn't "changed their mind". Most of the time my interest is only in verifying that data I get is not out of bounds. For instance, if the user has a choice from an HTML drop-down, I might want to check on the server side to validate that the form data I'm getting is one of the valid enumerated values. For that type of checking there is a module which seems to be popular on this list, and is maintained by a member: "Data::FormValidator". I think it's worth taking a look at.
TTYL,

-Jesse-

--
Jesse Erlbaum
The Erlbaum Group
suppressed
Phone: 212-684-6161
Fax: 212-684-6226
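The two-parameter scheme Jesse describes, as an added example in Perl that is not from his mail or from any module named in the thread. It swaps the keyed MD5 for an HMAC (Digest::SHA, a core module) over the field name and value, since a plain hash of secret-plus-data is a weaker construction than an HMAC, and it compares checksums in constant time; $SECRET, sign_field, verify_field and the "_sig" parameter suffix are names assumed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Server-side secret; in a real app load it from config outside the docroot.
# (Placeholder value, constructed for this example.)
my $SECRET = 'replace-with-a-long-random-secret';

# Checksum for one field: a keyed hash over the field name and its
# clear-text value. Binding the name stops a valid "product_id" checksum
# from being replayed on a different field such as "price".
sub sign_field {
    my ($name, $value) = @_;
    return hmac_sha256_hex("$name=$value", $SECRET);
}

# The two query-string parameters the post describes: the clear-text
# value and its checksum (here as <name>_sig).
sub signed_params {
    my ($name, $value) = @_;
    return ($name => $value, "${name}_sig" => sign_field($name, $value));
}

# Constant-time equality so the comparison itself does not reveal how
# many leading characters of a forged checksum happened to be right.
sub _eq_ct {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# On the way back in: recompute from the received clear-text value and
# compare with the received checksum. True only on an exact match.
sub verify_field {
    my ($name, $value, $sig) = @_;
    return 0 unless defined $value && defined $sig;
    return _eq_ct(sign_field($name, $value), $sig);
}

# Constructed round trip: the genuine pair verifies, a changed value fails.
my %q = signed_params('product_id', '42');
print "genuine:  ", (verify_field('product_id', $q{product_id}, $q{product_id_sig}) ? "ok" : "FAIL"), "\n";
print "tampered: ", (verify_field('product_id', '43', $q{product_id_sig}) ? "ok" : "FAIL"), "\n";
```

The checksum only proves the server produced the value; as Jesse notes, data that came from the user in the first place still needs range or enumeration validation on the way back in.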