
Re: [cgiapp] Hiding Params in url


> Can you not encrypt the param to make it "harder" to get the gist of
> what it does?

You can.  This only makes affecting your system as easy/hard as figuring
out your algorithm.  Historically, that's no real protection at all.
The user can feed in some values, see what encrypted values come out,
and start breaking your system.

This might keep Joe User from altering the param, but really, Joe User
wasn't the one you were worried about.  Jane User can devote an hour to
reverse engineer your algorithm, and can then do as she wishes.
Meanwhile, you're feeling "safe".

This sort of thing IS done, but the responsible places that do it
usually have some other check involved as well.

> Instead of a normal rm?=home type URL? Would that help? Or is that
> foolishness?

Not foolish to think of, no.  Quite reasonable.  But foolish to trust,
yes.

(Disclaimer: I have no idea how one would go about reverse engineering
any algorithm more complicated than ROT13, but people with a lot more
security knowledge than I don't trust this sort of thing, and I trust
them)

-- 
SwiftOne  /  Brett Sanger
suppressed   

---------------------------------------------------------------------
Web Archive:  http://www.mail-archive.com/suppressed/
              http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2
To unsubscribe, e-mail: suppressed
For additional commands, e-mail: suppressed
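The "other check" the reply alludes to is the part that actually matters: encrypting or obfuscating a parameter hides its value, but it does nothing to stop a user from altering it, whereas a message authentication code lets the server detect any altered parameter whether or not the user can read it. The following is an added example of such a check and is not code from the original post or from CGI::Application; it is written in Python rather than Perl, and the secret key, the `sig` parameter name and the sample `rm`/`user` values are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed server-side secret for this example. A real deployment loads it
# from configuration on the server; it never travels in the URL.
SECRET_KEY = b"example-secret-key-do-not-use"


def _canonical(params: dict) -> bytes:
    """Serialise the parameters in a fixed order so signer and verifier
    always hash the same bytes regardless of how the browser orders them."""
    return urlencode(sorted(params.items())).encode()


def _tag(params: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical form, encoded for safe use in a URL."""
    digest = hmac.new(key, _canonical(params), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def sign_params(params: dict, key: bytes = SECRET_KEY) -> str:
    """Build a query string carrying the parameters plus an authentication tag.

    The parameters stay readable (rm=home is still rm=home); what the tag
    provides is integrity, not secrecy, which is the property that stops
    tampering."""
    signed = dict(params)
    signed["sig"] = _tag(params, key)
    return urlencode(sorted(signed.items()))


def verify_query(query: str, key: bytes = SECRET_KEY):
    """Parse an incoming query string and return its parameters only if the
    tag matches; return None for a missing, forged or stale tag."""
    parsed = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    presented = parsed.pop("sig", None)
    if presented is None:
        return None
    # compare_digest runs in constant time so the comparison itself does not
    # reveal how many leading characters of a guessed tag were correct.
    if not hmac.compare_digest(presented, _tag(parsed, key)):
        return None
    return parsed


if __name__ == "__main__":
    url_query = sign_params({"rm": "home", "user": "42"})
    print("issued:  ", url_query)
    print("accepted:", verify_query(url_query))
    # A user who edits the parameter without knowing the key is rejected.
    print("tampered:", verify_query(url_query.replace("user=42", "user=1")))
```

Because `sign_params` and `verify_query` hash the same canonical serialisation, a parameter may be reordered, re-encoded or repeated by the client without breaking verification, but changing any value, dropping the tag, or signing with a different key all cause `verify_query` to return `None`, at which point the application should fall back to its default run mode rather than trust the request.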

