On Tue, 13 Jul 2004 17:53:57 -0300, "Hernán Castelo"
<hc******@cedi.frba.utn.edu.ar> wrote:
thanks
but
what do you mean
when you say: "trust but verify"?
what is "verify" in this case?
Apologies, possibly a US only term.
This means no matter how much you trust a source as being valid,
always verify what you get from that source.
in a newer post
i'm ask if, because the same reason
i need to validate "all " the elements
that i REQUEST at the server side...
(like "Cookies", yes)
and also all the "INPUT" elements
i retrieve with "Request.Form",
being "Text" or "Select" or "Hidden" or whatever
Anything done on the client can be spoofed or faked at the client end
as well. You can never control the client. So you always need to
control what comes back to the server.
I saw one post that said to verify all the elements you're going to
use, but I'd say you should not request anything you wouldn't use.
Verification means simple things as well as complex. Is it a numeric
filed? Then don't accept non-numeric characters. Have they entered
quotes? Then escape them if you're using them in code. Have they
entered 500 characters for a field that only accepts 24? Trim it to
24 or reject it and make them re-enter it. This last should be
checked on the client *and* the server, the client for entry of more
than the limit for the field, and the server for the same thing, since
you can't guarantee the request they sent actually came from your
form, or was manually entered.
Jeff
