Date: 09/13/00
On Wed, Sep 13, 2000 at 12:59:16AM +0200, R.B. Scholtus wrote:
> If users have telnet access they can read your database passwords and
> change anything they want. we have discussed this before and the only
> solution is to disable telnet access.
I'm not allowing telnet to anyone. I'm using telnet to fake a web client.
Just do "telnet www.cnn.com 80" and type "GET / HTTP/1.1" and you are doing
_exactly_ the same as Netscape would be doing. That's the beauty of
open Internet standards, you can look into them as deep as you want.
> You can check the referrer and find out if the form data is from a local
> file or from the real website, but you have a good point!!!
I can also fake a referer via telnet. Also, what do you do with people who
access your page via proxies which filter the Referer information?
> ps. what email program are you using? i receive all your mail as
> attachments :-)
Then you are probably using Outlook, which is the only client I know that
cannot deal with digital signatures. In times of Echelon and Carnivore, I
like to have at least a _little_ security against some idiot forging posts
under my address and me getting blamed. (Yes, this has already happened.)
Also, almost all of my private mail is sent and received in encrypted form.
Outlook apparently does not support these security features. Microsoft
again seems to boycott public standards (RFC2015). 'Nuff said.
I'm told there are third-party PGP plugins for it available, however.
If this is really a problem, I'll switch it off - but I wouldn't like to
...
--
"All sorts of things ought to be done to the person responsible for ILOVEYOU, but probably his company will merely be split in two." -- Usenet
http://www.linuxfaq.de http://www.hitchhikers.de http://www.pinguin.conetix.de
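Added example, not part of the original message: a local Python test server that accepts a form POST only when the Referer header points at its own site, and a hand-written socket client standing in for the telnet session described above. The site name `http://shop.example/`, the path `/order` and the form field are constructed for illustration.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

TRUSTED_PREFIX = "http://shop.example/"  # constructed site name (assumption)

class RefererGate(BaseHTTPRequestHandler):
    """Accepts a form POST only if Referer points at our own site."""
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        self.rfile.read(length)  # consume the form body
        ok = self.headers.get("Referer", "").startswith(TRUSTED_PREFIX)
        self.send_response(200 if ok else 403)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def raw_post(port, referer=None):
    """Send a hand-typed HTTP request over a plain socket; return the status code."""
    body = b"field=value"  # constructed form data
    lines = ["POST /order HTTP/1.1", "Host: localhost",
             f"Content-Length: {len(body)}", "Connection: close"]
    if referer is not None:
        lines.append(f"Referer: {referer}")  # just text chosen by the sender
    request = "\r\n".join(lines).encode() + b"\r\n\r\n" + body
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(request)
        reply = b""
        while chunk := s.recv(4096):
            reply += chunk
    return int(reply.split()[1])  # "HTTP/1.0 200 OK" -> 200

def demo():
    server = HTTPServer(("127.0.0.1", 0), RefererGate)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    try:
        return {
            # Non-browser client that simply types the expected header.
            "hand_typed_with_referer": raw_post(port, TRUSTED_PREFIX + "form.html"),
            # Genuine visitor whose proxy filtered the header out.
            "real_user_behind_stripping_proxy": raw_post(port),
        }
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo())
```

The hand-typed request is accepted and the header-less one is rejected, so the check fails in both directions: it cannot tell a browser from any other client, and it turns away visitors whose proxy filters the Referer.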

