Saving Browser State without Cookies

Paul Rubin phr-n2002a at nightsong.com
Wed Feb 6 08:43:07 EST 2002


gerson.kurz at t-online.de (Gerson Kurz) writes:
> Here is a very simple example:...
> # decode "cmd" arg
> def GetArguments(form):
>     result = { 'value':1 }
>     if form.has_key('cmd'):
>         try:
>             new_dict = eval(binascii.a2b_hex(form['cmd'].value))
>             ... 

NOOOOO!!!!  You can't let the client upload arbitrary stuff and eval
it in your Python app.  That allows a malicious client to totally
take over your server.

You also can't put the server side database password in that client
side structure, unless you want the client to be able to read it,
via "View Source" or by intercepting the http stream.

Please be careful about security when writing stuff like this!!!
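A safe counterpart to the quoted GetArguments, added here as an example and not part of the original thread: the client-side state is carried as JSON with an HMAC tag instead of a hex-encoded Python expression, so the server parses it with json.loads and never calls eval on client data. It assumes `form` is a plain dict of strings (rather than a cgi.FieldStorage) and a placeholder SERVER_SECRET.

```python
import binascii
import hashlib
import hmac
import json

# Placeholder: in a real deployment load a random secret from server-side config.
SERVER_SECRET = b"replace-with-a-random-server-side-secret"

# Same default the quoted code starts from.
DEFAULT_STATE = {'value': 1}


def encode_state(state, secret=SERVER_SECRET):
    """Serialize state as JSON, sign it, and hex-encode it for the 'cmd' field.

    The tag only proves the server produced this state; it does not hide it.
    Anything placed here (e.g. a database password) is readable by the client.
    """
    payload = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return binascii.hexlify(payload).decode() + "." + tag


def decode_state(cmd, secret=SERVER_SECRET):
    """Return the state dict if cmd is well-formed and correctly signed, else None."""
    if not isinstance(cmd, str):
        return None
    try:
        hex_payload, tag = cmd.split(".", 1)          # ValueError if no tag present
        payload = binascii.unhexlify(hex_payload)      # binascii.Error is a ValueError
    except ValueError:
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison; a forged or edited payload fails here before parsing.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    try:
        state = json.loads(payload)                    # data only, no code execution
    except ValueError:
        return None
    return state if isinstance(state, dict) else None


def get_arguments(form):
    """Safe replacement for the quoted GetArguments: no eval() of client input."""
    result = dict(DEFAULT_STATE)
    if 'cmd' in form:
        state = decode_state(form['cmd'])
        if state is not None:
            result.update(state)
    return result
```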
