Posted to modperl@perl.apache.org by co...@collegeclub.com on 2000/11/11 22:51:50 UTC

question on DBIx::Recordset PrevNextForm

Is there any way to hide the form data that the DBIx::Recordset
PrevNextForm function generates?  I just noticed that if someone does a
"view source," the user can view your db connection, username, password,
etc.  That doesn't seem very secure even though this is a pretty cool
subroutine to have.  I'm using embed perl to handle these requests so
perhaps there might be another mechanism that works with DBIx::Recordset
that does the same thing without having to write that kind of sensitive
information as hidden fields?  Thanks





Re: question on DBIx::Recordset PrevNextForm

Posted by Gerald Richter <ri...@ecos.de>.
> Is there any way to hide the form data that the DBIx::Recordset
> PrevNextForm function generates?  I just noticed that if someone does a
> "view source," the user can view your db connection, username, password,
> etc.  That doesn't seem very secure even though this is a pretty cool
> subroutine to have.  I'm using embed perl to handle these requests so
> perhaps there might be another mechanism that works with DBIx::Recordset
> that does the same thing without having to write that kind of sensitive
> information as hidden fields?  Thanks
>

Normally there is no sensitive data in hidden fields. The hidden fields only
contain the data you send to the page. That means when you request the page
with a link http://host/db.epl?username=foo&password=secret you will find
the username and the password in the hidden fields, but that's not the fault
of DBIx::Recordset. More exactly, DBIx::Recordset uses the values from
%fdat, so if you add your username and your password to %fdat, they will
also appear in the hidden fields. In this case either delete them from %fdat
before you call PrevNextForm or, better, never put them in.

Gerald


-------------------------------------------------------------
Gerald Richter    ecos electronic communication services gmbh
Internetconnect * Webserver/-design/-datenbanken * Consulting

Post:       Tulpenstrasse 5         D-55276 Dienheim b. Mainz
E-Mail:     richter@ecos.de         Voice:    +49 6133 925151
WWW:        http://www.ecos.de      Fax:      +49 6133 925152
-------------------------------------------------------------
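Gerald's point, that the hidden fields simply mirror whatever is in %fdat, as an added Perl example that is not part of this thread and not DBIx::Recordset's own code: a minimal stand-in for the hidden-field generation, the leaky call, and the same call after credentials have been stripped from %fdat. The request data, the list of sensitive parameter names and the config-file remark are assumptions.

```perl
use strict;
use warnings;

# Constructed request data: what Embperl puts into %fdat for a request like
# db.epl?username=foo&password=secret&$start$=20&sort=name
my %fdat = (
    username  => 'foo',
    password  => 'secret',
    '$start$' => 20,
    sort      => 'name',
);

# Hypothetical list of parameters that must never travel through the browser.
my @SENSITIVE = qw(username password dsn);

sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g; $s =~ s/</&lt;/g; $s =~ s/>/&gt;/g; $s =~ s/"/&quot;/g;
    return $s;
}

# Stand-in for what a PrevNextForm-style helper does with %fdat: every
# key/value becomes a hidden field so the next request carries the same state.
# Same behaviour as the module, not its code.
sub hidden_fields {
    my ($data) = @_;
    my $html = '';
    for my $key (sort keys %$data) {
        $html .= sprintf qq{<input type="hidden" name="%s" value="%s">\n},
            html_escape($key), html_escape($data->{$key});
    }
    return $html;
}

# The fix Gerald describes: drop credentials from %fdat before the form is
# built (better still, never read them from the request at all).
sub strip_sensitive {
    my ($data) = @_;
    my %clean = %$data;
    delete @clean{@SENSITIVE};
    return \%clean;
}

# Leaky: username and password end up in the page source.
print "--- before ---\n", hidden_fields(\%fdat);
# Safe: only the paging and sort state survives.
print "--- after ---\n",  hidden_fields(strip_sensitive(\%fdat));
# Credentials belong server-side, e.g. read from a config file into
# DBI->connect($dsn, $user, $pass), so they are never part of %fdat.
```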