6 Apr 2000, 5:35 a.m.
On Wed, 05 Apr 2000, you wrote:
a.wacknitz@francotyp.com wrote:
> But isn't this a security hole? I don't want a user who guesses the name of the method to call the method with arbitrary parameters and do things he is not supposed to do...

If you have your DTML accessible to anon users then sure, anybody can for instance view the form source and use http module to execute your scripts. If you set the right permissions only for valid users then you are better off. As a thumb rule it is always good to add authorisation check and other logic to all scripts that update a db.
########################## necessity is the mother of invention ##########################
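
The advice in the reply above, as an added example that is not part of the original message and does not use Zope's own API: a small Python model in which methods are callable by name, each declares the roles allowed to call it, and the script that updates the database repeats the authorisation check itself. The names `published`, `call`, `update_price`, `list_prices`, the `prices` table and the two sample users are all constructed for illustration.

```python
import sqlite3

class Unauthorized(Exception):
    """Raised when the caller lacks a role the method requires."""

# Constructed stand-in for an object publisher: every entry is reachable by
# name, so each one declares the roles that are allowed to call it.
PUBLISHED = {}

def published(*roles):
    def register(func):
        PUBLISHED[func.__name__] = (func, frozenset(roles))
        return func
    return register

@published("Anonymous", "Manager")
def list_prices(db, user):
    return db.execute("SELECT item, price FROM prices ORDER BY item").fetchall()

@published("Manager")
def update_price(db, user, item, price):
    # Second check inside the script itself, so the update stays protected
    # even if the published permissions are loosened or bypassed.
    if "Manager" not in user["roles"]:
        raise Unauthorized("update_price requires Manager")
    price = float(price)  # request parameters arrive as strings
    if price < 0:
        raise ValueError("price must be non-negative")
    cur = db.execute("UPDATE prices SET price = ? WHERE item = ?", (price, item))
    return cur.rowcount

def call(db, user, name, **params):
    """Dispatch a request by method name, enforcing the declared roles."""
    if name not in PUBLISHED:
        raise Unauthorized("no such method")
    func, roles = PUBLISHED[name]
    if not roles & set(user["roles"]):
        raise Unauthorized(f"{user['name']} may not call {name}")
    return func(db, user, **params)

def make_db():
    # Constructed sample data, held in memory only.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE prices (item TEXT PRIMARY KEY, price REAL)")
    db.execute("INSERT INTO prices VALUES ('widget', 9.5)")
    return db

ANON = {"name": "anonymous", "roles": ["Anonymous"]}
ADMIN = {"name": "admin", "roles": ["Manager"]}
```

Guessing the method name gets an anonymous caller no further than the role check in `call`, and a direct call that skips the dispatcher is still stopped by the check inside `update_price`.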