O'Reilly has made a *lot* of good decisions over time. If Tim O'Reilly thinks selling off his software products is a sound business decision, he's probably right! I wouldn't even think of second guessing him.
Somehow I suspect the article must be incorrect on this point. Seems to me the server side simply isn't validating input via a POST or GET method. If what you (and the article) suggest is correct, and people are actually publishing altered web pages to the server, then that is a HUGE oversight. Not only would it be inexcusable for a web server to be configured in such a way that the general public can alter the pages, but the commerce apps would also have to be designed such that pricing info is being referenced directly from generated web page source. Sounds strange. I bet they're just talking about altering POST form input.
I'm shocked. You mean there are people writing commercial shopping cart systems without server side pricing checks? *ANYTHING* coming from the browser needs to be re-validated before being processed. This would certainly include pricing information. But all web based form input should be re-validated on the server side regardless of what sort of client side javascript form validation is in place. I've known this for years. Depending upon the application I'm writing and the environment in which it will be used, I sometimes cut corners and trust the client with my information. But for something dealing with real $$$ this sort of programming is inexcusable.
Slashdot Mirror
O'Reilly has made a *lot* of good decisions over time. If Tim O'Reilly thinks selling off his software products is a sound business decision, he's probably right! I wouldn't even think of second guessing him.
Somehow I suspect the article must be incorrect on this point. Seems to me the server side simply isn't validating input via a POST or GET method. If what you (and the article) suggest is correct, and people are actually publishing altered web pages to the server, then that is a HUGE oversight. Not only would it be inexcusable for a web server to be configured in such a way that the general public can alter the pages, but the commerce apps would also have to be designed such that pricing info is being referenced directly from generated web page source. Sounds strange. I bet they're just talking about altering POST form input.
I'm shocked. You mean there are people writing commercial shopping cart systems without server side pricing checks? *ANYTHING* coming from the browser needs to be re-validated before being processed. This would certainly include pricing information. But all web based form input should be re-validated on the server side regardless of what sort of client side javascript form validation is in place. I've known this for years. Depending upon the application I'm writing and the environment in which it will be used, I sometimes cut corners and trust the client with my information. But for something dealing with real $$$ this sort of programming is inexcusable.