Safe eval?

Philipp Lenssen lenssen at hitnet.rwth-aachen.de
Wed Apr 17 03:18:43 EDT 2002


"Ian Bicking" <ianb at colorstudy.com> wrote in message
news:mailman.1018994014.10229.python-list at python.org...
>..
> What you should do is sign your hidden variables.  That is, have a
> secret server-side key, and hash the key concatenated with the
> expression (using the md5 library, for instance).  When they resubmit
> the data you can confirm that the data originated from your server by
> comparing the hash they passed you with the hash you reconstruct.
>..

That sounds very interesting. Maybe I will go that route, in addition to
other security (since the original XML data stored on the server should be
relatively safe from malicious authors, too). I will have to think about how
to store the secret server-side key, since the Python interpreter is open
source and everybody can download it. It would probably be sufficient to
have a text file with a key, which cannot be downloaded (achieving that
easily on every server might become another problem), and the key will have
to be changed by everyone once they put it up on their servers (it should
not have to be changed regularly since I'd lose the feature of the client
being able to save the page and continue the game any time later). Thanks!
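The signing scheme Ian describes, worked through in Python as an added example (this is not code from either poster). It uses HMAC-SHA256 from the standard library rather than md5(key + expression): a plain hash over key||message is open to length-extension attacks, HMAC is not. The key value, the field names `expr`/`sig`, and the function names are assumptions made for the example; a deployment would read the key from a file outside the web root, as the reply suggests, instead of embedding it in source.

```python
import hashlib
import hmac
import html
from typing import Optional

# Constructed key for this example only. In a real deployment load it from a
# file that the web server cannot serve (or from the environment); it must
# never be hard-coded in the distributed Python source.
SERVER_KEY = b"example-only-secret-change-me-before-deploying"


def sign_field(expr: str, key: bytes = SERVER_KEY) -> str:
    """Return a hex tag that binds `expr` to this server's secret key.

    HMAC-SHA256 replaces the md5(key + expr) construction from the thread:
    an attacker who knows one (expr, tag) pair cannot extend it into a
    valid tag for a longer expression, which plain hash(key||msg) allows.
    """
    return hmac.new(key, expr.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_field(expr: str, tag: str, key: bytes = SERVER_KEY) -> bool:
    """Check that (expr, tag) was issued by sign_field with our key.

    compare_digest is constant-time, so response timing does not leak how
    many leading bytes of a guessed tag were correct.
    """
    expected = sign_field(expr, key)
    return hmac.compare_digest(expected, tag)


def render_hidden_fields(expr: str) -> str:
    """Emit the hidden inputs the server would embed in the game page."""
    tag = sign_field(expr)
    return (
        f'<input type="hidden" name="expr" value="{html.escape(expr, quote=True)}">\n'
        f'<input type="hidden" name="sig" value="{tag}">'
    )


def handle_submission(form: dict) -> Optional[str]:
    """Server side: accept the expression only if its signature checks out.

    Returns the verified expression, or None when the signature is missing
    or does not match (i.e. the client edited the hidden field). Only a
    returned expression should ever reach the evaluator.
    """
    expr = form.get("expr", "")
    tag = form.get("sig", "")
    if not isinstance(expr, str) or not isinstance(tag, str):
        return None
    if not verify_field(expr, tag):
        return None
    return expr


if __name__ == "__main__":
    original = "2 + 3 * 4"
    print(render_hidden_fields(original))
    tag = sign_field(original)
    # Round trip: the page we issued is accepted on resubmission.
    assert handle_submission({"expr": original, "sig": tag}) == original
    # Tampering: the client swapped the expression but cannot recompute
    # the tag without SERVER_KEY, so the submission is rejected.
    forged = {"expr": "__import__('os').system('id')", "sig": tag}
    assert handle_submission(forged) is None
```

Because verification simply recomputes the tag under the current key, any key change invalidates every page issued before it; that is the trade-off the reply mentions between rotating the key and letting players resume a saved page later.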




