On 5 August 2010 17:18, Chris Babcock <cbabcock@asciiking.com> wrote:
> On Thu, Aug 5, 2010 at 2:06 PM, Henk Boom <henk@henk.ca> wrote:
>> It seems that the user can change any internal variables of the
>> application by modifying the URL; that seems like it could be a
>> security concern in some cases. Is there a way of preventing that?
>
> Like any web application, you still have to validate the user data.
> You keep your internal variables separate from the user variables and
> only load the user values into the *real* variables when they are
> in bounds. That's a fairly common source of bugs in web apps written by
> programmers whose experience is mostly on the desktop.

I agree. My concern is that every variable marked as reactive is
automatically and transparently modifiable by the user.

    henk
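
The separation described in the quoted reply, sketched as an added example that is not part of the original thread or of the framework being discussed. The framework's API is not shown in the message, so every name here (`internal`, `user_schema`, `apply_query`) is hypothetical: only explicitly listed variables can be set from the URL, and only after a bounds check.

```lua
-- Added illustration; all names are hypothetical, not a real framework API.

-- Internal state: never written from request data.
local internal = { is_admin = false, db_path = "/var/app/data.db" }

-- User-settable variables. Each has a default and a validator that returns
-- the converted value, or nil when the input is out of bounds.
local user_schema = {
  page = { default = 1, check = function(s)
    local n = tonumber(s)
    if n and n == math.floor(n) and n >= 1 and n <= 500 then return n end
  end },
  sort = { default = "date", check = function(s)
    local allowed = { date = true, title = true }
    if allowed[s] then return s end
  end },
}

-- Decode '+' and %XX escapes in one query-string component.
local function url_decode(s)
  s = s:gsub("%+", " ")
  return (s:gsub("%%(%x%x)", function(h) return string.char(tonumber(h, 16)) end))
end

-- Build the user variables from a raw query string. Unknown names and
-- out-of-bounds values are reported in `rejected` and never applied.
local function apply_query(query)
  local vars, rejected = {}, {}
  for name, spec in pairs(user_schema) do vars[name] = spec.default end
  for k, v in query:gmatch("([^&=]+)=([^&]*)") do
    k, v = url_decode(k), url_decode(v)
    local spec = user_schema[k]
    local value = spec and spec.check(v)
    if value ~= nil then vars[k] = value else rejected[#rejected + 1] = k end
  end
  return vars, rejected
end

-- Constructed query string: two valid values, one out-of-range value, and
-- one attempt to set a name that exists only in the internal table.
local vars, rejected = apply_query("page=3&sort=title&page=9999&is_admin=true")
print("page:", vars.page, "sort:", vars.sort)
print("internal.is_admin:", internal.is_admin)
print("rejected:", table.concat(rejected, ","))
```

Logging the `rejected` list server-side gives a cheap signal that someone is probing for variable names through the URL.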