Using an input whitelist for Uniface USP
This little contribution should help you get the inputs from the web in a safe and intended scope.
Let's imagine you want to change the entity UCKEY, and the parameters coming back from the web have the corresponding field names. A very easy way to acquire those values is
Uniface proc code
and then we are finished! But this is some sort of EPIC FAIL, as we allow the web to manipulate the scope of the inputs. If we only wanted the fields "UDESCR" and "U_DOC" to be edited and used the above statement, it would be very easy to append another field such as "U_TLAB" to be changed as well!
And THAT'S very uncool, right?!
Whitelisting solves this problem
The idea of a whitelist is obvious: WE decide which fields we need and expect, and nothing else changes this scope.
First, we define which fields we want to use and accept for the entity UCKEY. This is easily done in an entry:
entry en_whitelist_uckey
Then, whenever we need those inputs in the server page, we simply call that entry and take its return string as the inputs:
Uniface proc code
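To make the difference between the two approaches tangible, here is an added example in Python that models them; it is not the post's Uniface Proc code. The entry name en_whitelist_uckey, the field names and the ";"-separated list string standing in for the entry's return value are assumptions, and the web input and record values are constructed samples.

```python
# Added example (not from the original post): a Python model of the two
# approaches the post describes, so the difference can be exercised offline.
# The Uniface Proc specifics (webget, the en_whitelist_uckey entry and the
# ";"-separated list string) are assumed and only imitated here.
from typing import Dict, List, Tuple

# Constructed sample: field values of one UCKEY occurrence on the server.
UCKEY_RECORD = {"UDESCR": "old description", "U_DOC": "old.doc", "U_TLAB": "label-1"}

# Constructed sample: what the browser submitted. U_TLAB was appended by the
# client even though the form only exposes UDESCR and U_DOC.
WEB_INPUT = {"UDESCR": "new description", "U_DOC": "new.doc", "U_TLAB": "tampered"}


def en_whitelist_uckey() -> str:
    """Stands in for the post's entry: the fields we accept for UCKEY,
    returned as a ";"-separated list string (assumed list convention)."""
    return "UDESCR.UCKEY;U_DOC.UCKEY"


def webget_all(record: Dict[str, str], web_input: Dict[str, str]) -> Dict[str, str]:
    """The 'EPIC FAIL' variant: every submitted parameter that names a field
    of the entity is copied in, so the client controls the scope."""
    updated = dict(record)
    for field, value in web_input.items():
        if field in updated:
            updated[field] = value
    return updated


def webget_whitelisted(
    record: Dict[str, str], web_input: Dict[str, str], whitelist: str
) -> Tuple[Dict[str, str], List[str]]:
    """Whitelisted variant: only fields named in the entry's return string are
    taken from the web input; anything else is reported, never applied."""
    accepted = {item.split(".")[0] for item in whitelist.split(";") if item}
    updated = dict(record)
    rejected = []
    for field, value in web_input.items():
        if field in accepted:
            updated[field] = value
        else:
            rejected.append(field)
    return updated, sorted(rejected)
```

The list of rejected fields is worth logging on the server, since an unexpected field name in a request is a sign that someone edited the form.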