1
Web Server - Ask For Help / Re: Emulating the Accounts example 31 Records not displaying correctly
« on: September 15, 2024, 08:16:29 PM »
Looks like a CSS issue. Is the page online?
(given that it's a CSS issue, and it's only an issue in the deployed server, you may want to refresh your CSS in the browser.)
2
Web Server - Ask For Help / Re: Apostraphe value in sql
« on: September 15, 2024, 08:14:56 PM »
>> Bruce how is possible SQL injection attacks with prop:sql ?
Prop:Sql passes the SQL you write straight through to the database for execution.
By contrast the drivers create "Parameterized Queries" - which separate the "code" part of the sql from the data part of the sql. Separating the code and the data means that code is code and data is data.
With prop:Sql the code and data are smooshed together. So Jason's line:
InvoiceItems{Prop:Sql} = 'Select * from dbo.InvoiceItems where ProductName = ''' & p_web.GSV('SelectedProductName') & ''''
is vulnerable to manipulation of SelectedProductName.
For example, say this is coming from an entry field on the window. Then I enter:
' ; Drop Table Customers; '
This is a trivial example, but shows the root problem. Once a user can enter "any sql", well they can do anything they like to your database, and none of it is good.
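As an added example (not from the thread), here is Jason's line translated into Python against an in-memory SQLite database, showing the two fixes Bruce names: doubling apostrophes the way he says QUOTE does, and letting the driver parameterize so code and data never mix. The helper names (quote_sql_literal, build_prop_sql, lookup_escaped, lookup_parameterized) and the sample tables are my assumptions; the dbo. prefix is dropped because SQLite has no schemas.

```python
import sqlite3

# Constructed sample: the text Bruce types into the entry field in the thread.
HOSTILE_PRODUCT_NAME = "' ; Drop Table Customers; '"

def quote_sql_literal(value: str) -> str:
    """Double each apostrophe, the behaviour Bruce attributes to Clarion's QUOTE.
    Assumed stand-in for QUOTE written for this example; it does nothing else."""
    return value.replace("'", "''")

def build_prop_sql(product_name: str) -> str:
    """Jason's Prop:Sql string translated from Clarion (each ''' pair there is an
    escaped apostrophe), with the value run through quote_sql_literal first and the
    dbo. prefix dropped because SQLite has no schemas."""
    return ("Select * from InvoiceItems where ProductName = '"
            + quote_sql_literal(product_name) + "'")

def fresh_db() -> sqlite3.Connection:
    """In-memory stand-in for the database: the Customers table the payload
    targets, one ordinary item, and one item named exactly the hostile string."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table InvoiceItems(ProductName text)")
    conn.execute("create table Customers(Name text)")
    conn.execute("insert into InvoiceItems values (?)", ("Widget",))
    conn.execute("insert into InvoiceItems values (?)", (HOSTILE_PRODUCT_NAME,))
    return conn

def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute("select count(*) from sqlite_master where type = 'table'"
                       " and name = ?", (name,)).fetchone()
    return row[0] == 1

def lookup_escaped(product_name: str) -> tuple:
    """Concatenated SQL with apostrophes doubled: the hostile text is now just a
    literal value, so the statement matches a row instead of running Drop Table."""
    conn = fresh_db()
    names = [r[0] for r in conn.execute(build_prop_sql(product_name))]
    return names, table_exists(conn, "Customers")

def lookup_parameterized(product_name: str) -> tuple:
    """What the drivers do for you: code and data travel separately, so there is
    nothing to escape and no string building at all."""
    conn = fresh_db()
    sql = "select ProductName from InvoiceItems where ProductName = ?"
    names = [r[0] for r in conn.execute(sql, (product_name,))]
    return names, table_exists(conn, "Customers")
```

Both lookups return the matching row and confirm the Customers table is still present; the parameterized form is the one to prefer, since it needs no escaping step that someone can forget.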
3
Web Server - Ask For Help / Re: Apostraphe value in sql
« on: September 13, 2024, 09:52:44 PM »
Hi Jason,
>> you want me to produce example in sql?
sure.
>> I will issue the sql query in my embed code
>> InvoiceItems{Prop:Sql} = 'Select * from dbo.InvoiceItems where ProductName = ''' & p_web.GSV('SelectedProductName') & ''''
See - already you are exposing detail which you haven't done before. That's the purpose of an example.
You should not be using Prop:SQL at all in your program. This is very, very bad. Using Prop:Sql will open up your program to SQL injection attacks.
Do not do it.
Equally, you don't need to be using Prop:Sql. The APIs support VIEWs as a return structure, and VIEWs support filters. You should be using that.
Let me say it again - if you are using Prop:Sql in general, and with user entered data in particular, then your web app is doomed to failure. If you do go this route please let me know the URL of your service so I can delight in dropping all your tables from the database, randomly filling your database with spam, altering all the unit prices so I can get stuff for free, and having fun in all other kinds of ways.
>> What I am asking is if there is a NetTalk method to convert single apostrophe to double apostrophe then it would be useful.
Clarion has a command QUOTE which does that.
Cheers
Bruce
4
Web Server - Ask For Help / Re: WebWebServiceMethod Raw request data
« on: September 09, 2024, 10:43:22 PM »
p_web.RequestData
5
Web Server - Ask For Help / Re: Sec:Level - Multiple Ranges?
« on: September 09, 2024, 10:42:07 PM »
Hi,
I want to have multiple security level ranges - one for user - e.g. sec:level = 100-199 and ANOTHER for Administrators Sec:Level 995-999.
If possible then How?
where?
6
Web Server - Ask For Help / Re: Apostraphe value in sql
« on: September 09, 2024, 10:40:33 PM »
reproduce in an example app, and post that here.
7
Web Server - Ask For Help / Re: Browse with locator, return position after clicking "Other" type button
« on: August 28, 2024, 04:05:45 AM »
Best to make, and post, an example, Gordon.
8
Web Server - Ask For Help / Re: Slow to Close
« on: August 28, 2024, 03:38:30 AM »
You're right Vinnie!
The state is now stored as JSON - that changed from XML at some point.
Settings are still XML, but that's a different file.
cheers
Bruce
9
Web Server - Ask For Help / Re: Media field type question, part 4
« on: August 26, 2024, 07:17:21 PM »
No ideas, Jeff.
10
Web Server - Ask For Help / Re: Strange behaviour of NetEncryptString and NetDecryptString
« on: August 26, 2024, 07:16:32 PM »
I suspect you are not getting the len quite right.
First, I'm assuming all these are strings, not cstrings. (You can't use cstrings for binary values, and encrypted strings are binary values.)
Second, len(string) returns the declared length of the string, not the clipped length. (And you can't clip because the encrypted password might end in chr(32).)
So you need to track, and store, the length of encrypted fields. OR have a fixed-length string with a fixed length (including trailing spaces).
11
Web Server - Ask For Help / Re: Performance NetWebForm
« on: August 26, 2024, 07:13:42 PM »
does the example work?
12
Web Server - Ask For Help / Re: Slow to Close
« on: August 26, 2024, 07:13:00 PM »
Vinnie is on the right track here, but there are a few details wrong:
If "Save state between runs" is set then all the session data is saved to a state file on close.
This can take time depending on how much there is.
(The file is XML, not JSON.)
This is unrelated to graceful close.
Even if the server has only run for a short time there can be a lot of state information, if the state was loaded on startup. So check the size of your state file.
Graceful close completes all active threads before terminating the program. As distinct from a hard close which simply terminates all threads wherever they happen to be.
Bruce
13
Web Server - Ask For Help / Re: Media field type question, part 3
« on: August 22, 2024, 06:29:14 PM »
Hi Jeff,
I don't know. You can google to find out I guess?
Given your success in figuring out the last couple of threads, I'm hopeful you'll figure this one out too.
Cheers
Bruce
14
Web Server - Ask For Help / Re: Performance NetWebForm
« on: August 22, 2024, 06:26:26 PM »
It's in the Calc example.
15
Web Server - Ask For Help / Re: Why can't I click Display item to go to popup?
« on: July 30, 2024, 06:18:47 AM »
Popups and fixed URLs are _very_ different animals.
You'd need to post an example though so I can see what you are doing.
Cheers
Bruce