I made a 2 minute video that I think every A5 web developer should watch. Not because I made it, but because it brings home a serious issue that all developers have to always be concerned with - security and data isolation.
The case is that I have (and still have) some function within one of my web applications that causes the Users table index to become out of sync with the database. I can't find it, and I think it may be due to the hardware configuration my client is using. But the point is, it becomes corrupt, and, even though only twice in six months, that had a disastrous effect on client confidence.
Because it was corrupt, and because of how I used to assign User table variables to session variables, I was getting the wrong record information from the Users table. The result was UserA was viewing UserB's confidential information.
The syntax I was using is (I want the CompanyID, which I use to filter records):
The general syntax I now use is:
The first method uses the index which, if corrupt blows everything. The second does not use an index at all.
But there is more you can do to ensure safety and to provide good customer service (which is second only to security). That's what I try to show in the video. Here is the address: http://alphatogo.com/video/login_failsafe_demo.htm
I did not include the code in the video, but will send it to anyone who asks (I won't post it on the board). It includes a "double-checking" routine provided by Jerry that confirms I received back the record I expected.
The case is that I have (and still have) some function within one of my web applications that causes the Users table index to become out of sync with the database. I can't find it, and I think it may be due to the hardware configuration my client is using. But the point is, it becomes corrupt, and, even though only twice in six months, that had a disastrous effect on client confidence.
Because it was corrupt, and because of how I used to assign User table variables to session variables, I was getting the wrong record information from the Users table. The result was UserA was viewing UserB's confidential information.
The syntax I was using is (I want the CompanyID, which I use to filter records):
Code:
lookupc("F",session.__protected__ulink,"CompanyID","[PathAlias.ADB_Path]\web_users.dbf","ID")
Code:
table.external_record_content_get("[PathAlias.ADB_Path]\web_users.dbf","CompanyID","","id=\""+session.__protected__ulink+"\"")
But there is more you can do to ensure safety and to provide good customer service (which is second only to security). That's what I try to show in the video. Here is the address: http://alphatogo.com/video/login_failsafe_demo.htm
I did not include the code in the video, but will send it to anyone who asks (I won't post it on the board). It includes a "double-checking" routine provided by Jerry that confirms I received back the record I expected.
Comment