Focal Point Banner


As of December 1, 2020, Focal Point is retired and repurposed as a reference repository. We value the wealth of knowledge that's been shared here over the years. You'll continue to have access to this treasure trove of knowledge, for search purposes only.

Join the TIBCO Community
TIBCO Community is a collaborative space for users to share knowledge and support one another in making the best use of TIBCO products and services. There are several TIBCO WebFOCUS resources in the community.

  • From the Home page, select Predict: WebFOCUS to view articles, questions, and trending articles.
  • Select Products from the top navigation bar, scroll, and then select the TIBCO WebFOCUS product page to view product overview, articles, and discussions.
  • Request access to the private WebFOCUS User Group (login required) to network with fellow members.

Former myibi community members should have received an email on 8/3/22 to activate their user accounts to join the community. Check your Spam folder for the email. Please get in touch with us at community@tibco.com for further assistance. Reference the community FAQ to learn more about the community.


Focal Point    Focal Point Forums  Hop To Forum Categories  WebFOCUS/FOCUS Forum on Focal Point     [SOLVED] Preventing SQL Injection Error in Reporting Object

Read-Only Read-Only Topic
Go
Search
Notify
Tools
[SOLVED] Preventing SQL Injection Error in Reporting Object
 Login/Join
 
Platinum Member
posted
Everyone,

I have a reporting object in a collaborative portal. The reporting object
uses DEFAULTH and five dynamic parameters, all of which pull from a list of available values found only in my .mas file. The parameters include QUOTEDSTRING in them. In prior versions of WebFocus, a separate validation fex include the DEFAULTH and quotedstring.

My question is this: How do I prevent a SQL injection error in which users could potentially insert some text and see more records than they are supposed to see?

I looked a post from Dec. 4, 2013 (referenced below), and I think it might be the right direction, but since it was so long ago, I thought I'd ask the question anew. Here is the post I looked at:

[SOLVED] Different HTML - Same *.fex - Dynamic where

This message has been edited. Last edited by: FP Mod Chuck,


WebFocus 8.2.04
WebFocus 8.2.04

 
Posts: 191 | Registered: September 18, 2015Report This Post
Virtuoso
posted Hide Post
Could you use ACCEPT= in the master files? See page 194 of this doc: https://webfocusinfocenter.inf...fs6/wf8206ddlang.pdf


WebFOCUS 8206, Unix, Windows
 
Posts: 1853 | Location: New York City | Registered: December 30, 2015Report This Post
Platinum Member
posted Hide Post
I'm not sure. It's not something we've tried previously.

So, to provide a little more information, my portal is a public-facing portal. It's important we get this right.

As mentioned previously, in past versions, we had a separate validation fex that checked any parameters we used anywhere in our portal. We kept adding to it as we established new parameters.

I reviewed the documentation about ACCEPT, but I must admit it's not entirely clear to me.

Has anyone done anything like this previously? If so, how does it work? Does using ACCEPT in the mas file (synonym) eliminate the need for a separate validation fex?


WebFocus 8.2.04
WebFocus 8.2.04

 
Posts: 191 | Registered: September 18, 2015Report This Post
Guru
posted Hide Post
Have you considered using DBA row-level security? We have a public-facing portal too, and various customers run the same reports. We use row-level security so one customer can't see another customer's data, even if they select ALL records on a report. Works great.


Webfocus 8
Windows, Linux
 
Posts: 258 | Location: Palm Coast, FL | Registered: February 05, 2010Report This Post
Platinum Member
posted Hide Post
Row-level security would make sense if the portal were set up in a different way. I really need to understand how to use the ACCEPT method as I think it's probably the best way to proceed.


WebFocus 8.2.04
WebFocus 8.2.04

 
Posts: 191 | Registered: September 18, 2015Report This Post
Virtuoso
posted Hide Post
Does the list of values change with each user or is it a static list that's enforced so no other values are allowed? The former is a little more complicated than the latter. Either way, ACCEPT= will help you enforce what you will allow as values displayed on a selection.

A very simple test is this: Edit ibisamp/car.mas to add an ACCEPT= to the COUNTRY. It'll look something like this:
 FIELDNAME=COUNTRY, ALIAS=COUNTRY, USAGE=A10, FIELDTYPE=I,
      ACCEPT='ENGLAND' OR 'CHINA', $
 

Then create a simple report like this to test how the autoprompt will behave:
  
TABLE FILE ibisamp/car
SUM DEALER_COST
BY COUNTRY
BY CAR
BY MODEL
WHERE COUNTRY EQ &COUNTRY.(FIND COUNTRY IN IBISAMP/CAR |FORMAT=A10,SORT=ASCENDING,REQUIRED=TRUE).COUNTRY.QUOTEDSTRING;
ON TABLE PCHOLD FORMAT HTML
END


When you run this report, you'll get prompted for only ENGLAND and CHINA.

The ACCEPT=SYNONYM will allow you to do the same thing by creating a table described by a SYNONYM that contains a list of values. The idea being that you store your acceptable values in a much smaller table and your drop down will populate much faster by going through 5 or 10 unique values and the user can't pick anything other than those values in the table described by the synonym.

This message has been edited. Last edited by: BabakNYC,


WebFOCUS 8206, Unix, Windows
 
Posts: 1853 | Location: New York City | Registered: December 30, 2015Report This Post
Platinum Member
posted Hide Post
The list of values does not change with each user. All users have access to the same list of values. In other words, each filter is a static list that is enforced so no other values are allowed.


WebFocus 8.2.04
WebFocus 8.2.04

 
Posts: 191 | Registered: September 18, 2015Report This Post
Virtuoso
posted Hide Post
Then I suggest you use ACCEPT=SYNONYM. Create an LOV table in your database and use that for the acceptable list of values. It's more efficient and less coding. The LOV table can also be updated and maintained more efficiently when it changes and will always display the correct values when users get prompted.


WebFOCUS 8206, Unix, Windows
 
Posts: 1853 | Location: New York City | Registered: December 30, 2015Report This Post
Platinum Member
posted Hide Post
I got the CAR to work out appropriately, and I understand the concept of creating a table of lookup values. It makes sense, and it seems it would be efficient, less coding involved and easier to maintain over time.

So, I'll try the technique you suggest and see if I run into any difficulties.


WebFocus 8.2.04
WebFocus 8.2.04

 
Posts: 191 | Registered: September 18, 2015Report This Post
  Powered by Social Strata  

Read-Only Read-Only Topic

Focal Point    Focal Point Forums  Hop To Forum Categories  WebFOCUS/FOCUS Forum on Focal Point     [SOLVED] Preventing SQL Injection Error in Reporting Object

Copyright © 1996-2020 Information Builders