Brett, "OWASP TOP 10" - it is a good list and I am going to use it. Thanks!
:) It wasn't your intention, but your argument is actually for "automated record creation/editing", not against it.
If I have 50+ pages where data can be inserted/modified by the users, then what is more secure?
A) Handling each page separately -> 50+ separate pieces of procedures, HTML files, etc.
or
B) Having a centralized place to handle all 50+ pages with data.
It seems to me that Solution B has a higher potential to be secure. With Solution B, it is simply easier to implement all security validations, rules, changes etc.
[[i.e. code you don't really understand]]
If I understand security, then I know I have to check the generated code and I have to test it.
If I don't understand security, then I still may be better off with automatically generated code.
I am going to automate the code anyway. :) I would feel safer if the automation came from West-Wind/Rick Strahl (professionals) than from me, a noob.
Sam2013
Here are 10 good reasons why doing "automated record creation/editing" via generated code (i.e. code you don't really understand) is a bad idea:
Open Web Application Security Project - Top 10 Threats and Vulnerabilities
I'm not trying to be flippant here but it is _important_ to have a very good understanding of the HTML/CSS/etc. for sites that are "data driven". I'm not trying to be elitist here either.
Rick,
First of all, thanks for the quick answer.
What can I say? I am disappointed with the answer. As a VFP programmer, I was hoping for more VFP and less HTML/CSS in WebConnection; more automation/RAD. I know you cannot make 100% of developers happy, but 30%, 50%, or 80% might be happy with a generic tool/class/function. I am talking here about very basic functionality for a data-driven website. I wouldn't need WebConnection for a static website with just a few data entry fields.
BTW, [[The problem with those kinds of things is that everyone then wants a million little enhancements to do this or that a little different and it's just too much of a hassle to maintain this]] - this is a problem with everything! This is why you provide basic classes/code which developers can customize.
Thanks again,
San2013
No, we don't have a template tool that automatically provides record viewing and browsing.
The problem with those kinds of things is that everyone then wants a million little enhancements to do this or that a little different, and it's just too much of a hassle to maintain this, so this feature, which we previously had roughly as part of wwShowCursor, has been deprecated.
+++ Rick ---
Hi,
I have many tables (20+) in my project. The users will create and edit data in those tables through a website.
I could use something looking like the Sample Guest Book, but simpler, working with a single record at a time.
Does WebConnection have a tool/class/function to automatically generate HTML code to create/edit a single record in a table?
Input parameters would be:
- cursor/table record, object or a set of memory variables representing a single record,
- field captions,
- field descriptions,
- field types and sizes (text, numeric, date, time, date and time, boolean...)
- simple validation rules (required, range...)
- default value.
I see that the Guest Book is done through a template. It is not extremely complex, but not trivial either. I could imagine a WebConnection tool/class/function generating generic HTML code for me. Does something like this exist?
I am new to Web Connection, so sorry if the above doesn't make sense,
San2013