Encryption of Form Parameters
This feature allows the values that are passed into a form as parameters to be secured by adding an additional encrypted field. For example, to pass a customer id into a form, you might build a URL as follows.
www.yourdomain.com/ebase/CustomerMaintenance.eb?CUSTOMER_ID=34567123
This might be passed to an end user in an email message, or invoked from a menu system as a URL. In either case, it is important that the value of customer id cannot be changed, so the end user can only display and maintain their own details and cannot view or change another customer's details.
This is achieved in Ebase Xi by declaring that the CUSTOMER_ID is an encrypted parameter. (Encryption is an option in the field properties dialog.) The URL is then constructed using an additional parameter CUSTOMER_ID_ACCESSKEY:
www.yourdomain.com/ebase/CustomerMaintenance.eb?CUSTOMER_ID=34567123&CUSTOMER_ID_ACCESSKEY=0sdfsdf7543
The name of the additional parameter is the parameter field name plus _ACCESSKEY. As the URL shows, CUSTOMER_ID itself is still passed in clear; the access key is what lets the system detect a changed value. To use encrypted parameters you must generate this additional parameter and the encrypted value. The example below shows passing control to a different form with an encrypted customer id parameter:
FPL:

    // Use the getufskey() function to encrypt the value set
    ENCRYPTED_VALUE = getufskey(tostring(CUSTID));
    goto form ACCESS_TEST2 CUSTOMER_ID = CUSTID, CUSTOMER_ID_ACCESSKEY = ENCRYPTED_VALUE;

API based language (Javascript):

    var encryptedValue = EncryptionServices.encrypt(fields.CUSTID.value);
    var parms = {};
    parms.CUSTOMER_ID = fields.CUSTID.value;
    parms.CUSTOMER_ID_ACCESSKEY = encryptedValue;
    form.gotoForm("ACCESS_TEST2", parms);
When a form with an encrypted parameter is started, the system checks that the encrypted parameter (i.e. the field name plus _ACCESSKEY) exists and that the value is correct. If this check fails, an error is displayed to the end user. By default this error will be:
"A security error has occurred"
This message can be changed if required by changing system texts 300 and 310. These texts correspond to XXX_ACCESSKEY not found, and encryption comparison failed, respectively.
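The start-up check described above, sketched as an added Node.js example. It is not Ebase Xi code and does not reproduce the algorithm behind getufskey() or EncryptionServices.encrypt(), which this page does not describe. It assumes a keyed HMAC-SHA256 as the access key; accessKey, buildUrl, checkUrl and SERVER_SECRET are hypothetical names, and the return codes simply mirror system texts 300 and 310.

```javascript
// Added illustration: NOT Ebase Xi's algorithm (the page does not describe it).
const crypto = require("node:crypto");

// Constructed demo secret; a real deployment keeps this on the server only.
const SERVER_SECRET = Buffer.from("constructed-demo-secret-not-for-production");

// Hypothetical helper: keyed MAC over field name and value, so a key issued
// for one field or one value cannot be reused for another.
function accessKey(fieldName, value) {
  return crypto.createHmac("sha256", SERVER_SECRET)
    .update(fieldName + "\0" + String(value))
    .digest("hex");
}

// Build a link carrying the value plus its <FIELD>_ACCESSKEY companion.
function buildUrl(base, fieldName, value) {
  const url = new URL(base);
  url.searchParams.set(fieldName, String(value));
  url.searchParams.set(fieldName + "_ACCESSKEY", accessKey(fieldName, value));
  return url.toString();
}

// Check an incoming URL. The two failure codes mirror the page's two cases:
// 300 = XXX_ACCESSKEY not found, 310 = comparison failed.
function checkUrl(rawUrl, fieldName) {
  const params = new URL(rawUrl).searchParams;
  const value = params.get(fieldName);
  const supplied = params.get(fieldName + "_ACCESSKEY");
  if (supplied === null) return { ok: false, text: 300 };
  const expected = Buffer.from(accessKey(fieldName, value));
  const got = Buffer.from(supplied);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (value === null || got.length !== expected.length ||
      !crypto.timingSafeEqual(got, expected)) {
    return { ok: false, text: 310 };
  }
  return { ok: true, value };
}

const BASE = "https://www.yourdomain.com/ebase/CustomerMaintenance.eb";
const good = buildUrl(BASE, "CUSTOMER_ID", "34567123");
const tampered = good.replace("CUSTOMER_ID=34567123", "CUSTOMER_ID=34567124");
console.log(checkUrl(good, "CUSTOMER_ID"));
console.log(checkUrl(tampered, "CUSTOMER_ID"));
console.log(checkUrl(BASE + "?CUSTOMER_ID=34567123", "CUSTOMER_ID"));
```

The comparison is constant-time, and the same generic message should be shown for both failure codes so a caller cannot tell a missing key from a wrong one.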