Encryption of Form Parameters

 


This feature allows the values that are passed into a form as parameters to be secured by adding an additional encrypted field. For example, to pass a customer id into a form, you might build a URL as follows.

 

www.yourdomain.com/ebase/CustomerMaintenance.eb?CUSTOMER_ID=34567123

 

This might be passed to an end user in an email message, or invoked from a menu system as a URL. In either case, it is important that the value of the customer id cannot be changed, so that the end user can only display and maintain their own details and cannot view or change another customer's details.

 

This is achieved in Ebase Xi by declaring that the CUSTOMER_ID is an encrypted parameter. (Encryption is an option in the field properties dialog.) The URL is then constructed using an additional parameter CUSTOMER_ID_ACCESSKEY:

 

www.yourdomain.com/ebase/CustomerMaintenance.eb?CUSTOMER_ID=34567123&CUSTOMER_ID_ACCESSKEY=0sdfsdf7543

 

The name of the additional parameter is the parameter field name plus _ACCESSKEY. To use encrypted parameters you must generate this additional parameter and the encrypted value. The example below shows passing control to a different form with an encrypted customer id parameter:

 

FPL:

// Use the getufskey() function to encrypt the value
set ENCRYPTED_VALUE = getufskey(tostring(CUSTID));
goto form ACCESS_TEST2 CUSTOMER_ID = CUSTID, CUSTOMER_ID_ACCESSKEY = ENCRYPTED_VALUE;

API based language (JavaScript):

// Use EncryptionServices.encrypt() to encrypt the value
var encryptedValue = EncryptionServices.encrypt(fields.CUSTID.value);
var parms = {};
parms.CUSTOMER_ID = fields.CUSTID.value;
parms.CUSTOMER_ID_ACCESSKEY = encryptedValue;
form.gotoForm("ACCESS_TEST2", parms);

 

When a form with an encrypted parameter is started, the system checks that the encrypted parameter (i.e. the field name plus _ACCESSKEY) exists and that the value is correct. If this check fails, an error is displayed to the end user. By default this error will be:

 

"A security error has occurred"

 

This message can be changed if required by changing system texts 300 and 310. These texts correspond to "XXX_ACCESSKEY not found" and "encryption comparison failed", respectively.
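
The general shape of the check described above, as an added example that is not Ebase Xi code and does not show how getufskey() or EncryptionServices.encrypt() compute their value. It assumes an HMAC-SHA256 tag over the field name and value with a constructed server secret; makeAccessKey, buildQuery and checkParameter are hypothetical names.

```javascript
// Added illustration; not Ebase Xi code. HMAC-SHA256 stands in for the
// product's unspecified algorithm. All names and the secret are constructed.
const crypto = require("crypto");

const SERVER_SECRET = Buffer.from("constructed-demo-secret-do-not-reuse");

// The tag covers the field name as well as the value, so a key issued
// for one parameter does not validate for a different parameter.
function makeAccessKey(fieldName, value) {
  return crypto.createHmac("sha256", SERVER_SECRET)
    .update(fieldName + "\0" + String(value))
    .digest("hex");
}

// Build the query string: <FIELD>=value&<FIELD>_ACCESSKEY=tag
function buildQuery(fieldName, value) {
  const q = new URLSearchParams();
  q.set(fieldName, String(value));
  q.set(fieldName + "_ACCESSKEY", makeAccessKey(fieldName, value));
  return q.toString();
}

// Returns "ok", "missing" (the case the page maps to system text 300)
// or "mismatch" (the case the page maps to system text 310).
function checkParameter(query, fieldName) {
  const q = new URLSearchParams(query);
  const supplied = q.get(fieldName + "_ACCESSKEY");
  if (supplied === null) return "missing";
  const value = q.get(fieldName) ?? "";
  const expected = Buffer.from(makeAccessKey(fieldName, value), "hex");
  const got = Buffer.from(supplied, "hex");
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (got.length !== expected.length) return "mismatch";
  return crypto.timingSafeEqual(got, expected) ? "ok" : "mismatch";
}

// Constructed sample requests: untouched, value edited, access key removed.
const good = buildQuery("CUSTOMER_ID", "34567123");
const tampered = good.replace("34567123", "34567124");
const stripped = "CUSTOMER_ID=34567123";

console.log(checkParameter(good, "CUSTOMER_ID"));
console.log(checkParameter(tampered, "CUSTOMER_ID"));
console.log(checkParameter(stripped, "CUSTOMER_ID"));
```

Both failure results would be shown to the end user as the same generic error, while the distinction between them stays available server-side for logging.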