Subject | multiple search criteria raises security problem |
---|---|
Author | Andreas Pohl |
Post date | 2002-10-21T13:31:57Z |
As Helen mentioned, it is possible to use multiple search criteria in IBO's
visual controls like TIB_SearchPanel. But it is raising a security hole:
Let's say there is an underlying SQL query like
select * from table where nr<100
So you'll expect that the user will never see datasets with nr>100. But if he's
smart enough to write in search mode in any bounded IBO control for nr
"1 or nr>1"
then he will see all and it's easy to bypass all hardcoded restrictions.
There should be a possibility to avoid that. Or do I miss something?
With kind regards & Best Regards
Andreas Pohl
ibp consult
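
Added example, not part of the original post and not IBO code: it reproduces the precedence problem described above with Python's `sqlite3` and shows two ways to keep the `nr<100` restriction in force. It assumes the search criterion is spliced as text after `nr =`; the table `items`, the view `visible_items`, the sample rows and all function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data: six rows, three of them outside nr < 100."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (nr INTEGER)")
    db.executemany("INSERT INTO items VALUES (?)",
                   [(n,) for n in (1, 50, 99, 100, 150, 5000)])
    # Restriction enforced inside a view instead of in client-side SQL text.
    db.execute("CREATE VIEW visible_items AS SELECT nr FROM items WHERE nr < 100")
    return db

def search_spliced(db, user_text, source="items", restriction="nr < 100 AND "):
    """Assumed weak composition: criterion text appended with no grouping.
    AND binds tighter than OR, so an OR in user_text escapes the restriction."""
    sql = f"SELECT nr FROM {source} WHERE {restriction}nr = {user_text} ORDER BY nr"
    return [row[0] for row in db.execute(sql)]

def search_bound(db, user_text):
    """Hardened: restriction parenthesised, user input bound as one integer value."""
    value = int(user_text.strip())          # raises ValueError on "1 or nr>1"
    sql = "SELECT nr FROM items WHERE (nr < 100) AND nr = ? ORDER BY nr"
    return [row[0] for row in db.execute(sql, (value,))]

def search_via_view(db, user_text):
    """Even with spliced criteria, a view keeps rows with nr >= 100 out of reach."""
    return search_spliced(db, user_text, source="visible_items", restriction="")

if __name__ == "__main__":
    db = make_db()
    print(search_spliced(db, "1 or nr>1"))   # restriction bypassed
    print(search_bound(db, "50"))            # single bound value
    print(search_via_view(db, "1 or nr>1"))  # restriction still holds
```

On a server with SQL privileges, granting the user access to the view only, and not to the base table, makes the restriction independent of whatever the client composes.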