
how to bypass url parameters?

 
Kameswari Jyosyula
Ranch Hand
Posts: 39
I am trying to give a link to a crystal report in my JSP file. The crystal report accesses a database. Hence in my URL I am passing the username and password for the database (different from the user login), ex: http://myurl.com?user0=myuser&password0=mypwd
I don't want the user to see this. Is there any other way of passing this data (say, put them in a cfg file and call them in this URL), like user0=mybean etc.?
If not, is there any way of disabling the user from seeing the userid and password? (Both when the user points the mouse on the link and when view source is selected from the browser menu.)
TIA
 
sanj singh
Ranch Hand
Posts: 129
Try setting them as attributes of the session.
 
DAYANAND BURAMSHETTY
Ranch Hand
Posts: 34
Hi,
I think you are using the get method (<form method=get>); that's why you see the userid and password. If you use the post method then you can't see the userid and password.
<form method=post action="">
....
If I'm wrong, correct me.
 
Randall Twede
Ranch Hand
Posts: 4444
I agree the problem is you are doing a "get" rather than a "post". Get passes parameters in the URL; post passes them in the body of the request.
 
Tim Holloway
Saloon Keeper
Posts: 18226
I VERY STRONGLY urge you NOT to pass user IDs and passwords to the client system. There are any number of simple tools out there (including the "view source" browser option) that can be used to find out what they are and cause mischief. You're better off keeping these items as session variables so that they never leave the server.
 
Madhav Lakkapragada
Ranch Hand
Posts: 5040
Tim:
I agree with you 100%. Also, if you have observed something here...
"my url i am passing the username and password for the database"
I may be guessing, but once these are known, I think it would also be possible to write a JDBC program to access the DB.
Am I right?
(Technically speaking, not that I would attempt it....)
- satya
 
Kameswari Jyosyula
Ranch Hand
Posts: 39
Right guys,
I share your concern regarding the client being able to access the DB. So what we did is a sort of workaround: we created a DB with guest as user and pwd and gave that user very limited privileges, and also the new DB has nothing sensitive. Thus we avoided the userid and pwd of the DB itself. Of course we are using the post method.
Thanks
 
Madhav Lakkapragada
Ranch Hand
Posts: 5040
"ofcourse we are using the post method"
FYI... there is still a possibility of looking up the uname and passwd if you are sending it to the client, say via view source. Even hidden fields can be seen.
Regards.
- satya
 
Tim Holloway
Saloon Keeper
Posts: 18226
"I maybe guessing, but once these are known, I think it would also be possible to write a JDBC program to access the DB.
Am I right?"
Once you know the username and password, you can do anything you want in any language you want! Sure, JDBC applets get constrained by the Java sandbox, firewalls may intervene, the userID might have read-only privileges, but these are just details.
Actually, if the userID and password were really a special limited account just for the web browser, I'd just hard-code them into the JSP/Servlet and never send them out or store them at all! Why bother if the actual user's ID is immaterial?
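Tim's point of keeping the report account entirely on the server, as an added example that is not code from any poster in this thread: the JSP link carries only a report alias (instead of user0= and password0=), and a small server-side class resolves that alias to credentials held in a properties file that the browser never sees. The property keys, the "sales" alias and the JDBC URL are constructed for the example.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;

/**
 * Server-side lookup of the database account a report should use.
 * The page only ever renders the alias; the real user/password stay here.
 */
public class ReportCredentials {

    /** Constructed stand-in for a reports.properties file kept on the server. */
    private static final String SAMPLE_CONFIG =
          "report.sales.url=jdbc:example://db-host/reports\n"   // hypothetical JDBC URL
        + "report.sales.user=guest\n"
        + "report.sales.password=guest\n";

    private final Properties config = new Properties();

    public ReportCredentials(String propertiesText) throws IOException {
        config.load(new StringReader(propertiesText));
    }

    /**
     * Maps a report alias from the request to {url, user, password},
     * or returns null when the alias is malformed or not configured.
     * Only aliases present in the server config are accepted, so the
     * client cannot name arbitrary databases or accounts.
     */
    public String[] resolve(String alias) {
        if (alias == null || !alias.matches("[A-Za-z0-9_]+")) return null;
        String url  = config.getProperty("report." + alias + ".url");
        String user = config.getProperty("report." + alias + ".user");
        String pwd  = config.getProperty("report." + alias + ".password");
        if (url == null || user == null || pwd == null) return null;
        return new String[] { url, user, pwd };   // hand to DriverManager.getConnection(url, user, pwd)
    }

    /** The only thing the JSP should write into the link: the alias, never credentials. */
    public static String reportLink(String alias) {
        return "/report?name=" + alias;   // e.g. <a href="<%= ReportCredentials.reportLink("sales") %>">
    }

    public static void main(String[] args) throws IOException {
        ReportCredentials creds = new ReportCredentials(SAMPLE_CONFIG);
        System.out.println(reportLink("sales"));                    // no user0=/password0= in the URL
        String[] c = creds.resolve("sales");
        System.out.println(c == null ? "unknown report" : "connect as " + c[1] + " to " + c[0]);
        System.out.println(creds.resolve("../other") == null);      // rejected alias -> true
    }
}
```

The servlet behind /report reads only the name parameter, calls resolve(), and opens the connection itself, so view source on the JSP shows nothing but the alias.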
 