Search...
FAQs Subscribe
Pie
FAQs
Recent topics Flagged topics Hot topics Best topics
Search...
Search within Servlets Search Coderanch
Advance search Google search
Register / Login
granny advertise on coderanch thread boost book review grid polymorphism
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
book review grid meaningless drivel thread boost building better world book advertise on coderanch
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

how to bypass url parameters?

 
Kameswari Jyosyula
Ranch Hand
Posts: 39
posted 22 years ago
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
    Send
  • Quote
  • Report post to moderator
I am trying to give a link to a crystal report in my jsp file.The crystal report accesses a database.Hence in my url i am passing the username and password for the database.(different from the user loign)ex: http://myurl.com?user0=myuser&password0=mypwd
I don't want the user to see this.Is there any other way of passing this data(say put them in cfg file and call them in this url). like user0=mybean etc
If not is there any way of disabling the user from seeing the userid and password?(both when the user points the mouse on the link and when the view source is selected from the browser menu)
TIA
 
sanj singh
Ranch Hand
Posts: 129
posted 22 years ago
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
    Send
  • Quote
  • Report post to moderator
try setting them as attributes of the session
 
DAYANAND BURAMSHETTY
Ranch Hand
Posts: 34
posted 22 years ago
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
    Send
  • Quote
  • Report post to moderator
Hi,
I think U R using get method(<form method=get> )that'swhy
U see the userid and password.U'll use post method then
U can't see the userid and password.
<form method=post action="">
....
If I'm wrong ..correct me

Dil se....,<BR>Dayanand<BR>0065-8839071(off)<BR>0065-7547034(Res0

 
Randall Twede
Ranch Hand
Posts: 4716
9
I like...
Scala Java
posted 22 years ago
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
    Send
  • Quote
  • Report post to moderator
i agree the problem is you are doing a "get" rather than a "post"
get passes parameters in the url post passes them in the body of the request

SCJP
Visit my download page

 
Tim Holloway
Saloon Keeper
Posts: 27807
196
I like...
Android Eclipse IDE Tomcat Server Redhat Java Linux
posted 22 years ago
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
    Send
  • Quote
  • Report post to moderator
I VERY STRONGLY urge you NOT to pass user IDs and passwords to the client system. There are any number of simple tools out there (including the "view source" browser option) that can be used to find out what they are and cause mischief. You're better off keeping these items as session variables so that they never leave the server.

The secret of how to be miserable is to constantly expect things are going to happen the way that they are "supposed" to happen.

You can have faith, which carries the understanding that you may be disappointed. Then there's being a willfully-blind idiot, which virtually guarantees it.

 
Madhav Lakkapragada
Ranch Hand
Posts: 5040
posted 22 years ago
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
    Send
  • Quote
  • Report post to moderator

Tim:
I agree with you 100 %. Also, if you have observed something here...
my url i am passing the username and password for the database
I maybe guessing, but once these are known, I think it would also be possible to write a JDBC program to access the DB.
Am I right?
(Technically speaking, not that I would attempt it.... )
- satya

Take a Minute, Donate an Hour, Change a Life
http://www.ashanet.org/workanhour/2006/?r=Javaranch_ML&a=81

 
Kameswari Jyosyula
Ranch Hand
Posts: 39
posted 22 years ago
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
    Send
  • Quote
  • Report post to moderator
right guys,
i share ur concern regd the client being able to access the db.So what we did is a sort of workaround - we created a db with guest as user and pwd and and gve that user very limited privileges and also the new db has nothing sensitive.thus avoided the userid and pwd of the db itself.ofcourse we are using the post method
thanks
 
Madhav Lakkapragada
Ranch Hand
Posts: 5040
posted 22 years ago
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
    Send
  • Quote
  • Report post to moderator
ofcourse we are using the post method
FYI...
still there is a possibility of looking up
the uname and passwd if you are sending it
to the client say view source. Even
Hidden fields can be seen.
regds.
- satya

Take a Minute, Donate an Hour, Change a Life
http://www.ashanet.org/workanhour/2006/?r=Javaranch_ML&a=81

 
Tim Holloway
Saloon Keeper
Posts: 27807
196
I like...
Android Eclipse IDE Tomcat Server Redhat Java Linux
posted 22 years ago
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
    Send
  • Quote
  • Report post to moderator
"I maybe guessing, but once these are known, I think it would also be possible to write a JDBC program to access the DB.
Am I right?"
Once you know the username and password, you can do anything you want in any language you want! Sure jdbc applets get constrained by the Java sandbox, firewalls may intervene, the userID might have read-only privileges, but these are just details.
Actually, if the userID and password were really a special limited account just for the web browser, I'd just hard-code them into the JSP/Servlet and never send them out or store them at all! Why bother if the actual user's ID is immaterial?

The secret of how to be miserable is to constantly expect things are going to happen the way that they are "supposed" to happen.

You can have faith, which carries the understanding that you may be disappointed. Then there's being a willfully-blind idiot, which virtually guarantees it.

 
Whatever you say buddy! And I believe this tiny ad too:
a bit of art, as a gift, that will fit in a stocking
https://gardener-gift.com
reply
reply
    Bookmark Topic Watch Topic
  • New Topic
Boost this thread!
Similar Threads
More...