I am trying to give a link to a crystal report in my jsp file.The crystal report accesses a database.Hence in my url i am passing the username and password for the database.(different from the user loign)ex: http://myurl.com?user0=myuser&password0=mypwd I don't want the user to see this.Is there any other way of passing this data(say put them in cfg file and call them in this url). like user0=mybean etc If not is there any way of disabling the user from seeing the userid and password?(both when the user points the mouse on the link and when the view source is selected from the browser menu) TIA
Hi, I think U R using get method(<form method=get> )that'swhy U see the userid and password.U'll use post method then U can't see the userid and password. <form method=post action=""> .... If I'm wrong ..correct me
I VERY STRONGLY urge you NOT to pass user IDs and passwords to the client system. There are any number of simple tools out there (including the "view source" browser option) that can be used to find out what they are and cause mischief. You're better off keeping these items as session variables so that they never leave the server.
An IDE is no substitute for an Intelligent Developer.
Tim: I agree with you 100 %. Also, if you have observed something here... my url i am passing the username and password for the database I maybe guessing, but once these are known, I think it would also be possible to write a JDBC program to access the DB. Am I right? (Technically speaking, not that I would attempt it.... ) - satya
right guys, i share ur concern regd the client being able to access the db.So what we did is a sort of workaround - we created a db with guest as user and pwd and and gve that user very limited privileges and also the new db has nothing sensitive.thus avoided the userid and pwd of the db itself.ofcourse we are using the post method thanks
Joined: Jun 03, 2000
ofcourse we are using the post method FYI... still there is a possibility of looking up the uname and passwd if you are sending it to the client say view source. Even Hidden fields can be seen. regds. - satya
"I maybe guessing, but once these are known, I think it would also be possible to write a JDBC program to access the DB. Am I right?" Once you know the username and password, you can do anything you want in any language you want! Sure jdbc applets get constrained by the Java sandbox, firewalls may intervene, the userID might have read-only privileges, but these are just details. Actually, if the userID and password were really a special limited account just for the web browser, I'd just hard-code them into the JSP/Servlet and never send them out or store them at all! Why bother if the actual user's ID is immaterial?