How timely! I've been working on this exact issue all of last week, and hope
to finish it off today. Basically, from what I see, nope, there ain't no way
to avoid passing the URL parameter in order to get a specific return from a
Crystal Reports report.
What I've done instead is the less-than-best, but better-than-nuthin'
approach of security by obscurity. I'm using MS SQL 7 (so far, Cache' is
coming...), so I created a 'view' of one of my database tables (a 'view' is
like an alias), and named it a bunch of gibberish characters. In my db
table, I have a table called "uid", which has a UUID for every record (hence
my experiment with UUIDs as seen in a separate thread).
SoOoOo, in my URL string pointing to Crystal Reports, instead of having
www.foo.com/thisreport.rpt?sf={users.id}=1
I now have:
www.foo.com/thisreport.rpt?sf={lkjcoiu208bh2xchjs.uid}=3B484C5D-2B48-028B-028B-02CF90A2CEA2F773
It's pretty obscure, and will defeat casual URL noodlers. It is pretty silly,
though, that CR expects you to pass raw SQL query strings in the URL. Not to
mention, you can also pass usernames and passwords for ODBC user
authentication. How secure...
Alan McCollough
Web Programmer
Allaire Certified ColdFusion Developer
Alaska Native Medical Center
> -----Original Message-----
> From: Joseph Higgins [SMTP:[EMAIL PROTECTED]]
> Sent: Saturday, December 16, 2000 9:11 PM
> To: Fusebox
> Subject: Re: <CfReport>
>
> It may be time to upgrade. Crystal 8 is wonderful. Speaking of this OT
> thing. Does anyone have a scheme to hide the crystal reports URL request
> in the fusebox architecture?
>
> The URL request could look like this:
> http://www.myserver.com/fuse/index.cfm?sf={user.type}#URLEncodedFormat("=1")#
>
> I do not want people to mess with the URL parameters. I thought about
> hiding it in a frames page for simple users, but it is not secure at all.
> Any suggestions?
>
>
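An added example, not code from either poster or from Crystal Reports: one way to make the report link tamper-evident instead of obscure is to have the front controller sign the record id and build the `sf=` selection formula itself from an allow-list. It is written in Python for illustration and assumes the report server is reachable only through that controller; the key, parameter names (`report`, `id`, `exp`, `sig`) and function names are hypothetical.

```python
import hashlib
import hmac

# Constructed values for illustration; the key must exist only on the server.
SECRET_KEY = b"constructed-demo-key-not-for-production"
# Allow-list: report name -> the one field its selection formula may filter on.
REPORT_FIELDS = {"thisreport.rpt": "users.id"}


def _mac(report: str, record_id: str, expires: int) -> str:
    msg = f"{report}|{record_id}|{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_link(report: str, record_id: int, now: int, ttl: int = 300) -> str:
    """Build the query string the front controller hands to the browser."""
    expires = now + ttl
    sig = _mac(report, str(record_id), expires)
    return f"report={report}&id={record_id}&exp={expires}&sig={sig}"


def selection_formula(params: dict, now: int) -> str:
    """Verify a request and build the sf= value server-side, or raise."""
    report = params.get("report", "")
    record_id = params.get("id", "")
    field = REPORT_FIELDS.get(report)
    if field is None:
        raise PermissionError("unknown report")
    # Reject anything that is not a plain integer before it nears a formula.
    if not (record_id.isascii() and record_id.isdigit()):
        raise PermissionError("id is not a plain integer")
    try:
        expires = int(params.get("exp", ""))
    except ValueError:
        raise PermissionError("bad expiry") from None
    expected = _mac(report, record_id, expires).encode()
    supplied = params.get("sig", "").encode()
    # Constant-time comparison of the expected and supplied signatures.
    if not hmac.compare_digest(expected, supplied):
        raise PermissionError("signature mismatch")
    if now > expires:
        raise PermissionError("link expired")
    # Formula text comes from the allow-list, never from the request.
    return "{" + field + "}=" + record_id
```

The browser never sees or supplies formula text, so editing `id` in the URL invalidates the signature rather than selecting a different record.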