Encryption of Form Parameters
This feature allows the values that are passed into a form as parameters to be secured by adding an additional encrypted field. For example, to pass a customer id into a form, you might build a URL as follows.
www.yourdomain.com/ebase/CustomerMaintenance.eb?CUSTOMER_ID=34567123
This might be passed to an end user in an email message, or invoked from a menu system as a URL. In either case, it is important that the value of customer id cannot be changed so the end user can only display and maintain their own details and cannot view or change another customer's details.
This is achieved by declaring that the CUSTOMER_ID is an encrypted parameter. (Encryption is an option in the field properties dialog.) The URL is then constructed using an additional parameter CUSTOMER_ID_ACCESSKEY:
www.yourdomain.com/ebase/CustomerMaintenance.eb?CUSTOMER_ID=34567123&CUSTOMER_ID_ACCESSKEY=0sdfsdf7543
The name of the additional parameter is the parameter field
name plus _ACCESSKEY. To use encrypted parameters you must generate this
additional parameter and the encrypted value. The example below shows passing
control to a different form with an encrypted customer id parameter:
FPL:

    // Use the getufskey() function to encrypt the value
    set ENCRYPTED_VALUE = getufskey(tostring(CUSTID));
    goto form ACCESS_TEST2 CUSTOMER_ID = CUSTID, CUSTOMER_ID_ACCESSKEY = ENCRYPTED_VALUE;

API based language (Javascript):

    var encryptedValue = EncryptionServices.encrypt(fields.CUSTID.value);
    var parms = {};
    parms.CUSTOMER_ID = fields.CUSTID.value;
    parms.CUSTOMER_ID_ACCESSKEY = encryptedValue;
    form.gotoForm("ACCESS_TEST2", parms);

When a form with an encrypted parameter is started, the system checks that the encrypted parameter (i.e. the field name plus _ACCESSKEY) exists and that the value is correct. If this check fails, an error is displayed to the end user. By default this error will be:
"A security error has occurred"
This message can be changed if required by changing system texts 300 and 310. These texts correspond to
XXX_ACCESSKEY not found, and encryption comparison failed, respectively.
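
The start-up check described above, sketched as an added Node.js example (not Ebase code, and not part of the original page). The page does not say how getufskey() or EncryptionServices.encrypt() derive the key, so an HMAC-SHA256 over the field name and value with a constructed server secret stands in for it; accessKeyFor, buildQuery and checkParameter are hypothetical names.

```javascript
const crypto = require("crypto");

// Constructed demo secret; assumption: the real product keeps its own server-side secret.
const SERVER_SECRET = "constructed-demo-secret";
const SUFFIX = "_ACCESSKEY"; // naming rule from the page: field name plus _ACCESSKEY

// Hypothetical stand-in for key generation: HMAC over "NAME=value".
// Including the field name stops a key issued for one field being reused on another.
function accessKeyFor(name, value) {
  return crypto.createHmac("sha256", SERVER_SECRET)
    .update(name + "=" + value)
    .digest("hex");
}

// Build the query string carrying the value and its access key.
function buildQuery(name, value) {
  const q = new URLSearchParams();
  q.set(name, value);
  q.set(name + SUFFIX, accessKeyFor(name, value));
  return q.toString();
}

// Check run when the form starts. Returns "ok", "key-not-found"
// (the case system text 300 covers) or "key-mismatch" (system text 310).
function checkParameter(query, name) {
  const q = new URLSearchParams(query);
  const supplied = q.get(name + SUFFIX);
  if (supplied === null) return "key-not-found";
  const expected = Buffer.from(accessKeyFor(name, q.get(name) || ""));
  const given = Buffer.from(supplied);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return "key-mismatch";
  }
  return "ok";
}

// Constructed sample requests: untouched, value edited by the recipient, key stripped.
const good = buildQuery("CUSTOMER_ID", "34567123");
const tampered = good.replace("34567123", "34567124");
const stripped = "CUSTOMER_ID=34567123";
for (const [label, query] of [["good", good], ["tampered", tampered], ["stripped", stripped]]) {
  console.log(label, "->", checkParameter(query, "CUSTOMER_ID"));
}
```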