
Best way to pass parameters


  • #16
    Originally posted by Giu
    Can you explain what security problems you see?
    With the global variable construct, any code can use the data stored in the variable any way it wants regardless of scope or reason. Access rules can be broken and the data can be invalidated by a reckless write. Unverified access means untrustworthy data. If I'm working on a business intelligence app this can be a problem because I need all the data to be "sure"...



    • #17
      Originally posted by aducom
      SC is over 10 years old and it needs freshening up here and there. I guess they don't want the risk of breaking code. Not in their own code, nor in the generated code. But your explanation makes sense. In certain situations you will see that changing a global variable does not update the data in the source application and that you need to refresh. I use the sc_redir with the passed variables then. I found that strange, but over time you get used to it and you simply do it that way and don't think about it again. David has a point there.

      I know that updating the code will surely cause inconsistencies in apps, but I think that in 2015 some behaviors are unacceptable... the massive use of iframes, the massive use of global vars, the lack of HTML5/CSS3 and responsiveness in templates... Also the non-"open source" policy is a problem for me... In Italian Public Administrations we are abandoning the current infrastructure because it is not open source... but in our structure there are a lot of non-programmers coming from Oracle Forms... needing to migrate them into the "new age", Scriptcase is a good way... It generates PHP and works on Apache (even though we still use Oracle DB in our projects), but if I want to correct a bug or extend something there are a lot of limits (the lack of third-party plugins is also a limit that, if removed, could surely expand the possible users of Scriptcase)
      Saying this, I don't want to criticize Scriptcase; the product, with its limits, has a lot of good points... but it just needs an "improvement"... because it is surely valid but it can become better...



      • #18
        Yes, I recognize the open source discussion, we have that here too. But that said, I have loads of samples which cause open source projects to be overpriced compared to commercial apps. If you use open source, you need to have the intention to put some time into it to improve, and most users of these apps are just consuming. With problems they simply have to wait for fixes from the community; there's no company that can be addressed.

        I don't mind that SC is closed source, but I would welcome it if the templates used for generating code were more open so that the community would be able to fix issues. We have found issues in the generated code, applied fixes to SC and found that they did not use the code but solved it a different (and in our case bad) way. They have a small team, any help would be helpful IMHO.

        But you cannot completely redesign an application over 10 years old. Responsive design, CSS3, HTML5 are all new developments and it will take time to integrate that into SC. I know that they are working on that, but if you don't want to break code you have a problem. You don't have happy users if you break the code and users must fully redo their application.

        Regarding security, I see it differently than you. Any code can use... well, you are the designer and you are responsible for the code on the server. It's only a problem when things get hacked, but then again you have other issues at hand. If needed you can put the code through NuSphere's or Zend's obfuscator; the code will even run faster too. I don't see the danger of having iframes, lots of globals etc. But that doesn't mean that I wouldn't love to see divs instead of iframes and another way of dealing with globals.
        Last edited by aducom; 01-28-2015, 07:02 AM.
        Albert Drent
        aducom software netherlands
        scriptcase partner, reseller, support and (turn-key) development
        www.scriptcase.eu / www.scriptcase.nl



        • #19
          Originally posted by aducom
          Regarding security, I see it differently than you. Any code can use... well, you are the designer and you are responsible for the code on the server.
          If you work in a structure with 100 developers, with a lot of external sources, this IS a big problem...

          Originally posted by aducom
          I don't see the danger of having iframes, lots of globals etc. But that doesn't mean that I wouldn't love to see divs instead of iframes and another way of dealing with globals.
          If you must respect accessibility in your apps, iframes ARE a big problem...



          • #20
            Originally posted by insecta
            If you work in a structure with 100 developers, with a lot of external sources, this IS a big problem...
            But ScriptCase is not a tool for a structure of 100 devs. A structure of 100 devs doesn't need a RAD, and any RAD fits on this structure.


            If you must respect accessibility in your apps, iframes ARE a big problem...
            You are right here. Maybe on V9, who knows.
            /Giuseppe

            Professional Scriptcase Services
            Some Customers opinions



            • #21
              Originally posted by Giu
              But ScriptCase is not a tool for a structure of 100 devs. A structure of 100 devs doesn't need a RAD, and any RAD fits on this structure.
              You are right here. Maybe on V9, who knows.
              In a structure of 100 devs it's virtually impossible to control the quality of coding. Every chain is as strong as the weakest link. Vulnerabilities are found in almost every product, even in the most popular CMSs. Using a generator could be an advantage as you have sight on the weak points. But to the end user, I don't know. I still don't see that as a security risk.
              Albert Drent
              aducom software netherlands
              scriptcase partner, reseller, support and (turn-key) development
              www.scriptcase.eu / www.scriptcase.nl



              • #22
                Originally posted by Giu
                But ScriptCase is not a tool for a structure of 100 devs. A structure of 100 devs doesn't need a RAD, and any RAD fits on this structure.
                I know this... but if in this structure there are 99 developers who know only PL/SQL and Oracle Forms and 1 who knows PHP, and if they prohibit you from writing code (almost impossible even with Scriptcase, but close) and using a framework, Scriptcase is the right tool...



                • #23
                  Apropos global variables ... I use them only in this way:

                  Code:
                  ...
                  $_SESSION['app']['clipboard'] = ""; // http://kis.office.mydomain.de/kis/ablage/
                  $_SESSION['app']['d3_scan']   = ""; // http://kis.office.mydomain.de/kis/ablage/D3_scan/
                  
                  
                  $_SESSION['user']['id'] = 0;
                  ...
                  Then in my apps, like so:

                  Code:
                  $user_id = $_SESSION['user']['id'];
                  
                  if ($user_id > 0) 
                  ...
                  I have no problem with apps not knowing the content of the session variable.
                  Best regards: - Reinhard -

                  I use ScriptCase 8 Enterprise Edition, Version 8.(latest)



                  • #24
                    If you are so afraid of hacking you should add a global variable that (for example) holds the concatenated string of the global/get variables you want to protect in an encrypted string. Then when you enter the form simply check the variables with the encrypted string and you are done. If someone hacks an input variable then the encrypted string is no longer correct and you can immediately jump to some screen with an alert or send a mail or whatever.
                    I think it only takes a few lines of code for each form.
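
The check described in post #24, as an added example that is not part of the original thread and not ScriptCase's own code. It swaps the "encrypted string" for a keyed HMAC and plain concatenation for JSON, so that value boundaries cannot be shifted between parameters; the function names, parameter names and key handling are assumptions.

```php
<?php
// Added example: all names here are hypothetical, not ScriptCase APIs.

/** Compute an integrity tag over the protected parameters. */
function sign_params(array $params, string $key): string
{
    // GET values arrive as strings, so normalise before signing.
    $params = array_map('strval', $params);
    ksort($params); // canonical order, independent of how the link was built
    // JSON keeps name/value boundaries; with plain concatenation
    // ("ab","c") and ("a","bc") would yield the same string.
    $canonical = json_encode($params, JSON_THROW_ON_ERROR);
    return hash_hmac('sha256', $canonical, $key);
}

/** Recompute the tag on form entry and compare in constant time. */
function verify_params(array $params, string $tag, string $key): bool
{
    return hash_equals(sign_params($params, $key), $tag);
}

// Constructed demo values. In a real app the key is one fixed secret
// kept in server-side configuration, never sent to the browser.
$key = random_bytes(32);

// Calling app: sign what it passes on, keep the tag with the parameters.
$sent = ['customer_id' => 1042, 'mode' => 'view'];
$tag  = sign_params($sent, $key);

// Receiving form: the same values, as strings and in another order.
$received = ['mode' => 'view', 'customer_id' => '1042'];
var_dump(verify_params($received, $tag, $key));

// One value changed in transit: the tag no longer matches.
$tampered = ['mode' => 'view', 'customer_id' => '1043'];
var_dump(verify_params($tampered, $tag, $key));

// Boundary shift that plain concatenation would not detect.
$tag2 = sign_params(['a' => 'ab', 'b' => 'c'], $key);
var_dump(verify_params(['a' => 'a', 'b' => 'bc'], $tag2, $key));

if (!verify_params($tampered, $tag, $key)) {
    // Reject the request here: show an alert page, log it, or send a mail.
    error_log('parameter integrity check failed');
}
```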
