Talk:A Simple RESTful Service: Difference between revisions
From DataFlex Wiki
Copying Wil's comments to the split-up version
m Mikepeat moved page Talk:A Simple RESTFul Service to Talk:A Simple RESTful Service without leaving a redirect: Typo
Latest revision as of 13:14, 7 August 2019
Details on the security issue in the example code
The example code A simple API has a function UpdateCustomerFromJson, which is used to update the customer table directly from JSON.
It is a great example of what can be done and, as it is an example, it is important to keep the code brief and easy to read. However, as it enumerates fields from the JSON for finding columns in your table via field_map, it displays a dangerous practice that should _not_ be used in live code.
You should realize that a malicious user with the ability to change the JSON can, thanks to the column matching logic, change other columns in that same table.
Columns not intended to be updated via the REST API are suddenly open for change as well.
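As an added illustration (not code from the wiki or from the DataFlex example), here is a Python stand-in for the pattern described above: the first updater writes any JSON key that matches a real column of the table, which is what the field_map lookup amounts to, and the second replaces that lookup with an explicit allowlist and rejects everything else. The table, column names and client payload are constructed for the example.

```python
import json
import sqlite3

# Constructed stand-in for the Customer table; only name and email are meant
# to be editable through the REST API, credit_limit is not.
API_EDITABLE_COLUMNS = ("name", "email")
# Constructed client payload that carries a column the API never exposed.
PAYLOAD = '{"name": "Ann B", "credit_limit": 999999}'

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT,"
                " email TEXT, credit_limit INTEGER)")
    con.execute("INSERT INTO customer VALUES (1, 'Ann', 'ann@example.test', 500)")
    return con

def table_columns(con):
    # Plays the role of field_map: every column the table really has.
    return [row[1] for row in con.execute("PRAGMA table_info(customer)")]

def apply_update(con, cust_id, data, cols):
    # Column names come from the schema or the allowlist; values are bound.
    if cols:
        assignments = ", ".join(f"{c} = ?" for c in cols)
        con.execute(f"UPDATE customer SET {assignments} WHERE id = ?",
                    [data[c] for c in cols] + [cust_id])
    return cols

def update_customer_from_json_mapped(con, cust_id, payload):
    """Mirrors the wiki example's pattern: any JSON key matching a real column
    is written. Not SQL injection (values are bound); the defect is mass
    assignment of columns the API never intended to expose."""
    data = json.loads(payload)
    return apply_update(con, cust_id, data, [k for k in data if k in table_columns(con)])

def update_customer_from_json_allowlisted(con, cust_id, payload):
    """Hardened form: JSON keys are checked against an explicit allowlist, and
    any key outside it is rejected rather than matched against the table."""
    data = json.loads(payload)
    unexpected = sorted(set(data) - set(API_EDITABLE_COLUMNS))
    if unexpected:
        raise ValueError(f"fields not updatable via the API: {unexpected}")
    return apply_update(con, cust_id, data, [c for c in API_EDITABLE_COLUMNS if c in data])

def credit_limit(con, cust_id):
    return con.execute("SELECT credit_limit FROM customer WHERE id = ?",
                       (cust_id,)).fetchone()[0]
```

Running both updaters against the same payload shows the mapped version silently changing credit_limit while the allowlisted version refuses the request and leaves the row untouched.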