Talk:A Simple RESTful Service

From DataFlex Wiki
Revision as of 13:11, 7 August 2019 by Mikepeat (talk | contribs) (Copying Wil's comments to the split-up version)

Details on the security issue in the example code

The example code A simple API has a function UpdateCustomerFromJson which is used to update the customer table directly from json.

It is a great example of what can be done and, as it is an example, it is important to keep the code brief and easy to read. However, as it enumerates fields from the json for finding columns in your table via field_map, it displays a dangerous practice that should _not_ be used in live code.

You should realize that a malicious user with the ability to change the json can, thanks to the column matching logic, change other columns in that same table.

Columns not intended to be updated via the REST API are suddenly open for change as well.

Wil (talk) 10:32, 27 July 2019 (UTC)
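The following is an added illustration of the column-matching problem Wil describes above; it is not code from the DataFlex wiki example, from the DataFlex product, or from Wil's comment. It is written in Python as a language-neutral sketch: a dict stands in for a customer table record, the column names (`credit_limit`, `account_status`), the `UPDATABLE_COLUMNS` allowlist and the request bodies are all constructed for the example. The first function mirrors the risky pattern (every JSON key that matches a column name is written to the row); the second only accepts columns on an explicit allowlist and reports anything else instead of silently applying it.

```python
# Added example (not from the DataFlex wiki or Wil's comment): a
# language-neutral sketch of updating a table row from JSON by column name.
import json

# Constructed sample record standing in for one row of a customer table.
# "credit_limit" and "account_status" are hypothetical columns that a REST
# client should never be able to change.
CUSTOMER_ROW = {
    "customer_number": 42,
    "name": "Acme Ltd",
    "address": "1 Main St",
    "credit_limit": 1000,
    "account_status": "normal",
}

# Hypothetical allowlist: the only columns a REST client may update.
UPDATABLE_COLUMNS = frozenset({"name", "address"})


def update_by_enumeration(row, body):
    """Risky pattern: every JSON key that matches a column name is written
    to the row (a field_map-style lookup). Returns an updated copy."""
    updated = dict(row)
    for field, value in json.loads(body).items():
        if field in updated:  # any existing column is fair game
            updated[field] = value
    return updated


def update_with_allowlist(row, body):
    """Hardened variant: only allowlisted columns are written. Any other
    key in the request is reported by raising, not silently applied."""
    payload = json.loads(body)
    rejected = sorted(set(payload) - UPDATABLE_COLUMNS)
    if rejected:
        raise ValueError(f"disallowed columns in request: {rejected}")
    updated = dict(row)
    for field in UPDATABLE_COLUMNS & set(payload):
        updated[field] = payload[field]
    return updated


# Constructed requests: a plain address change, and the same change padded
# with columns the client was never meant to touch.
CLEAN_BODY = json.dumps({"address": "2 Side St"})
TAMPERED_BODY = json.dumps({
    "address": "2 Side St",
    "credit_limit": 10_000_000,
    "account_status": "vip",
})

if __name__ == "__main__":
    # The enumerating version quietly overwrites credit_limit and account_status.
    print(update_by_enumeration(CUSTOMER_ROW, TAMPERED_BODY))
    # The allowlisted version refuses the whole request and names the columns.
    try:
        update_with_allowlist(CUSTOMER_ROW, TAMPERED_BODY)
    except ValueError as exc:
        print("rejected:", exc)
    print(update_with_allowlist(CUSTOMER_ROW, CLEAN_BODY))
```

Rejecting the request outright (rather than dropping the extra keys and proceeding) is a deliberate choice: a request that names columns outside the allowlist is either a client bug or tampering, and either way it is worth logging rather than partially honouring.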