Messages 31 to 40 of 41 total
Thread: 1000 Databases With 64 Datasets Each Crashes The EWB Server
Sun, Aug 12 2018 11:28 AM

Frederick Chin

Hi Ronald,

/*
You can not create a database this way. This is not thread safe. You need to read this:

https://www.elevatesoft.com/manual?action=viewtopic&id=dbisam4&product=delphi&version=5&topic=multi_threaded_applications

In my apps I have set name of the database encrypted in the query that I give to the customer so the client knows which database to use. In the actual call to the server the name is visible of course, but that is not a security issue because you need to be authenticated before you can
*/

Thanks for the reference and pointers. These will be useful when I try it again.

--
Frederick
Sun, Aug 12 2018 3:26 PM

Tim Young [Elevate Software]

Elevate Software, Inc.

Email timyoung@elevatesoft.com

Frederick,

<< It is from the client side. If you are saying that the web module needs to be written so that the data from a different database is passed back to the EWB client, it is going to be a huge job with the 64 datasets I have currently

If it is simpler, examples would be appreciated. >>

One of the parameters that is included with every database request is the "database" parameter:

https://www.elevatesoft.com/manual?action=viewtopic&id=ewb2&topic=API_Reference

Given this information, you can (relatively) easily construct a web server module that allows the TEWBDatabaseAdapter.HandleRequest method to do most of the heavy lifting and just asks you for various bits of information at the correct time:

https://www.elevatesoft.com/manual?action=viewmethod&id=ewb2mod&product=rsdelphiwin32&version=10T&comp=TEWBDatabaseAdapter&method=HandleRequest

I say "relatively" because you *do* need to define all 64 of your datasets as regular TDataSet instances (TDBISAMTable/TDBISAMQuery instances if using DBISAM) on the web server module along with a TEWBDataSetAdapter instance for each, but you can also handle them programmatically if you don't want to drop that many components on the web server module.  However, apart from setting up the database/datasets, there isn't much else to do - the HandleRequest method does pretty much everything for you.

<< Don't tease us already. Release it next week! Smile>>

I know, it's taking forever.  However, just remember that every bit of extra coding I'm doing will result in less work for yourself.

Tim Young
Elevate Software
www.elevatesoft.com
Sun, Aug 12 2018 7:00 PM

Frederick Chin

Tim,

Thanks for the reference links.

/*
I know, it's taking forever.  However, just remember that every bit of extra coding I'm doing will result in less work for yourself.
*/

That's true but I believe the value of your extraordinary work diminishes exponentially as the length of time before they are seen increases.

--
Frederick
Mon, Aug 13 2018 7:53 AM

Matthew Jones

Ronald wrote:

> cCustomerID:=Request.RequestParams.Values['customerid'];
>       LocalDatabase.Directory:='c:\datalist\db'+cCustomerID;

I hope that there is better validation than that - both at a validity level, and an account level. If I can put '../../blah' in there, then I'm anywhere on your disk, including other customers' data. But given you are at the "how can I get this working at all stage", I'm sure you will add more to it later.


--

Matthew Jones
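
The validation Matthew asks for above can be done by allow-listing the ID format and then confirming the resolved path still sits under the base directory. This is an added example, not code from the thread; `IsValidCustomerID`, `CustomerDirectory` and the 1-10 digit ID format are assumptions, and `c:\datalist` comes from the quoted snippet.

```delphi
program CustomerDirCheck;
{$APPTYPE CONSOLE}
uses
  System.SysUtils, System.StrUtils;

const
  BaseDir = 'c:\datalist';  // base directory from the quoted snippet

// Hypothetical helper: True only for 1-10 ASCII digits (assumed ID format).
function IsValidCustomerID(const ID: string): Boolean;
var
  C: Char;
begin
  Result := (Length(ID) >= 1) and (Length(ID) <= 10);
  if Result then
    for C in ID do
      if not CharInSet(C, ['0'..'9']) then
        Exit(False);
end;

// Hypothetical helper: maps an ID to its database directory, or raises.
function CustomerDirectory(const ID: string): string;
var
  Root: string;
begin
  if not IsValidCustomerID(ID) then
    raise EArgumentException.Create('Invalid customer id');
  Root := IncludeTrailingPathDelimiter(ExpandFileName(BaseDir));
  Result := ExpandFileName(Root + 'db' + ID);
  // Defence in depth: the resolved path must still sit under the base.
  if not StartsText(Root, IncludeTrailingPathDelimiter(Result)) then
    raise EArgumentException.Create('Path escapes base directory');
end;

const
  // Constructed sample inputs: two well-formed IDs, two traversal attempts.
  Samples: array[0..3] of string = ('001', '42', '..\..\blah', '1/../2');
var
  S: string;
begin
  for S in Samples do
    try
      Writeln(S, ' -> ', CustomerDirectory(S));
    except
      on E: EArgumentException do
        Writeln(S, ' -> rejected: ', E.Message);
    end;
end.
```

Format validation covers only the validity half of the point; the account half needs the requested ID compared against the customer ID recorded server-side for the authenticated session.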
Mon, Aug 13 2018 10:06 AM

Frederick Chin

"Matthew Jones" wrote:

/*
I hope that there is better validation than that - both at a validity level, and an account level. If I can put '../../blah' in there, then I'm anywhere on your disk, including other customers' data. But given you are at the "how can I get this working at all stage", I'm sure you will add more to it later.
*/

Would someone be able to decipher what is being communicated between the EWB app, EWB server and DLL even with a secure connection?

--
Frederick
Mon, Aug 13 2018 10:13 AM

Matthew Jones

Frederick Chin wrote:

> Would someone be able to decipher what is being communicated between the EWB app, EWB server and DLL even with a secure connection?

Of course. All there in full detail in the browser's debug window. Just press F12. And with that, I can make any other code look exactly the same, and try db001, db002, db003 etc. Hence the need for additional validation.

--

Matthew Jones
Mon, Aug 13 2018 11:42 AM

Ronald

"Matthew Jones" wrote:
<
I hope that there is better validation than that - both at a validity level, and an account level. If I can put '../../blah' in there, then I'm anywhere on your disk, including other customers' data. But given you are at the "how can I get this working at all stage", I'm sure you will add more to it later.
>
Hi Matthew,

If the user connects to the site, the server gets the name of the database from the query. Then the user must identify himself. If he is found in the database that was sent with the query, the user gets a unique token that is saved in his account. In all requests after the identification this token is sent to the server (in a cookie). So on every request I check if the token exists in the user database. If the user is found and his role corresponds with his request, the request is granted.

I have created a webservermodule that uses dbisam tables and based on the databasename, I connect my TSQLQuery to the correct directory and execute the correct sql script.

Greetings,
Ronald
Mon, Aug 13 2018 12:05 PM

Matthew Jones

Ronald wrote:

> gets a unique token

Sounds sensible - so long as that is a GUID or similar real complex thing rather than a simple integer or whatever.

--

Matthew Jones
Mon, Aug 13 2018 12:18 PM

Ronald

"Matthew Jones" wrote:
<
Sounds sensible - so long as that is a GUID or similar real complex thing rather than a simple integer or whatever.
>
Hi Matthew,

I use this:

Result:='M'+Pad(IntToStr(DayOf(Date)),2,'0')+
           Pad(IntToStr(MonthOf(Date)),2,'0')+
           Pad(IntToStr(YearOf(Date)),4,'0')+
           Pad(IntToStr(HourOf(Time)),2,'0')+
           Pad(IntToStr(MinuteOf(Time)),2,'0')+
           Pad(IntToStr(SecondOf(Time)),2,'0')+
           Pad(IntToStr(MSecondOf(Time)),4,'0')+
           Pad(IntToStr(Random(0,9999)),4,'0')+
           Pad(IntToStr(Random(0,9999)),4,'0')+
           Pad(IntToStr(Random(0,9999)),4,'0');

Greetings,
Ronald
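
Matthew's condition above is that the token be hard to guess. One way to meet it on Windows is to draw the token from the operating system's cryptographic random generator. This is an added example, not code from the thread; `NewSessionToken` and the 32-byte length are assumptions, while `BCryptGenRandom` is the Windows CNG API declared here by hand.

```delphi
program SessionToken;
{$APPTYPE CONSOLE}
uses
  System.SysUtils;

const
  // Use the system-preferred RNG; no algorithm handle is needed.
  BCRYPT_USE_SYSTEM_PREFERRED_RNG = $00000002;

// Windows CNG random generator (bcrypt.dll, Windows Vista and later).
function BCryptGenRandom(hAlgorithm: Pointer; pbBuffer: PByte;
  cbBuffer: Cardinal; dwFlags: Cardinal): Integer; stdcall;
  external 'bcrypt.dll';

// Hypothetical helper: returns ByteCount random bytes as lowercase hex.
function NewSessionToken(ByteCount: Integer = 32): string;
var
  Buf: TBytes;
  B: Byte;
begin
  if ByteCount < 16 then
    raise EArgumentException.Create('Token too short');
  SetLength(Buf, ByteCount);
  // The return value is an NTSTATUS: negative means failure. Fail closed
  // rather than falling back to a non-cryptographic generator.
  if BCryptGenRandom(nil, @Buf[0], Cardinal(ByteCount),
       BCRYPT_USE_SYSTEM_PREFERRED_RNG) < 0 then
    raise Exception.Create('BCryptGenRandom failed');
  Result := '';
  for B in Buf do
    Result := Result + IntToHex(B, 2);
  Result := LowerCase(Result);
end;

var
  A, B: string;
begin
  A := NewSessionToken;
  B := NewSessionToken;
  Writeln('token length: ', Length(A), ' hex characters');
  Writeln('two tokens differ: ', A <> B);
end.
```

The token carries no date, time or counter, so knowing when a user logged in gives no information about its value.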
Mon, Aug 13 2018 3:49 PM

Tim Young [Elevate Software]

Elevate Software, Inc.

Email timyoung@elevatesoft.com

Frederick,

<< That's true but I believe the value of your extraordinary work diminishes exponentially as the length of time before they are seen increases. >>

Well, I can only work so much and so fast and still have a life, so there have to be trade-offs.  There just isn't a lot of money in this market anymore, so I need to support and update 3 products to maintain about 1/2 the revenue that we used to see with *1* product.  This is all out of our hands, and I just try as best I can to do what I can without killing myself in the process.  My priority is always quality over quantity, and I know that's not a popular stance nowadays, but I cannot afford to generate more support issues for myself.

Tim Young
Elevate Software
www.elevatesoft.com