Messages 21 to 30 of 53 total
Thread: How To Perform A Multi-Field Dataset Search?
Mon, Oct 5 2015 12:59 PM

Raul

Team Elevate

On 10/5/2015 10:04 AM, Frederick Chin wrote:
> What would be the best way to securely connect to a desktop computer with the EWB web server running and if the server does not have a fixed IP address?

Is the client accessing the server from the same machine or different ones?

Without fixed IP you're going to have some problems here - do you have
any name resolution capability? Usual solution here is to use a DNS
name (and make sure either your DHCP server or client update the DNS
record).

In terms of actual TLS, EWB Web server does not natively support TLS yet,
so you'd need to use stunnel (number of messages in newsgroups about it).


Raul
Mon, Oct 5 2015 1:03 PM

Raul

Team Elevate

On 10/5/2015 11:51 AM, Frederick Chin wrote:
> I recently created a user login module with EWB and it took me the better part of two days of work to complete by trial and error, with constant referencing to the manual, and yet, I still have the feeling that I cobbled the module together rather than being knowledgeable, coding it.

You really should not be using dataset handling to authenticate
usernames and passwords in the first place - with JavaScript apps assume
ALL communication is trivial to eavesdrop on and any of your web service
calls trivial to manually run in a browser (i.e. I can just use wildcard
search in your query etc. to obtain list of all your usernames/passwords
if that's how you look up auth info).

Authentication really needs to be handled on the back end - you get
username/password from user and then pass it on to back-end to get
Valid/Invalid result back (and add some protection there so one cannot
brute force thousands of requests).

Raul

Mon, Oct 5 2015 3:13 PM

Tim Young [Elevate Software]

Elevate Software, Inc.

Email timyoung@elevatesoft.com

Frederick,

<< It does not explain what I should do to emulate the functionality of LOCATE. >>

That's because there *isn't* a Locate in EWB.  EWB's documentation is for EWB, not about every single thing that is different from Delphi.  It would take 20 times the amount of documentation already present to list everything that's different between the two products.

<< I finally managed to get the results I wanted for a multi-field search by trial and error. Even then, I am not sure if it should be done that way because there is no "official" writeup. >>

The manual specifically states in the first paragraph on searching right before the example:

"Once the dataset is in the "Find" state, you can assign values to the columns in the dataset and then call the Find method to execute the actual search."

The rest I'm going to ignore and just chalk up to frustration.  But, just keep in mind, this isn't the complaint department.  If you don't want to use EWB or don't like it, then don't use it.  These forums are for positive, constructive questions and answers for those wanting information on how to best use the product, not a bunch of back and forth bickering.

Tim Young
Elevate Software
www.elevatesoft.com
Mon, Oct 5 2015 5:09 PM

Jim Gallagher

Matthew Jones wrote:


<<But EWB has security built in if you use EDB,
so consider switching. FWIW I had my shop working with DBISAM and decided
to switch to a grown up EDB and it was only a few hours.>>

While there are technical advantages to use EDB over DBISAM, I would have to think that one could write secure code OR insecure code with either one, as far as user authentication goes.  If there is something inherently insecure about using DBISAM, what would that be?  I'm not being argumentative, I'm just curious, since I use DBISAM (or MySQL) and don't have a license for EDB.

-Jim
Mon, Oct 5 2015 5:51 PM

Raul

Team Elevate

On 10/5/2015 5:09 PM, Jim Gallagher wrote:
> Matthew Jones wrote:
> While there are technical advantages to use EDB over DBISAM, I would have to think that one could write secure code OR insecure code with either one, as far as user authentication goes.  If there is something inherently insecure about using DBISAM, what would that be?  I'm not being argumentative, I'm just curious, since I use DBISAM (or MySQL) and don't have a license for EDB.

I am using DBISAM with EWB but not with EWB Web server so some of the
following might not be fully accurate.

I believe the point here is that if you use local connection (i.e. file
system) then there is no authentication option for DBISAM in the product
itself (same way dbsys does not ask you to login when opening local db
tables). DBISAM only provides authentication when used thru dbsrvr (i.e.
remote session) since dbsrvr does the auth. That should work same way
for EWB web server as well I would assume.

EDB is different (catalog vs file system) architecture and any data
access operation would require login (even local file system session)
hence it's easier to use auth with EDB.

You can do your own auth using the TEWBServerRequest instances in server
as well but I think original question was more about built-in capabilities.

Raul

Mon, Oct 5 2015 6:03 PM

Matthew Jones

Indeed, EDB has users and roles and permissions built in. I presume, for I
use my own authentication code, that EWB uses that too. I think I saw such
in the data links.

Tim has thought through a lot of these things, so maybe DBISAM is sorted
too, but I doubt to the same degree. As with using https, you have to
consider how something is to be used and if it is on the internet then
authentication without https and proper password salting would be a problem
waiting to happen. It isn't hard to do it right.

--
Matthew Jones
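
The back-end check Raul describes earlier in the thread (credentials go to the server, only a Valid/Invalid verdict comes back, repeated failures are throttled), combined with the password salting Matthew mentions, as an added example that is not part of the original posts and is not EWB, DBISAM or EDB code. The `Authenticator` class, its method names, the work factor and the throttle limits are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000               # constructed sample work factor (assumption)
MAX_FAILS, WINDOW_SECS = 5, 300    # constructed throttle limits (assumption)

def hash_password(password, salt=None):
    """Return (salt, digest); each user gets a fresh random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

class Authenticator:
    """Hypothetical back-end login check; the client only sees the verdict."""

    def __init__(self, clock=time.monotonic):
        self.users = {}    # name -> (salt, digest), never sent to the client
        self.fails = {}    # name -> times of recent failed attempts
        self.clock = clock
        # Dummy record so an unknown name costs the same work as a known one.
        self.dummy = hash_password("placeholder")

    def add_user(self, name, password):
        self.users[name.lower()] = hash_password(password)

    def login(self, name, password):
        """Return 'valid', 'invalid' or 'locked' and nothing else."""
        key, now = name.lower(), self.clock()
        recent = [t for t in self.fails.get(key, []) if now - t < WINDOW_SECS]
        if len(recent) >= MAX_FAILS:
            self.fails[key] = recent
            return "locked"    # throttled before any hashing is done
        salt, stored = self.users.get(key, self.dummy)
        _, candidate = hash_password(password, salt)
        # Exact, constant-time match on the digest: no wildcard can match.
        if hmac.compare_digest(candidate, stored) and key in self.users:
            self.fails.pop(key, None)
            return "valid"
        self.fails[key] = recent + [now]
        return "invalid"
```

Counting failures per name lets an outsider lock a known account, so a production check would usually also throttle per client address.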
Mon, Oct 5 2015 8:38 PM

Jim Gallagher

Matthew Jones wrote:

<<Indeed, EDB has users and roles and permissions built in. I presume, for I
use my own authentication code, that EWB uses that too. I think I saw such
in the data links.>>

Thanks, Raul and Matthew.  OK, I think I understand.  Your concerns are with dataset access to server tables.  In my ignorance, I avoid that access method, since I don't have grid-oriented applications, and having a dataset access server data sounds a little scary to me.  Assuming that DBISAM tables are password protected, and are accessed via https: from a module with the user supplying the username and password once only up front, then even local DBISAM access on a server could be made secure.

-Jim   
Mon, Oct 5 2015 10:26 PM

Frederick Chin

Matthew,

/*
I don't use modules, sorry. But EWB has security built in if you use EDB,
so consider switching. FWIW I had my shop working with DBISAM and decided
to switch to a grown up EDB and it was only a few hours.

Also, this went by my feed:

http://blog.learningtree.com/why-you-need-to-pay-attention-to-the-wyndham-case/

Doing things properly protects you from lawsuits!
*/

Changing to EDB would be difficult in my case as the applications using DBISAM are pretty complicated and I would hesitate to alter a functioning program and cause all types of support headaches.

I like DBISAM because of its simplicity and since this is Tim's product, I'm sure that he can suggest some way to have it work securely with EWB.

Frederick
Mon, Oct 5 2015 10:39 PM

Frederick Chin

Raul,

/*
Is the client accessing the server from the same machine or different ones?
*/

The client will access the DBISAM tables over the Internet.

/*
Without fixed IP you're going to have some problems here - do you have
any name resolution capability? Usual solution here is to use a DNS
name (and make sure either your DHCP server or client update the DNS
record).

In terms of actual TLS, EWB Web server does not natively support TLS yet,
so you'd need to use stunnel (number of messages in newsgroups about it).
*/

I think I am going to use a dynamic DNS together with stunnel for the computer hosting the DBISAM tables. Will this work?

Frederick
Mon, Oct 5 2015 11:04 PM

Frederick Chin

Tim,

/*
That's because there *isn't* a Locate in EWB.  EWB's documentation is for EWB, not about every single thing that is different from Delphi.  It would take 20 times the amount of documentation already present to list everything that's different between the two products.
*/

I understand that there is no Locate in EWB but all I am asking is how do you emulate it in EWB. Let's look at the following live examples:-

DBISAM table is MNPSMAIN.DAT with an index on the NAME column.

Example 1:-

        with Mnpsmain do begin
             Columns['name'].SortDirection:=sdAscending;
             Columns['password'].SortDirection:=sdAscending;
             SortCaseInsensitive:=True;
             Sort;
             InitFind;
             Columns['name'].AsString:=edtName.Text;
             Columns['password'].AsString:=edtPassword.Text;
             lOK:=Find(False,True);
        end;

lOK returns True if name and password combination are in my DBISAM table and False if not. This is a correct result.

Example 2:-

        with Mnpsmain do begin
             Columns['name'].SortDirection:=sdAscending;
             Columns['password'].SortDirection:=sdAscending;
             {
             SortCaseInsensitive:=True;
             Sort;
             }
             InitFind;
             Columns['name'].AsString:=edtName.Text;
             Columns['password'].AsString:=edtPassword.Text;
             lOK:=Find(False,True);
        end;

With the Sort methods taken out, lOK still returns True if name and password combination are in my DBISAM table and False if not. This is a correct result.

Example 3:-

        with Mnpsmain do begin
             Columns['name'].SortDirection:=sdAscending;
             //Columns['password'].SortDirection:=sdAscending;
             {
             SortCaseInsensitive:=True;
             Sort;
             }
             InitFind;
             Columns['name'].AsString:=edtName.Text;
             Columns['password'].AsString:=edtPassword.Text;
             lOK:=Find(False,True);
        end;

With the Sort methods AND the password column's SortDirection taken out, lOK still returns True if name and password combination are in my DBISAM table and False if not! This is a correct result but why? Is there some sort of cache in place?

/*
The manual specifically states in the first paragraph on searching right before the example:

"Once the dataset is in the "Find" state, you can assign values to the columns in the dataset and then call the Find method to execute the actual search."
*/

It is not obvious because the example shows a simple field search. With the examples I gave above, which I obtained by trial and error, you can see how confused I am.

/*
The rest I'm going to ignore and just chalk up to frustration.  But, just keep in mind, this isn't the complaint department.  If you don't want to use EWB or don't like it, then don't use it.  These forums are for positive, constructive questions and answers for those wanting information on how to best use the product, not a bunch of back and forth bickering.
*/

You did ask me for an example for the manual and I gave you one, in the hope you could add more. I don't believe I stated anywhere in my previous forum message that I don't like or don't want to use EWB. No software tool is perfect and I don't expect EWB to be but I expect that you would be interested in improving EWB based on feedback.

P.S. I will continue to use EWB because it is currently the only tool that will access DBISAM tables natively and also to irritate the heck out of you. :)

Frederick