Sure.
If you have a Crystal Report that is accessed directly through a URL, and
not by passing parameters via a web page, and that Crystal Report expects
certain input from a user, Crystal Reports will display a series of
javascript-like prompts for the user to fill in. So, for example, one of the
reports we have might have a series of prompts starting with group name to
report on, start month for the fiscal year, end month for the fiscal year,
etc. Once all of the parameters have been supplied, the report will run.
Since we are accessing the Crystal Report via a web page, those parameters
are passed automatically from the page to the Crystal Report, so the user is
never prompted for them (they would instead be asked for the information
from the web page itself).
In my situation, my web form only asks for 4 pieces of information: the
group to report on, the fiscal year to report on, and the user's NT id and
password. In the source code, all of the parameters (ten, in my case) are
listed as param1, param2, param3, etc. It just so happens that for param1, I
assign the value of #form.group#, because the Crystal report is expecting
the group name to be supplied first. Param2 and Param3 are the start month
and end month for the fiscal year that the user chose from a dropdown list
labeled "fiscal year". We'll assume they chose 2001 in this case. In my
action page, I use CF functions to take the year 2001 and determine the
start and end of that fiscal year (1001 and 0902, in MMYY format). So in the
source code you see param2="1001" and param3="0902". The user may be able to
look at the source code and see what these values are, but they don't know
what I've done to arrive at those numbers or what they stand for.
In addition, I have several other hidden fields in that CF template that
were not provided by the user's input. So if they looked at the source code,
they don't know what param4="1" means, or how it changes the report.
Now, I am not suggesting in any way that the users would not be able to
figure this out, or that they would not be able to just copy and paste the
hidden fields "as is" to generate a report. Sure they could. But, in my
case, if they have made it this far to where they are able to view the
source code for this page, then they have been granted access to this report
anyway. It's important to note that I am dealing strictly with an inTRAnet
here, so I'm not as concerned about security hacks. Our biggest concern was
hiding the db username and password.
I'm pretty sparse on my knowledge of Crystal Reports, but I wonder if you
could also specify in the Crystal Report a specific user name and password?
I dunno. I'm not sure of the capabilities of Crystal Reports.
HTH :)
Terri
----Original Message Follows----
From: Paul Smith <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: CF-Talk <[EMAIL PROTECTED]>
Subject: RE: Report Solution (long)--My shared experience
Date: Fri, 18 May 2001 10:06:51 -0700
I don't understand your point here. Could you explain in more detail,
please?
best, paul
At 01:27 PM 5/18/01 +0000, you wrote:
>hmmm. Good question. Yes, I suppose they could do that. Depending on how you
>set up your Crystal Report, however, you probably could make it more
>difficult for them to 'guess' what fields the report is expecting. For
>example, this is what my final CF page has in the source code:
>
><FORM NAME="continue" ACTION="http://our.report.server.com/callreport.asp"
>METHOD=POST onSubmit="return _CF_checkcontinue(this)">
>
><input type="hidden" name="reportname" value="whatever.rpt">
> <input type="hidden" name="DSN" value="yourDSN">
> <input type="hidden" name="DB_SID" value="yourdbschema">
> <input type="hidden" name="param1" value="firstReportPrompt">
> <input type="hidden" name="param2" value="1001">
> <input type="hidden" name="param3" value="0902">
> <input type="hidden" name="param4" value="1">
> <input type="hidden" name="param5" value="1">
> <input type="hidden" name="param6" value="1">
> <input type="hidden" name="param7" value="">
> <input type="hidden" name="param8" value="">
> <input type="hidden" name="param9" value="ALL">
> <input type="hidden" name="param10" value="ALL">
>
>Since the prompt values are being passed from a template, the report will
>not prompt the user for any of the needed values when the report displays in
>the browser. So, even though they may see in the source code that param2 is
>1001, they may not figure out that the report is requesting (in MMYY
>format), the start of the fiscal year for the year that the user chose from
>the form dropdown list (in this case, 2001). Likewise, there is logic in my
>CF page to determine the end of the fiscal year, based on their choice
>(2001) from the previous page. See what I mean? Likewise, for param9/10,
>they would have no idea what "ALL" indicates, nor would they be able to
>guess what the other possible values would be.
>
>In our case, however, we are granting access to any employee to run any
>report (hey, I don't call the shots--that's how the group asked me to build
>it :), so we aren't too concerned with people taking the time to do
>something like that.
>
>The only reason that we are asking for an NT id and password is just so that
>we can validate that it is, in fact, a valid employee logging on. We may
>change this somewhere down the line and actually restrict access to certain
>reports, I don't know. Our whole concern with not exposing the db id/pw was
>because we didn't want people to be able to bypass reports and gain access
>to the actual Oracle db.
>
>If we DO end up restricting access based on groups somewhere down the road,
>I will be sure to post an update! :)
>
>Good luck!
>
>
>----Original Message Follows----
>From: [EMAIL PROTECTED]
>Reply-To: [EMAIL PROTECTED]
>To: CF-Talk <[EMAIL PROTECTED]>
>Subject: RE: Report Solution (long)--My shared experience
>Date: Fri, 18 May 2001 09:01:21 -0400
>
>I haven't done anything like this but may have to soon. Question: is there
>anything stopping a user from creating an html page on their desktop with a
>form that posts to the report server ASP page, just like your "action" page
>does? If not, it appears that anyone could run any report if they can
>figure out what to put in the form fields. Or is there a step I missed?
>
>
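
The question at the bottom of this thread (can someone post a hand-made form to the report server?) comes down to whether the report endpoint can tell that the hidden fields came from the action page. An added example, not code from the thread or from Crystal Reports, sketched in Python rather than CFML/ASP: the action page signs the fields and the endpoint rejects anything unsigned, altered or stale. The shared key, the `user`, `issued` and `sig` fields and both function names are assumptions, and it presumes the report-server page can be changed to run the check.

```python
import hashlib
import hmac
import time

# Assumption: a secret known only to the action page and the report server.
SHARED_KEY = b"constructed-demo-key-not-from-the-thread"
MAX_AGE_SECONDS = 300  # how long a rendered form stays valid


def _canonical(fields):
    # Length-prefix every name and value so field boundaries cannot be shifted.
    parts = []
    for name in sorted(fields):
        for item in (name, fields[name]):
            raw = item.encode("utf-8")
            parts.append(str(len(raw)).encode() + b":" + raw)
    return b"".join(parts)


def sign_fields(fields, user, now=None):
    """Action-page side: bind the fields to the validated user and issue time."""
    issued = str(int(time.time() if now is None else now))
    signed = dict(fields, user=user, issued=issued)
    signed["sig"] = hmac.new(SHARED_KEY, _canonical(signed), hashlib.sha256).hexdigest()
    return signed


def verify_fields(posted, now=None):
    """Report-server side: return the trusted fields or raise ValueError."""
    posted = dict(posted)
    sig = posted.pop("sig", "")
    expected = hmac.new(SHARED_KEY, _canonical(posted), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode("utf-8"), expected.encode("utf-8")):
        raise ValueError("signature missing or fields modified")
    age = (time.time() if now is None else now) - int(posted["issued"])
    if age < 0 or age > MAX_AGE_SECONDS:
        raise ValueError("form has expired")
    return posted


# Constructed sample reusing the hidden-field names shown in the form above.
SAMPLE = {"reportname": "whatever.rpt", "param1": "firstReportPrompt",
          "param2": "1001", "param3": "0902", "param9": "ALL"}
```

Because the signature covers `user`, a copied form still identifies the employee it was issued to, which is also the hook for restricting reports per group later.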