Ajax <> database security

I'm planning to build a website generator based on jQuery. What I have in mind is a highly scalable system and a Government area based on Ajax.

The administrator can adjust the colors, forms and menus, build ad pages, configure the widgets on the page, etc. The backbone of the application will be a database.

To make it really expandable, I will add the possibility for the administrator to create database tables and add forms for these tables. All forms in the site will be driven by Ajax.

Now there's a thing about safety. With standard forms this won't be a problem; the issue is the dynamically created forms. There are several ways to implement a system like this.

One way I can think of is that a dynamically created form sends the name of the table during an Ajax call. But here's where I have my doubts. Although the database must always be protected with a password etc., my security policy is to give as far as possible information on the server; it should not be rocket science to read an Ajax request to the server. So if I implement it this way, users can easily see exactly which tables are being updated if they monitor the traffic to and from the server. What do you think: is it something I should avoid?

It is not clear to me why you need to create a new table for all forms. One table could contain the questions of the forms; the questions that share an identification number would all belong to the same form. Responses to the forms would all be in another table.

Only the administrator, who has higher permissions, can create tables.

I still wouldn't let that happen.

Just think what your database will look like after a couple of years. It can be full of tables with cryptic names that no longer serve any purpose. A big mess.
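
An added example (not from the thread): a minimal server-side handler in Python with sqlite3 for the layout suggested in the reply above, where one table holds form questions and another holds responses. The Ajax request carries only a form id and question ids, never a table name; all table, column and function names here are assumptions.

```python
import json
import sqlite3
import uuid

# Fixed schema: dynamic forms are rows, not tables (names are assumptions).
SCHEMA = """
CREATE TABLE forms (id INTEGER PRIMARY KEY, title TEXT NOT NULL);
CREATE TABLE form_questions (
    id INTEGER PRIMARY KEY,
    form_id INTEGER NOT NULL REFERENCES forms(id),
    label TEXT NOT NULL,
    max_len INTEGER NOT NULL DEFAULT 200
);
CREATE TABLE form_responses (
    id INTEGER PRIMARY KEY,
    question_id INTEGER NOT NULL REFERENCES form_questions(id),
    submission TEXT NOT NULL,
    value TEXT NOT NULL
);
"""
ALLOWED_KEYS = {"form_id", "answers"}


def make_db():
    """In-memory database with constructed sample forms."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO forms (id, title) VALUES (?, ?)",
                     [(1, "Contact"), (2, "Survey")])
    conn.executemany(
        "INSERT INTO form_questions (id, form_id, label, max_len) VALUES (?, ?, ?, ?)",
        [(10, 1, "Name", 50), (11, 1, "Message", 500), (20, 2, "Rating", 200)])
    return conn


def handle_ajax(conn, raw_body):
    """Validate one Ajax form post. Returns (status, submission id or error)."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        return 400, "invalid JSON"
    # Reject anything the client should not be steering, e.g. a "table" key.
    if not isinstance(body, dict) or set(body) != ALLOWED_KEYS:
        return 400, "unexpected or missing field"
    form_id, answers = body["form_id"], body["answers"]
    if type(form_id) is not int or not isinstance(answers, dict) or not answers:
        return 400, "bad types"
    # The server decides which questions belong to the form.
    limits = dict(conn.execute(
        "SELECT id, max_len FROM form_questions WHERE form_id = ?", (form_id,)))
    if not limits:
        return 404, "unknown form"
    submission = uuid.uuid4().hex  # generated server-side, not by the client
    rows = []
    for key, value in answers.items():
        if not (key.isascii() and key.isdigit()) or int(key) not in limits:
            return 400, "question does not belong to this form"
        if not isinstance(value, str) or len(value) > limits[int(key)]:
            return 400, "invalid answer"
        rows.append((int(key), submission, value))
    with conn:  # one transaction; values are bound, identifiers are fixed
        conn.executemany(
            "INSERT INTO form_responses (question_id, submission, value) "
            "VALUES (?, ?, ?)", rows)
    return 200, submission


def count_responses(conn):
    return conn.execute("SELECT COUNT(*) FROM form_responses").fetchone()[0]


def stored_values(conn, submission):
    cur = conn.execute(
        "SELECT value FROM form_responses WHERE submission = ? ORDER BY question_id",
        (submission,))
    return [row[0] for row in cur]


if __name__ == "__main__":
    db = make_db()
    print(handle_ajax(db, '{"form_id": 1, "answers": {"10": "Ada", "11": "Hi"}}'))
    print(handle_ajax(db, '{"table": "users", "form_id": 1, "answers": {"10": "x"}}'))
```

Anyone watching the traffic sees only numeric ids, and a forged id is checked against `form_questions` before anything is written.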


Similar Questions

  • APEX on a database by using a different database security

    I'm new to APEX, so please forgive me if my question is elementary or if it comes across as ignorant. My organization is using APEX for the first time and we are looking to fill a specific role. I don't know if what we want from APEX can be done.

    Here's what we want to do:

    We want to create an APEX app on database A.

    My APEX application will be used to modify tables in database B.

    Users have usernames, passwords and access set up on database B.

    When users access the APEX application, we want the application to use the security of database B. In other words, it connects using the IDs and passwords for database B.

    So:

    I go to the APEX application.

    It prompts me for the user ID; I enter the one I use when I log on to database B.

    It asks me for a password; I enter the one I use with my database B ID.

    I click OK.

    Forms are loaded with the data accessible by my ID on database B.

    I make changes on the forms and my user ID is marked as the one making changes to database B rows.

    In other words, I just want to use database A to build and enhance the application. Anyone can run the application, but they must connect using their database B ID and password to make changes.

    (1) Is it possible?

    (2) How do I configure this in the APEX application?

    Thanks for your help on this.

    8dc1e333-95ad-4714-9820-16d3e4296c4d wrote:

    In other words, I just want to use the database A to build and enhance the application.

    APEX does not work like that.

    APEX is nothing more than a bunch of PL/SQL code that runs on the database it is installed on, and it runs the code as the "parsing schema".

    Comment on "runs on the database"

    If you want APEX to read data from a different database, you use a DATABASE LINK,

    for example, a SELECT for a report:

    Select * from scott.emp@db2

    I doubt that any of the APEX wizards will love it.

    Comment on "runs as the parsing schema"

    If your application has a parsing schema of 'BOB', all SQL and PL/SQL code will run as BOB.

    The "DB account" security is more of a misnomer. APEX only checks that the entered name and password match those of the database that it is installed on.

    Once verified, APEX performs a 'switch user' to the 'parsing schema'. (Proxy authentication in Oracle)

    That's how web applications work... they use a shared schema.

    WORK AROUND

    Connect to APEX by ADR, not EPG. This will prevent people from accessing the database directly.

    The next thing that you need is a PARSING SCHEMA dedicated to the execution of SQL and PL/SQL.

    Like any other database USER, it shouldn't be the same schema as the schema that contains all of your data. (Parsing schema != data schema)

    Personally, I like to keep my 'workspace [schema]' separate also.

    You will most likely need to use Virtual Private Database to control data access.

    Required Code changes

    If any of your code uses the 'USER' column for the username, you need to change it to COALESCE(V('APP_USER'), USER)

    (I prefer COALESCE over NVL because I anticipate different infrastructure that works similarly to APEX)

    MK

  • Please suggest some in depth Oracle Database Security book

    Please suggest some in-depth Oracle database security books.

    I'm looking for some very good, in-depth, advanced books on Oracle database security.


    Thanks in advance...

    If you go to Amazon.com, then search for 'Security Oracle', there are dozens of good books.

    I would probably start

    Applied Oracle security

    and

    Effective Oracle security

    Justin

  • database security...

    Hi Experts,

    I am a DBA and have never worked on the security of the database.
    I have been asked by management to work on this area.
    I would like to know: is this area a DBA's job?

    If so could you please direct me to the docs/url metalink?

    Thank you
    BK.

    Yes, it's your job as a DBA to secure your database.

    Oracle Database Security is not a small topic to study; you should know
    -MEV
    -Data masking
    -Line level security
    -Column-level security
    -Data Vault
    -Database Audit Vault
    -Firewall oracle

    each of these subject's course.

  • Announcement for the external database - Secure ACS 5.2 or LDAP

    I'm working on the project with Secure ACS 5.2.  I'm trying to determine the external database appropriate to use.  LDAP or directly to the AD?

    In addition, the domain I connect to has several subdomains. All users are currently in the subdomains, but will move to the root domain later. How do I set up the connection? Do I have to connect to each subdomain, or can I connect just to the root?

    Thank you

    Hello

    If you are using PEAP (mschapv2) [password-based authentication], your best bet is to tie ACS to AD, because PEAP-mschapv2 is a hash mechanism that is only supported when you bind to AD; it will not work if you use the LDAP integration.

    Your best option is to connect ACS to the root domain, so it can use the transitive trust relationships to find the information in its subdomains.

    Thank you

    Tarik Admani
    * Please note the useful messages *.

  • Windows 7. N A P is DISABLED. How to change secedit, database, security, file victory "Adobe",

    Accidentally changed the properties in the programs 'Windows. security, .database .secedit"at adobe. need to restore the original.

    "I have not a reliable ' restore date.

    Hello

    Before I continue with the troubleshooting steps I may need a few more details to better understand the issue.

    1. What exactly is the problem you are experiencing on the computer?
    2. Do you receive any error messages?
    3. What exactly do you mean by "changed the properties in the programs 'Windows. security, .database .secedit' at adobe. need to restore the original."?

    Suggestions for a question on the help forums:
    http://support.Microsoft.com/kb/555375

    Answer with the information required to help solve the problem.

  • failed to create database security store

    Hi all

    I'm trying to run the command to create the database security store for my domain, but I get the following exception.

    WebLogic Scripting Tool (WLST) initializing...

    Welcome to WebLogic Server Administration scripts Shell

    Help() type help on the available commands

    Info: Data Source is: opss-DBDS

    Problem call WLST - Traceback (innermost last):

    File "/data/eidm/opam/Middleware/Oracle_IDM1/common/tools/configureSecurityStore.py", line 653, in ?

    File "/data/eidm/opam/Middleware/Oracle_IDM1/common/tools/configureSecurityStore.py", line 76, in getXmlDocument

    File "/data/eidm/opam/Middleware/wlserver_10.3/common/wlst/modules/jython-modules.jar/Lib/xml/dom/minidom.py", line 1923, in parse

    File "/data/eidm/opam/Middleware/wlserver_10.3/common/wlst/modules/jython-modules.jar/Lib/xml/dom/minidom.py", line 1907, in _do_pulldom_parse

    File "/data/eidm/opam/Middleware/wlserver_10.3/common/wlst/modules/jython-modules.jar/Lib/xml/dom/pulldom.py", line 333, in parse

    IOError: No file or directory: data/eidm/opam/Middleware/user_projects/domains/opam_domain/config/config.xml

    Please help us.

    Thank you.

    error message:

    IOError: No file or directory: data/eidm/opam/Middleware/user_projects/domains/opam_domain/config/config.xml

    Check whether the path of the given domain is correct.

    What is the exact command that you run?

  • Error occurred when creating 'Database of store security' in OIM11gR2 PS2

    Hi experts,

    I get the following error when I try to configure the database security store.

    The user name and password are correct. 1 forward, I used the "Patch Set Assistant" to upgrade the OPSS schema.

    OS: Linux Red Hat 6.5

    OIM version: 11gR2 PS2

    My environment variables:

    export JAVA_HOME=/APPL/home/oim/java/jdk6

    export APP_SERVER=weblogic

    export MW_HOME=/APPL/home/oim/mw

    export WL_HOME=/APPL/home/oim/mw/wlserver_10.3

    export OIM_ORACLE_HOME=/APPL/home/oim/mw/Oracle_IDM1/

    export DOMAIN_HOME=/APPL/home/oim/mw/user_projects/domains/oim_domain/

    # export PATH

    export PATH=$PATH:/APPL/home/oim/java/jdk6/bin

    export PATH=$PATH:/APPL/home/oim/mw/Oracle_SOA1/OPatch

    Java-Version:

    Java version "1.6.0_37".

    Java (TM) SE Runtime Environment (build 1.6.0_37 - b06)

    Oracle JRockit (R) (build R28.2.5-50-153520-1.6.0_37-20121220-0843-linux-x86_64, update mode)

    [oim@gf0vsxas833p ~] $

    My password of the OPSS schema includes two special characters: $ and _

    My error:

    [oim@gf0vsxas833p ~]$ /APPL/home/oim/mw/oracle_common/common/bin/wlst.sh /APPL/home/oim/mw/Oracle_IDM1/common/tools/configureSecurityStore.py -d /APPL/home/oim/mw/user_projects/domains/oim_domain/ -c IAM -p <opss_schema_password> -m create

    WebLogic Scripting Tool (WLST) initializing...

    Welcome to WebLogic Server Administration scripts Shell

    Help() type help on the available commands

    Info: Data Source is: opss-DBDS

    Info: Driver JDBC DB: oracle.jdbc.OracleDriver

    Info: DB JDBC URL: jdbc:oracle:thin:@gf0zsxdb048p:1522/IDMSECP

    Error: impossible to do the data binding for OES field. Caused by: ORA-01017: name of user and password invalid. connection refused

    Problem call WLST - Traceback (innermost last):

    File "/APPL/home/oim/mw/Oracle_IDM1/common/tools/configureSecurityStore.py", line 899, in ?

    at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:445)

    at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:389)

    at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:382)

    at oracle.jdbc.driver.T4CTTIfun.processError(T4CTTIfun.java:600)

    at oracle.jdbc.driver.T4CTTIoauthenticate.processError(T4CTTIoauthenticate.java:445)

    at oracle.jdbc.driver.T4CTTIfun.receive(T4CTTIfun.java:450)

    at oracle.jdbc.driver.T4CTTIfun.doRPC(T4CTTIfun.java:192)

    at oracle.jdbc.driver.T4CTTIoauthenticate.doOAUTH(T4CTTIoauthenticate.java:380)

    at oracle.jdbc.driver.T4CTTIoauthenticate.doOAUTH(T4CTTIoauthenticate.java:760)

    at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:401)

    at oracle.jdbc.driver.PhysicalConnection.<init>(PhysicalConnection.java:546)

    at oracle.jdbc.driver.T4CConnection.<init>(T4CConnection.java:236)

    at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:32)

    at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:521)

    at java.sql.DriverManager.getConnection(DriverManager.java:582)

    at java.sql.DriverManager.getConnection(DriverManager.java:185)

    at oracle.security.oes.util.DBSchemaUpgrade.getConnection(DBSchemaUpgrade.java:62)

    at oracle.security.oes.util.DBSchemaUpgrade.isAnyPolicyStoreInSchema(DBSchemaUpgrade.java:69)

    at oracle.security.oes.util.DBSchemaUpgrade.isAnyPolicyStoreInSchema(DBSchemaUpgrade.java:56)

    at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)

    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

    at java.lang.reflect.Method.invoke(Method.java:597)

    java.sql.SQLException: java.sql.SQLException: ORA-01017: name of user and password invalid. connection refused

    Any ideas? I did the exact same installation two months ago. At that time, everything worked fine...

    Thank you!

    BR,

    Max

    Finally, I was able to solve my problem. When the schema password contains a $ sign, the script fails!

    BR

  • Suggestion: Subcategory "Security" of the category "Database".

    Hi all

    I managed to find that on OTN Discussion Forums, there are:
    Java-> category: security
    Technology-> Forum: security

    and technology: security questions apply to the Oracle database software.

    I always wondered why there is no 'Security' subcategory in the category "Database" (http://forums.oracle.com/forums/main.jspa?categoryID=84)
    I have read database security discussions in the 'Database - General' sub-category of the category "Database" and always had this strange feeling that a 'Security' subcategory was missing.

    In my view, database security threads would be better organized if there were a subcategory "Security" in the category "Database".

    Thank you
    Adrian Angelov

    I think there is a Database Security - General forum, although it is rather well hidden at the bottom of the list of database instances.

    Justin

  • How to remove a nsf local security

    Hi all

    Please suggest me a convenient way to remove local security from NSF

    You will need to remove NSF security? Get the solution in advance, giving you great assistance during the withdrawal of database security. Try it and be free from this error. Read more:- http://www.removensfsecurity.org/how-to-remove-local-security

  • Oracle Database Vault

    Dear Guys,

    I'm looking for Oracle database security software and got some information that Oracle Database Vault is aimed at this. Please let me know which database versions (8i, 9i, 10g, 11g) are supported and can be integrated with the latest version of Oracle Database Vault.

    Hello

    Audit Vault and Database Firewall is an Oracle product which allows you to collect audit logs from many targets, and to block and monitor SQL traffic against your targets.

    DB Vault is a different Oracle product that can protect your data against unauthorized access, such as DBA access, by creating a realm; if SYSDBA tries selecting from tables protected by the realm, he will receive an insufficient privileges error.

  • MAXL drop database fails - ERROR - 1051041 - insufficient privilege for this operation - with Application Manager

    Hello

    SSP database security.

    The user and group are both part of the native directory, but also exist in the Active Directory configuration.

    I create a group.

    I set up the Group Application Manager for Application X

    I make A user a member of the Group

    User A runs a MAXL script; -

    Drop database X.Y;

    The drop fails:

    ERROR - 1051041 - Insufficient privilege for this operation.

    Essbase 11.1.2.2.

    Is this a bug?

    Is there a solution?

    Thank you

    Robert.

    Robert, reading Cameron's link I see this:

    "An Application Manager can remove only the applications and databases that he created."

    Leaving aside the question of whether this applies also to female users, this is probably your problem, is it not?

  • Connect to the database through PHP Oracle

    Hello

    I'm trying to run a PHP script from a button on an external site that connects to the Oracle database. Does anyone have an idea how to connect to a SQL database, as I want to use the website as a client to the product which inserts records?

    Thank you very much!

    I read your other thread, "Connect to database via PHP APEX", found on the APEX forum.

    The person who told you to post here gave you some bad advice.

    "cj" has some good information for you in your original post.

    As you are using APEX and PHP to interact with the database at the same time, you will need to do some design work before you continue.

    Step 1: Learn Oracle.

    Read Oracle Concepts Guide

    If you have questions about how Oracle works, feel free to ask in the general forum.

    Step 2: Design your security

    Identify the tables the PHP users will be allowed to access. (I only allow SELECT)

    Identify the processes that PHP users will be allowed to run. (my DML is placed here)

    Think "ROLES".

    There is a forum "database security - general."  But, I think that general would also work.

    Step 3: Move the "business logic" in the database

    You want to reuse the APEX processes in PHP, PERL/CGI, .NET, etc.

    To do this, the only way is to move the APEX processes into database code (i.e. packages).

    In other words: put your "business logic" within your database.

    Not all the APEX processes should be moved (for example, "automatic data extraction" is APEX-specific).

    You can create packages that can be used instead of "Automatic DML" within the APEX SQL Workshop.

    (post in the forum of the APEX for more information)

    Other processes, you will need to read the code to determine.

    Also, you'll want to move your APEX 'Permission' and 'Validation' code into packages.

    In this way PHP, .NET, Java, etc. can use the same 'validation' code.

    Step 3: use a code repository

    You will create a large number of packages.

    You'll want to use a code repository (e.g. SVN) to keep a history of your code.

    Oracle SQL Developer (free) should be able to help here.

    Step 4: consider asking for help

    You should consider hiring a consultant to help you if you don't have in-house expertise that can solve the above steps.

    MK

    PS - for later use, remember to mark your question as 'responded' if you realize that it is in the wrong forum.

  • ORA-28132: the MERGE syntax IN does not support security policy

    Hello

    Using Oracle 11g R2.

    I have the following problem:

    If the user attempts to perform a MERGE INTO statement on a table (T1), they receive the error ORA-28132: The MERGE INTO syntax does not support security policy.

    Is there a way I can solve this problem by giving the user more rights on this specific table, T1? Or do I need to rewrite the SQL code using UPDATE and INSERT instead of MERGE?

    I can't grant EXEMPT ACCESS POLICY; it would be too powerful a privilege...

    Please advise,

    M.R.

    You may need to recreate the VPD policy:

    Note:

    In previous releases of Oracle Database, when you created an Oracle Virtual Private Database policy on an application that included the MERGE INTO statement, the MERGE INTO statement would be prevented with an ORA-28132: Merge into syntax does not support security policies error, due to the presence of the Virtual Private Database policy. From Oracle Database 11g Release 2 (11.2.0.2), you can create policies on applications that include MERGE INTO operations. To do this, in the DBMS_RLS.ADD_POLICY statement_types parameter, include the INSERT, UPDATE, and DELETE statements, or simply omit the statement_types parameter altogether. Refer to the Oracle Database Security Guide for more information on enforcing policies on specific SQL statement types.

    FUSION

  • Security filter problem

    Hello

    I am facing a problem with the security filter for a single user. We are on Hyperion Fusion Edition, version 11.1.2.1.

    We had a user created in the SSP with ID TESTUSER and added to the group. Initially this was working fine for this user. Subsequently, we removed this user from Shared Services as it was no longer needed.

    According to the new requirements we are supposed to create a user with the same username, so we created a new user "TESTUSER" and added it to the same group of users, then we refreshed the Planning application security via "Administration -> Application -> Refresh Database -> Security Filters". Refreshing security created the filters for the above user, and we checked this in the EAS console.

    However, when we connect to the application via Smart View we get the error below.

    *****************

    Could not open the cube view. Essbase error (1054060): Essbase failed to select Application APP1, because the TESTUSER@Native directory is not completely updated in service planning.

    *****************

    Could you please advise how we can solve this problem?

    Try to remove the user from the EAS security file using MAXL and try again to create the security filters.
