How can I send my mysql table parameters to a link through GET?
e.x. : http:/example.com/Send.ashx?id=[member.id]&name=[class.name]
You cannot access MySQL via http directly. You will need to set up a rest API server that handles http requests, makes the corresponding SQL queries, formats the result (typically as json or XML) and sends it back to the client.
In case you already have an API / web server, we need more detailed information on your setup
Related
I have already a code to retrieve the objects in the bucket using oci-java-sdk and this is working as expected. I would like to retrieve the URL of the file which was uploaded to the bucket in object storage and when I use this URL, this should redirect to the actual location without asking any credentials.
I saw preauthenticated requests but again i need to create one more request. I dont want to send one more request and want to get URL in the existing GetObjectResponse.
Any suggestions>
Thanks,
js
The URL of an object is not returned from the API but can be built using information you know (See Update Below!). The pattern is:
https://{api_endpoint}/n/{namespace_name}/b/{bucket_name}/o/{object_name}
Accessing that URL will (generally, see below) require authentication. Our authentication mechanism is described at:
https://docs.cloud.oracle.com/en-us/iaas/Content/API/Concepts/signingrequests.htm
Authentication is NOT required if you configure the bucket as a Public Bucket.
https://docs.cloud.oracle.com/en-us/iaas/Content/Object/Tasks/managingbuckets.htm?TocPath=Services%7CObject%20Storage%7C_____2#publicbuckets
As you mentioned, Pre-authenticated Requests (PARs) are an option. They are generally used in this situation, and they work well.
https://docs.cloud.oracle.com/en-us/iaas/Content/Object/Tasks/usingpreauthenticatedrequests.htm
Strictly speaking, it is also possible to use our Amazon S3 Compatible API...
https://docs.cloud.oracle.com/en-us/iaas/Content/Object/Tasks/s3compatibleapi.htm
...and S3's presigned URLs to generate (without involving the API) a URL that will work without additional authentication.
https://docs.aws.amazon.com/AmazonS3/latest/dev/ShareObjectPreSignedURL.html
Update: A teammate pointed out that the OCI SDK for Java now includes a getEndpoint method that can be used to get the hostname needed when querying the Object Storage API. https://docs.cloud.oracle.com/en-us/iaas/tools/java/1.25.3/com/oracle/bmc/objectstorage/ObjectStorage.html#getEndpoint--
Is it possible to get browser information in a PROCEDURE via MySQL code?
Without having to pick up via backend code and pass as parameter. That is, does MySQL have any function that returns browser information?
No, it's not possible.
MySQL runs at server side whereas browser info is sent from client side (in request headers). So, unless it's passed to MySQL stored procedure or function (via a web app or php), there is no way MySQL would get the browser information.
Any browser information is going to come in the HTTP request and will need to be passed on by your backend code to your MySQL server. There is no function in MySQL that can give it to you directly because the MySQL server doesn't have access to that information.
I am using AppMon 6.5 to monitor an application running in Oracle Weblogic with an Apache server as web server.
The clients perform a lot of HTTP POST requests with json payload and I would like to capture the sent data.
I have configured Web Server sensor (Apache agent) to capture all request headers and request parameters and the Servlet sensor (Weblogic agent) to capture all request headers, request parameters, session attributes...
But I am able to capture only the POST parameters when the clients send the parameters as form-data (e.g. login request consists in two post parameters sent as form-data)
The documentation of Web server sensor states this
Request Parameter Capturing
Capturing the request parameter has some limitations on the web server:
Only the first 20.000 characters of the combined string of query and POST body will be analyzed. Parameters which are beyond that limit cannot be captured.
Reading request parameters from the POST body is only supported for IIS7+ and Apache based web servers.
https://community.dynatrace.com/community/display/DOCDT65/Web+Server+Sensor
Is it not possible to capture the POST data sent as body (e.g json content)??
Thanks in advance
Regards.
Dynatrace AppMon does not capture Payload data, it would cause a high overhead. For almost all situations you can get the information you want another way though, e.g. via method arguments.
I got a (Flask) backend powering an API that serves JSON to an Angular app.
I love the fact that my backend (algorithms, database) is totally disconnected from my frontend (design, UI) as it could literally run from two distinct servers. However since the view is entirely generated client side everyone can access the JSON data obviously. Say the application is a simple list of things (the things are stored in a JSON file).
In order to prevent direct access to my database through JSON in the browser console I found these options :
Encrypting the data (weak since the decrypting function will be freely visible in the javascript, but not so easy when dealing with minified files)
Instead of $http.get the whole database then filtering with angular, $http.get many times (as the user is scrolling a list for example) so that it is programmatically harder to crawl
I believe my options are still weak. How could I make it harder for a hacker to crawl the whole database ? Any ideas ?
As I understand this question - the user should be permitted to access all of the data via your UI, but you do not want them to access the API directly. As you have figured out, any data accessed by the client cannot be secured but we can make accessing it a little more of PITA.
One common way of doing this is to check the HTTP referer. When you make a call from the UI the server will be given the page the request is coming from. This is typically used to prevent people creating mashups that use your data without permission. As with all the HTTP request headers, you are relying on the caller to be truthful. This will not protect you from console hacking or someone writing a scraper in some other language. #see CSRF
Another idea is to embed a variable token in the html source that bootstraps your app. You can specify this as an angular constant or a global variable and include it in all of your $http requests. The token itself could be unique for each session or be a encrypted expiration date that only the server can process. However, this method is flawed as well as someone could parse the html source, get the code, and then make a request.
So really, you can make it harder for someone, but it is hardly foolproof.
If users should only be able to access some of the data, you can try something like firebase. It allows you to define rules for who can access what.
Security Considerations When designing web applications, consider
security threats from:
JSON vulnerability XSRF Both server and the client must cooperate in
order to eliminate these threats. Angular comes pre-configured with
strategies that address these issues, but for this to work backend
server cooperation is required.
JSON Vulnerability Protection A JSON vulnerability allows third party
website to turn your JSON resource URL into JSONP request under some
conditions. To counter this your server can prefix all JSON requests
with following string ")]}',\n". Angular will automatically strip the
prefix before processing it as JSON.
For example if your server needs to return:
['one','two'] which is vulnerable to attack, your server can return:
)]}', ['one','two'] Angular will strip the prefix, before processing
the JSON.
Cross Site Request Forgery (XSRF) Protection XSRF is a technique by
which an unauthorized site can gain your user's private data. Angular
provides a mechanism to counter XSRF. When performing XHR requests,
the $http service reads a token from a cookie (by default, XSRF-TOKEN)
and sets it as an HTTP header (X-XSRF-TOKEN). Since only JavaScript
that runs on your domain could read the cookie, your server can be
assured that the XHR came from JavaScript running on your domain. The
header will not be set for cross-domain requests.
To take advantage of this, your server needs to set a token in a
JavaScript readable session cookie called XSRF-TOKEN on the first HTTP
GET request. On subsequent XHR requests the server can verify that the
cookie matches X-XSRF-TOKEN HTTP header, and therefore be sure that
only JavaScript running on your domain could have sent the request.
The token must be unique for each user and must be verifiable by the
server (to prevent the JavaScript from making up its own tokens). We
recommend that the token is a digest of your site's authentication
cookie with a salt for added security.
The name of the headers can be specified using the xsrfHeaderName and
xsrfCookieName properties of either $httpProvider.defaults at
config-time, $http.defaults at run-time, or the per-request config
object.
Please Kindly refer the below link,
https://docs.angularjs.org/api/ng/service/$http
From AngularJS DOCs
JSON Vulnerability Protection
A JSON vulnerability allows third party website to turn your JSON resource URL into JSONP request under some conditions. To counter this your server can prefix all JSON requests with following string ")]}',\n". Angular will automatically strip the prefix before processing it as JSON.
There are other techniques like XSRF protection and Transformations which will further add security to your JSON communications. more on this can be found in AngularJS Docs https://docs.angularjs.org/api/ng/service/$http
You might want to consider using JSON Web Tokens for this. I'm not sure how to implement this in Flask but here is a decent example of how it can be done with a Nodejs backend. This example at least shows how you can implement it in Angularjs.
http://www.kdelemme.com/2014/03/09/authentication-with-angularjs-and-a-node-js-rest-api/
Update: JWT for Flask:
https://github.com/mattupstate/flask-jwt
I want to know where does ExtJS store keeps all the data? I know the data is stored in the memory but I want to know does it used HTML 5 local storage internally or if any other technique is employed?
Thanks,
Deepesh
It depends.
In every case, the data of the store is stored in a Javascript object. The store persists its data via a proxy. It is a matter of configuration how this data is stored. You can configure different types of proxies:
Client side storage
LocalStorageProxy - saves its data to localStorage if the browser supports it
SessionStorageProxy - saves its data to sessionStorage if the browsers supports it
MemoryProxy - holds data in memory only, any data is lost when the page is refreshed
Server side storage
Ajax - sends requests to a server on the same domain
JsonP - uses JSON-P to send requests to a server on a different domain
Rest - uses RESTful HTTP methods (GET/PUT/POST/DELETE) to communicate with server
Direct - uses Ext.direct.Manager to send requests
More details are in the docs.
The data is stored in an in memory collection called a MixedCollection. It's an ordered collection, but it also allows you to look up data by key, so it's like having an ordered hashmap.