Let's look at an example.
An application may contain a page to display user information, and allow the user
to update their details. If this page has a hidden username field that is used by the
application to know which user to update, then a user could update another user's
details by modifying the hidden field.
If the item was hidden and protected, the application would raise an error when the
modified value was submitted.
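A conceptual sketch of how a protected hidden item can detect tampering, added here as an illustration; it is not Oracle Application Express code and does not describe APEX's internal checksum. The names `SERVER_KEY`, `render_hidden`, `accept_submission` and the `_CK` field suffix are hypothetical.

```python
import hashlib
import hmac
import secrets

# Assumption: a server-side secret that is never sent to the browser.
SERVER_KEY = secrets.token_bytes(32)


class TamperedItemError(Exception):
    """Raised when a submitted hidden value does not match its checksum."""


def _checksum(session_id: str, item_name: str, value: str) -> str:
    # Bind the checksum to the session and the item so it cannot be replayed
    # from another session or copied onto a different item. Each part is
    # length-prefixed so the field boundaries are unambiguous.
    parts = (s.encode() for s in (session_id, item_name, value))
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def render_hidden(session_id: str, item_name: str, value: str) -> dict:
    """Return the form fields sent to the browser: the value and its checksum."""
    return {item_name: value,
            item_name + "_CK": _checksum(session_id, item_name, value)}


def accept_submission(session_id: str, item_name: str, form: dict) -> str:
    """Return the hidden value only if its checksum still verifies."""
    value = form.get(item_name, "")
    expected = _checksum(session_id, item_name, value).encode()
    supplied = form.get(item_name + "_CK", "").encode()
    if not hmac.compare_digest(expected, supplied):
        raise TamperedItemError(f"{item_name} was modified on the client")
    return value


def demo() -> tuple:
    # Constructed sample data: session "S1" belongs to user ALICE.
    form = render_hidden("S1", "P1_USERNAME", "ALICE")
    accepted = accept_submission("S1", "P1_USERNAME", dict(form))
    tampered = dict(form, P1_USERNAME="BOB")  # hidden field edited in the browser
    try:
        accept_submission("S1", "P1_USERNAME", tampered)
        rejected = False
    except TamperedItemError:
        rejected = True
    return accepted, rejected


if __name__ == "__main__":
    print(demo())
```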
Recommendation
Change all Hidden items to be Hidden and Protected,
unless they are modified by client-side code.
For Oracle Application Express version 4.0 onward, set the Value Protected item
in Settings on the item. Additional documentation covering hidden and protected
items can be found at the following URL:
http://download.oracle.com/docs/cd/E10513_01/doc/appdev.310/e10499/bldapp.htm#BCEGHEAJ
Items of type password
Password items enable users to enter passwords without saving them to the session
state. This prevents the password from being saved in the database in the session
state tables.
There are reports provided to identify at-risk password items:
1. Navigate to the Workspace home page.
2. Click on the Application Builder icon.
3. The Application Builder home page appears.
4. On the Tasks list, click on Cross Application Reports.
5. Under Security, click on Password Items.