I think you need a server-side script (like PHP, ASP, ... depending on your server and available extensions) to query a server DB about the username/password combination. You could query this script with getNetText or postNetText. See: <http://www.shocknet.org.uk/index.asp>
Thank you Sean. I don't know much about this sort of thing but will look at the information you linked to. Thanks!
If you’re running ASP server side, I’ve written a matched set of scripts in Lingo and ASP that allow you to submit SQL queries from a projector/Shockwave and retrieve the resulting record set as a nested set of lists. It’s based on information from the link Sean posted; however, I’ve allowed Director to dynamically construct the SQL query at runtime (greatly increasing flexibility for clients that must execute many DB functions) and added RC4 data encryption in both directions to protect the database and secure the retrieved data (this stops hackers from using the script as an open port to the DB).
The server side ASP script is simple: it takes the RC4 encrypted SQL query sent from Director, decrypts the SQL string, queries the DB, and sends the record set back to Director either encrypted or clear text, your choice.
The client side Lingo script is, well… not so simple. It first constructs the query in the form of a SQL string, encrypts the string, and then sends the encrypted string to the ASP script for processing. It’s been a long time since I’ve looked at the scripts but I believe I wrote them to execute the net operations synchronously … i.e., Director goes into a hold loop while waiting for a response or timeout. Once a response is received, Director decrypts the results if necessary and that’s where the fun begins … the server response can be anything from a timeout, net operation failure, SQL error, or the response you were looking for. Unfortunately the error handling can bulk the script up quickly.
Just a quick note about security: The RC4 encryption scheme prevents hackers from using the ASP script as a portal into your database, but it does not prevent anyone with access to your Director client from attempting an SQL injection attack. To prevent these types of attacks you must be sure to sanitize any user input before incorporating it into the query string. These types of attacks are very real; I had a site I manage disabled for a few days because a hacker exploited the one field out of hundreds that didn’t properly scrub user input.
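The injection risk raised in the post above, as an added example that is not part of the thread and is not Applied CD's scripts: the same username/password check built by string concatenation and with bound parameters. Python with an in-memory SQLite database stands in for the ASP/DB back end; the table, column and function names are hypothetical, the sample rows are constructed, and parameter binding is used here in place of hand-written input scrubbing.

```python
import sqlite3


def make_db():
    # Constructed sample data: two accounts in an in-memory database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", "constructed-hash-1"))
    db.execute("INSERT INTO users VALUES (?, ?)", ("o'brien", "constructed-hash-2"))
    return db


def login_concatenated(db, username, password_hash):
    # Weak form: user input becomes part of the SQL text itself,
    # as happens when a client assembles the query string at runtime.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password_hash = '" + password_hash + "'")
    return db.execute(sql).fetchone()[0] > 0


def login_parameterized(db, username, password_hash):
    # Corrected form: the SQL text is fixed; input is bound as data only.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return db.execute(sql, (username, password_hash)).fetchone()[0] > 0


def compare(db, username, password_hash):
    # Run both forms on the same input and report each outcome.
    try:
        weak = login_concatenated(db, username, password_hash)
    except sqlite3.OperationalError as exc:
        weak = "SQL error: %s" % exc  # input broke the statement's syntax
    return weak, login_parameterized(db, username, password_hash)


if __name__ == "__main__":
    db = make_db()
    cases = [
        ("alice", "constructed-hash-1"),   # correct credentials
        ("alice", "x' OR '1'='1"),         # quote in input rewrites the WHERE clause
        ("o'brien", "constructed-hash-2"), # legitimate name containing a quote
    ]
    for user, pw in cases:
        print(user, pw, "->", compare(db, user, pw))
```

The third case shows why stripping or rejecting quote characters is a poor substitute: the concatenated form fails on a legitimate name, while the bound form handles it unchanged.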
Thank you Applied CD for that answer. I'll PM you.