David Crawford · Jul 31, 2019 2m read
Anti CSRF Methods

IRIS provides us with anti login CSRF attack mitigation, however this is not the same as a CSRF attack, as login attacks only occur on the login form. There are currently no built-in tools to mitigate CSRF attacks on api calls and other forms, so this is a step in mitigating these attacks.

See the following link from OWASP for the definition of a CSRF attack:

1 5 354
David Crawford · Jul 26, 2019 3m read
Dynamic SQL to Dynamic Object

Hello community! I have to work with queries using all kinds of methods like embedded sql and class queries. But my favorite is dynamic sql, simply because of how easy it is to manipulate them at runtime. The downside to writing a lot of these is the maintenance of the code and interacting with the output in a meaningful way.

1 7 500
David Crawford · Jul 15, 2019
Non CSP Files

CSP pages extend %CSP.Page. What about html/css/js/etc that are hosted on the same web application? Is there any way to override how they're processed like with how you can override a CSP page and CSP REST logic?

Thank you!


1 4 170
David Crawford · May 7, 2019
Linked Tables and Dialects

Hi! I've been fiddling with linked tables to get data from other servers, and I encountered a problem that I'm curious about. Maybe I'm not using these tools as intended or there's more going on, so I'm asking here.

I'm running a query on linked table A, something simple like this:

select name from A where id = 5983658923646

And I get this error:

[SQLCODE: <-400>:<Fatal error occurred>]

  [%msg: <>]

0 6 216
David Crawford · Jun 18, 2018
CSP Error Log

I thought I should be able to go to the application error log or look at d ^%ER when I get the following error in the browser when troubleshooting a CSP page:

An error occurred with the CSP application and has been logged to system error log (^ERRORS)

However nothing is being generated in these logs. Where are these logs being made?

Thank you

1 9 1,305

As part of our security standards, we can't have our applications saving our credentials. For Atelier, this means our server connections. Is there a way to stop this by saving the connection parameters, but prompting for credentials on each run? Or is there another way?

Thank you

0 6 455
David Crawford · Jun 5, 2018
Ternary Operators

Hello community, simple question. I've been able to use a ternary operator equivalent by using $select for inline if statements using this pattern:

set x = 1

set result = $select(x = 1: "true", x = 0: "false")

These can be nested and can have a lot of options. But I'm curious if there is a native way of using ternary operators in ObjectScript?

Thank you

0 1 622
David Crawford · Feb 20, 2018
REST Data Limit

I'm experimenting with sending large amounts of data in a POST payload to be stored as a stream. However I've noticed that no matter how many characters are in the message, Cache only gets about 32k of them, cutting off the rest. Conversely as expected it can only send about 32k worth of characters in a payload.

Before I get creative, is there a REST message size limit that can be changed? Or is there something else going on here?

Thank you!

0 9 708
David Crawford · Feb 15, 2018
Retrieving REST Data

I'm sending data via ajax to my REST service, and while retrieving any information sent in the url parameter is easy when they're defined in the route, I can't get anything if I store information in the data parameter. For example:

               url: "ServerURL",
               data: { "some": "json" } //How do I get this information?


I've looked at many common solutions such as here:

0 8 672