Allowing project methods
The 4D tags such as
4DHTML... as well as the
/4DACTION URL allow you to trigger the execution of any project method of a 4D project published on the Web. For example, the request http://www.server.com/4DACTION/login causes the execution of the login project method, if it exists.
This mechanism therefore presents a security risk for the application, in particular if an Internet user intentionally (or unintentionally) triggers a method not intended for execution via the web. You can avoid this risk in the following ways:
Filter the methods called via the URLS using the
On Web Authenticationdatabase method. Drawbacks: If the database includes a great number of methods, this system may be difficult to manage.
Use the Available through 4D tags and URLs (4DACTION...) option found in the Method properties dialog box:
This option is used to individually designate each project method that can be called using the
4DACTION special URL, or the
4DLOOP tags. When it is not checked, the project method concerned cannot be directly executed through an HTTP request. Conversely, it can be executed using other types of calls (formulas, other methods, etc.).
This option is unchecked by default. Methods that can be executed through
4DACTION or specific tags must be specifically indicated.
In the Explorer, Project methods with this property are given a specific icon: