Upcoming WebSmart 5 Training Seminars in British Columbia

There are two WebSmart 5 Training classes scheduled for September:

  • Advanced WebSmart and WebSmart 5. Sept 12-15, 2005 at ESDI's office on the West Coast of Canada in Victoria, BC.
  • Fundamentals of Web Development with WebSmart. Sept 19-22, 2005 at ESDI's location.

WebCast 2: iSeries CGI Development - Alive and Well!
Hosted by Duncan Kenzie, CEO of BCD Tech Support
September 15, 12:30 PM EST (NY)

Advanced WebSmart and WebSmart 5
This class is intended for WebSmart programmers with some experience who would like to be exposed to more advanced programming techniques in a structured environment. As programmers, many of us spend our time thinking "there's gotta be a better way to do this...", but we can never make time in our heavy schedules to take a couple of hours (much less a couple of days) to figure out those better ways. This class will give you a break from the chaos at your office and allow you to take some time with one of our developers. The advanced WebSmart class is a great opportunity for you to sort out some of your weak areas with the product and benefit from our experience as WebSmart developers, programmers and consultants.

Fundamentals of Web Development with WebSmart
This is a comprehensive course that will give you a working knowledge of all the key areas you need to be familiar with in order to begin developing applications with WebSmart. The course begins with an introduction to HTML (page structure elements, tables, images and links), then continues on to creating simple WebSmart programs. As you familiarize yourself with the tool, you'll add more features to your application: passing parameters between programs, customizing file access, and then prompting users for input and validating what they enter. The class concludes with some exercises in securing applications, using SQL, and using WebSmart's Change Management interface.

If you are interested in attending either of these WebSmart classes or would like additional information, please fill out our Training Request form. You can also contact Marcel Sarrasin, our training coordinator.


BCD @ Fall COMMON

This year's fall COMMON conference is taking place in Orlando, Florida. As usual you can count on BCD to make a strong showing, with several representatives from the technical and sales teams. If you are coming to Orlando, please stop by for a chat.

Going to COMMON in Orlando? Attend the WebSmart LAB
Look for us at the expo, where there will be a few of us available to discuss and demo all the latest software features of the new and updated versions of WebSmart, Clover and Nexus, as well as deliver ad-hoc presentations on any of our products. Don't miss this opportunity to extract promises of new features from our development managers! And of course, there's the cash drawing too, you won't want to leave without entering your name.

Kevin Cronin (a recent recipient of the "Best Traditional Lab" award from the COMMON User Group) will also be leading a session entitled "CGI Made Easy - Browser Development with WebSmart". In this lab, you will get a hands-on introduction to building ILE RPG CGI programs using ProGen WebSmart, a charter member of the IBM iSeries Developer Roadmap. You will create a browser based CGI login program and use WebSmart's comprehensive set of templates to build SQL driven inquiries, maintenance programs, drill downs and more. Click on the link for scheduling and registration info.

We hope to see you there!


Clover Beta: Sign up Now!

The Clover development team is putting the final touches on the first version of Clover. You read about it in June's Tech Update, now try it out for yourself!

Clover is an optional component of the WebSmart suite. Its purpose is to allow developers and users to design reports and queries and deploy them in browsers. Clover is seamlessly integrated into WebSmart, so there is no special or separate install procedure. If you install the main WebSmart components (WAS on the server, IDE on the client) then you can use all the features of Clover.

Clover is designed to make it easy to write reports with subtotals, breaks, summaries or details, produce online bar graphs and more. It works with your existing iSeries or i5 database files, and provides SQL wizards to make constructing simple or complex relations between files intuitive.

What does Clover have that WebSmart doesn't?
WebSmart provides a platform to create sophisticated web applications such as file maintenance, order entry, shopping carts, web forums, document management, web services oriented applications, corporate portals, etc. - just about any business application you can imagine. Using WebSmart's coding environment, you can also write typical business reports such as sales analysis, invoices, etc. However, some of the features of typical reports, such as subtotals and breaks on values, require coding within the tool to accomplish these things. Clover addresses this issue by providing a new interface, tightly integrated with many of the existing features of the IDE, to enable you to write reports with little or no coding. It has its own set of templates that drive the Clover report creation wizards to make it easy to create reports with breaks, subtotals, graphs, etc. Using the included SQL wizard, you can relate many files (for example, join a header to a detail file) and define how you want the data sorted, filtered and reported.

We are now accepting applications for candidates to join our beta program.

By participating in the beta test, you will get early access to the software and all its features, as well as the developer's ear while you're trying it out. The beta stage of the software is when it's particularly malleable, and we're able to give you a quicker turnaround on your suggestions.

So if Clover sounds like something that you'd like to try out, we encourage you to visit the Clover Beta Request page at our web site.

If you have any questions about the beta, you can contact Technical Support. We will be happy to answer any questions you may have about the software.


Updated WebSmart Security White Paper

Duncan Kenzie, ESDI President, has recently updated our White Paper on WebSmart and security issues. The updated document includes a comprehensive overview of how WebSmart, in conjunction with the iSeries web server (native or Apache versions), provides all the tools and technology for you to create and deploy web applications that are totally secure and safe. These applications can be browser-based, or SOA applications, typically using web services.

If you currently run WebSmart applications that are available either internally or to the outside world, or are considering purchasing the product, this document is worthwhile reading.

If you have any questions on the content, please contact Technical Support.


BCD's Eric Figura Accepts Seat on IBM's iSeries ISV Advisory Council

IBM recently invited BCD's Eric Figura, Director of Sales and Marketing, to join the IBM iSeries ISV Advisory Council.

Eric commented on IBM's invitation: "BCD and I are pleased to have been invited by IBM to join the iSeries ISV Advisory Council. I accepted and look forward to offering my input and BCD's iSeries industry insight to this Council."

"I look at this as another positive expansion in the IBM / BCD relationship, coming six months after IBM made BCD a Charter Member of the iSeries Developer Roadmap."



Nippon Express - Mazda Delivery Order Management - Consulting Profile

Overview
Nippon Express, located in Wood Dale, Illinois, needed to create an online Delivery Order Management System to facilitate shipping and tracking orders for Mazda Corporation. Edward Miyahara (IS Manager), Paul Cree (IS Senior Supervisor) and Masanori Kobayashi (IS Developer) contracted the services of the BCD consulting group to assist with the development of a Delivery Order Management and Tracking system.

Paul Cree, IS Senior Supervisor, commented on the project: "We had a very tight deadline and no resources (in house) to complete it in the time allowed. The customer required a detailed development plan that had to be adhered to, to the letter. We had a lot to do just to complete the plan with the customer. Mike (Mike Richard, BCD WebSmart developer) completed the first phase in good time and everyone was pleased with the outcome. As a result we are continuing to expand our business with Mazda and the usefulness of the web site."

Delivery Order Management
The Delivery Order Management System provides functionality to manage delivery orders to be shipped via Sea Vessels or Air Shipments. Parts will be entered into the system for an order. These parts are then used to load into containers. These containers will be loaded into the appropriate vessels which will be shipped and delivered to the proper destination. History records are maintained for each part, container and vessel so it is easy to track the progress of any entity in the system.

Security
This system is used by many different Nippon Express and Mazda consoles positioned all over the globe. A user login is required to access the internal programs. This login will limit the functionality for that particular user depending on the user's authority code.

Another security feature used in the Delivery Order Management system is the History List. All changes made to any vessel, container or part, are logged in a history file. The user ID is stored along with the changes made to make it easier for administration to track the progress of orders.

Parts Maintenance
Parts can be added to the system from an XLS spreadsheet using an import facility written in WebSmart that reads the spread sheet data and builds the necessary records. Parts can also be added manually via the web programs.

Vessel Maintenance
For every run of a vessel, an entry will be added to the system. Each entry will have a Departure Port, Arrival Port as well as Estimated Time of Departure and Estimated Time of Arrival. Vessels can be either Sea vessels or Air vessels.

Container Maintenance
For every container on a vessel, an entry will be added to the system. If a container fails to get loaded onto its appropriate vessel, the vessel that container is associated with can be updated.

Container Loading Plan
The Container Loading Plan provides the functionality to place ordered parts into containers on the appropriate vessels. Once the loading plan is complete, it is submitted as a proposed loading plan.

Current Status
Currently, the Mazda Delivery Order Management System is used in Canada, USA, Japan and Europe and is used to manage and track their orders.

As a follow-up to the initial development work done by the BCD Consulting Group, Mike Richard, one of the WebSmart developers, visited Nippon Express and facilitated a 5-day WebSmart training course for Nippon's internal development staff. As a result of this course, and a review of the applications already developed, Nippon is now actively enhancing and adding programs to the Mazda Delivery Order Management System in house.

For further information about how this application was developed or for details on our consulting services, please contact Kevin Cronin.



New WebSmart Example Programs: User Controlled Text Size, Static Headings Over Scrollable Areas, etc.

Security Notice!

If you use WebSmart Change Management you will want to make sure that you are not inadvertently exposing the change management directories through your web server.

The best way to ensure this is to have a section like the following in your web server configuration:

<Directory /esdi/websmart/wcm/>
Order Deny,Allow
Deny From all
</Directory>

This only applies if you have not modified the IFS location of your change management files.

If you have any questions about this matter, please email tech support.
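An added configuration check, not code from the newsletter or from ESDI: this Python script reads an Apache-style httpd.conf and reports whether the default /esdi/websmart/wcm/ location is denied to all clients under the Order/Deny/Allow rules, including the case where an Allow directive in a more specific section re-opens it. The sample configurations are constructed for the example.

```python
import re

# Default IFS location of the Change Management files, as named in the notice above.
WCM_DIR = "/esdi/websmart/wcm/"

_BLOCK = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.I | re.S)


def directory_blocks(conf):
    """Yield (path, directive tokens) for every <Directory> section in conf.
    Each directive becomes a lower-cased token list, e.g. ['deny', 'from', 'all']."""
    for m in _BLOCK.finditer(conf):
        lines = (l.strip() for l in m.group(2).splitlines())
        tokens = [l.lower().split() for l in lines if l and not l.startswith("#")]
        yield m.group(1).rstrip("/") or "/", tokens


def wcm_is_blocked(conf, wcm_dir=WCM_DIR):
    """Return (blocked, reason) for wcm_dir under the Apache 1.3/2.2 access model.
    Sections for the directory and its ancestors are merged, least specific first,
    which approximates how Apache merges <Directory> sections."""
    target = wcm_dir.rstrip("/")
    merged = []
    for path, tokens in directory_blocks(conf):
        if path == target or target.startswith(path.rstrip("/") + "/"):
            merged.append((len(path), tokens))
    if not merged:
        return False, "no <Directory> section covers " + wcm_dir
    tokens = [t for _, block in sorted(merged, key=lambda x: x[0]) for t in block]

    order = "deny,allow"  # Apache's default when no Order directive is given
    deny_all = False
    allows = []
    for t in tokens:
        if t[0] == "order" and len(t) > 1:
            order = t[1]          # the last Order directive wins
        elif t[:3] == ["deny", "from", "all"]:
            deny_all = True
        elif t[0] == "allow" and len(t) > 2:
            allows.append(" ".join(t[2:]))
    if not deny_all:
        return False, "missing 'Deny from all' for " + wcm_dir
    if order == "deny,allow" and allows:
        # Under Order Deny,Allow the Allow directives are evaluated last and win.
        return False, "Allow from %s re-opens %s despite Deny from all" % (", ".join(allows), wcm_dir)
    return True, wcm_dir + " is denied to all clients"


# Constructed sample configurations (not taken from any real server).
GOOD_CONF = """
<Directory /esdi/websmart/wcm/>
Order Deny,Allow
Deny From all
</Directory>
"""

REOPENED_CONF = """
<Directory /esdi/websmart/>
Order Deny,Allow
Deny From all
</Directory>
<Directory /esdi/websmart/wcm/>
Allow from 192.0.2.0/24
</Directory>
"""

MISSING_CONF = """
<Directory /esdi/websmart/>
Options None
</Directory>
"""

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("reopened", REOPENED_CONF), ("missing", MISSING_CONF)):
        print(name, wcm_is_blocked(conf))
```

Apache 2.4 replaced Order/Deny/Allow with "Require all denied", so the check applies to the 1.3 and 2.2 style configuration shown in the notice.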


The following new WebSmart example programs were added recently:
  • Example 97 - Example Program 97 showcases a technique you can use to control the status of multiple checkboxes using a single checkbox control.
  • Example 96 - This example demonstrates how to simulate a tabbed panel using JavaScript and div tags. Tabs can also be created with rounded corners. The program description includes details of two different ways to accomplish the rounded corner effect:
    • CSS and round corners: Making accessible menu tabs.
    • Nifty Corners: rounded corners without images.
  • Example 95 - Static headings above a scrollable area. See how to create a scrollable table with static headings using an overflow setting on a div tag.
  • Example 94 - User-controlled text size. This program shows how you can give the user control of the text size on your web pages.
For further details on any of the WebSmart examples, or if you have any questions on how to implement the techniques they demonstrate, please contact Technical Support.


Web Programming Tech Info: SQL Injection

Web applications that use HTML form supplied data in SQL queries can be vulnerable to a technique known as SQL injection. This technique seeks to insert valid SQL predicates into an SQL WHERE clause. The results can either show hackers data that they shouldn't see, or provide hackers with answers to YES or NO questions about the database.

Simple SQL Injection
Suppose your web program requests all records for an order number, like this:

The HTML form accepts the text input (in this case, the order number) and displays a list of all matching order details. This program works by concatenating the text input to an SQL SELECT string. The PML for this looks like this:

srchValue = getparm("srchValue");
selstring = "SELECT * FROM XL_WEBDEMO/MU_ORDDF WHERE ODORD =" + srchValue;

So far, so good.

But suppose that a clever hacker, instead of just entering an order number, appended the string " or 1=1" to the order number in the filter. This results in an SQL query that looks like this:

SELECT * FROM XL_WEBDEMO/MU_ORDDF WHERE ODORD=100001 or 1=1

Since "1=1" is always true, our hacker now sees all order numbers.

Querying the Database
SQL injection can also be used to ask yes/no questions of the database. This is done by injecting entire sub-select queries. If any records are returned, then the answer to the question is Yes. If no records are returned, then the answer to the question is No.

Suppose we want to discover the name of the file which contains customer information. A hacker with a little iSeries knowledge will know that system table QSYS/QADBXFIL contains information about all tables on the system. Hence, if they started with an educated guess that the customer file name contains the letters "CUST", they could inject a sub-select which would help them discover the customer file name:

In the illustration above they've entered the following string:

100001 and (exists (select * from qsys/qadbxfil where dbxfil like '%CUST'))

Here they are asking the question "Are there any tables whose name contains the string CUST?". If some results were returned, the answer to the question is Yes.

And so on. From a starting point like this, a hacker taking a bit of a brute force approach could eventually discover the file name and library. Then, with a few astute guesses and time on his hands, a hacker could start discovering the field names, and their contents, including, for example, the contents of a credit card number field.

Given patience, time, and some educated guesswork, a hacker can glean a fair bit of information from and about your database.

Preventing SQL Injection
The only safe way to prevent SQL injection is to validate all input that will be used for constructing SQL Select strings. There are two simple techniques to do this:
  • For numeric fields, use PML function isnumeric to ensure that the text input value consists of digits only;
  • For alpha fields, use PML function rplstr to replace all quote characters (') with the single-character wildcard (_). Then prepend and append a single quote to the entire value. This prevents a hacker from "breaking out" of a quoted value, and therefore prevents the injection of additional SQL WHERE predicates into the SELECT string.

If you have any questions about this topic, it is addressed in more detail in the Security chapter of the WebSmart 5.0 Reference Guide; or contact Tech Support.
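As an added illustration (not code from the newsletter and not WebSmart PML), this Python model builds the ODORD query the way the program above does, applies the two validation rules, and counts WHERE predicates so an injected value stands out as an extra predicate. The digits-only model of isnumeric and the CUNAME column are assumptions made for the example.

```python
import re

ORDER_SELECT = "SELECT * FROM XL_WEBDEMO/MU_ORDDF WHERE "


def build_unsafe_query(srch_value):
    """The original PML logic: the form value is concatenated straight into the SELECT."""
    return ORDER_SELECT + "ODORD = " + srch_value


def is_numeric(value):
    """Model of the isnumeric check used in rule 1: one or more decimal digits, nothing else."""
    return value != "" and all("0" <= ch <= "9" for ch in value)


def build_numeric_query(srch_value):
    """Rule 1 for numeric fields: refuse anything that is not digits only."""
    if not is_numeric(srch_value):
        raise ValueError("ODORD must be digits only, got %r" % srch_value)
    return ORDER_SELECT + "ODORD = " + srch_value


def quote_alpha(value):
    """Rule 2 for alpha fields: replace each quote with the single-character wildcard _
    (what rplstr does on the page), then wrap the whole value in single quotes."""
    return "'" + value.replace("'", "_") + "'"


def build_alpha_query(name):
    # CUNAME is a hypothetical character column, assumed for illustration only.
    return ORDER_SELECT + "CUNAME = " + quote_alpha(name)


def count_predicates(sql):
    """Count predicates in the WHERE clause, ignoring anything inside single-quoted
    literals. A well-formed single-field lookup has exactly one; an injection adds more."""
    where = sql.upper().split(" WHERE ", 1)[1]
    no_literals = re.sub(r"'[^']*'", "''", where)
    return 1 + len(re.findall(r"\b(?:AND|OR)\b", no_literals))


if __name__ == "__main__":
    # Constructed inputs: a normal order number and the newsletter's " or 1=1" case.
    for value in ("100001", "100001 or 1=1"):
        sql = build_unsafe_query(value)
        print(count_predicates(sql), "predicate(s):", sql)
        print("passes rule 1:", is_numeric(value))
    print(build_alpha_query("O'Brien"))
```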


Summary List of Recent Updates

WebSmart 5.11
IMPORTANT NOTICE: These updates are for release 5.11 ONLY! If you are not at this release, do not apply them.
  • Build 8476 - 2005/07/19 - This update includes all previous fixes, as well as the following:
    1. Enhancement: set initial size better for desktops > 800x600
    2. Enhancement: Allow crtlike over database fields
    3. Enhancement: Use Rcdfmt AND file level id's for level checking
    4. Enhancement: Allow field list sort
    5. Fix: *DFTKEY validation problem
    6. Fix: Could open a WCM definition while generating
    7. Fix: HTML character replacement not happening consistently in free format
    8. Fix: Next and prev IDE commands
    9. Fix: PML auto-formatting would misinterpret a // in a constant (stop formatting a section)
    10. Fix: Rare case of the WCM exported definition saved to strange spot
    11. Fix: Under extreme pasting conditions a GPF could result

  • W511001P.EXE - 2005/07/19 - Includes all previous enhancements and fixes as well as the following:

    1. Change to ECRTCGI for SQL cursor close problem
    2. Fix for chgvlepwd
    3. Fix for redirect RAND parameter
    4. Fix to wrtevar
Please visit the WebSmart Updates page for further information on the available updates.


Catapult 5.65

Catapult 5.65 is now available for download from our web site. Version 5.65 (Poller: 5.65 build 2128, Console: 5.65 build 1794) contains all the latest fixes, as well as a few new features, including the following recent update:
  • Upgraded email component to help remove Catapult generated emails from spam blacklists (such as SpamAssassin). SpamAssassin was arbitrarily picking up the series of characters embedded in a MIME tag used to separate attachments within the email.
  • Modification to how the Poller 'fixes' file paths to remove invalid characters. In some cases it was removing backslash characters incorrectly.
  • Catch Windows message when re-connecting to a Network resource. The Poller was incorrectly flagging the request in error in this case.
  • Resolved a problem encountered with embedded font tags in *RICH downloads when creating PDF and RTF documents in the Poller. This problem would only occur when Split/Parsing from *STARTOFREPORT to *ENDOFREPORT and the font tag is past the key value in the report.
Please visit the Catapult Updates page for further information on the available updates.


ProGen Plus 8.03
These are the latest ProGen Plus updates:
  • PG8A004 - August 10, 2005 - Accum 4, for release 8.03. (Note: You must upgrade to 8.03 first before you upgrade to this release). Upgrade 8.04 includes updates PG8R0036-45.
  • PG8R046 - 2005/08/10 - Various minor fixes for the actions editor.
  • PG8R045 - 2005/08/05 - Correct loop when over 30 *LINK work fields are used.
  • PG8R044 - 2005/08/05 - Adds an option to delete user code when deleting a definition.
  • PG8R043 - 2005/08/04 - Corrects the parameter conflict with GN#X66C when running the command ZCHGDBF.
  • PG8R042 - 2005/07/14 - Corrects the issue where the panel help would get unselected with F3 from the Work with Panel Help screen.
  • PG8R041 - 2005/07/14 - Corrects the issue adding data area to the KB.
  • PG8R040 - 2005/07/14 - Corrects the handling of the sub-file option K in work with work fields.
  • PG8R039 - 2005/07/14 - Corrects display on ZCHGFFD for blank records on the sub-file.
  • PG8R038 - 2005/07/01 - Corrects validations for window dimensions.
Please visit the ProGen Plus Updates page for further information on the available updates.


DbGen 2.31
There is also a new DbGen update:
  • DB23R011 - 2005/08/15 - Fix subfile positioning in Work with DbGen Object Management (option 7 from the main menu). (583 kilobytes)
Please visit the DbGen Updates page for further information on the available updates.


Spool-Explorer/400 Release 4.23 (08/09)

A new version of Spool-Explorer/400 is available for download. This version includes all previous updates and enhancements. Version 4.23 includes the following new features and fixes:
  • Spool-Explorer now uses HKey_Current_User for all registry settings. This change facilitates using Spool-Explorer in secure environments when using Windows 2000/2003 and Windows XP. Note: On initial startup Spool-Explorer will migrate existing settings in the registry. Depending on your computer this can take a few minutes. Please be patient; this process is only executed once per User/PC.
  • All default directories have been switched to 'My Documents\SpoolExplorer'. This removes the difficulty restricted user profiles encounter when trying to create temporary files and translation tables.
  • Upgraded email component to help remove Spool-Explorer generated emails from spam blacklists (such as SpamAssassin). SpamAssassin was arbitrarily picking up the series of characters embedded in a MIME tag used to separate attachments within the email.
  • Spool-Explorer security has been enhanced to disable modifications to spool file contents. This can be set for individual users or groups.
Please visit the Spool-Explorer Updates page for further information on the available updates.



© 2005 ExcelSystems Software Development, Inc.
ProGen WebSmart and ProGen Plus are Registered Trademarks in the US and Canada, and Trademarks in all other countries.