Net.Data provides several configuration
variables that can be used to limit the activities of end users or conceal the
design of your database.
- Control file access with path statements
- Net.Data evaluates the settings of path configuration statements to
determine the location of files and executable programs that are used by
Net.Data macros. These path statements identify one or more
directories that Net.Data searches when attempting to locate macros,
executable files, include files, or other flat files. By selectively
including directories on these path statements, you can explicitly control the
files that are accessible by users at browsers. Refer to Configuring Net.Data for additional detail about path statements.
You should also use authorization checking as described in Using Authorization and verify that file names cannot be changed in INCLUDE
statements as described in Macro Development Techniques.
- Disable SHOWSQL for production systems
- The SHOWSQL variable allows the user to specify that Net.Data
displays the SQL statements specified within Net.Data functions at a
Web browser. This variable is used primarily for developing and testing
the SQL within an application and is not intended for use in production
systems.
You can disable the display of SQL statements in production environments
using one of the following methods:
See SHOWSQL in the variables chapter of Net.Data
Reference for syntax and examples for the SHOWSQL Net.Data variable.
- Consider whether it is appropriate to enable direct request for production
environments
- The direct request method of invoking Net.Data allows a user to
specify the execution of an SQL statement or Perl, REXX, or C program directly
from a URL. The macro request method allows users to execute only those
SQL statements and functions defined or called in a macro.
You should carefully consider whether to allow the use of direct request
because it might give your users the ability to execute a very broad set of
functions. When enabling this method of invocation, ensure that the user ID
under which the Net.Data request is processed has the appropriate level
of authorization.
You can use the DTW_DIRECT_REQUEST configuration variable to disable direct
request. See DTW_DIRECT_REQUEST: Enable Direct Request Variable for syntax and additional information.
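
The three settings above can be checked together before a system goes into production. The following audit script is an added example, not code from the Net.Data documentation. It assumes the initialization file uses `KEY value` or `KEY = value` lines with semicolon-separated directories. The names `MACRO_PATH`, `INCLUDE_PATH`, `EXEC_PATH`, `FFI_PATH` and `DTW_SHOWSQL` do not appear on this page, and the sample file and the list of overly broad directories are constructed for illustration.

```python
import re

# Constructed sample initialization file; the directory names are made up.
SAMPLE_INI = """\
MACRO_PATH /netdata/macros;/
INCLUDE_PATH /netdata/include;/tmp
EXEC_PATH /netdata/exec
DTW_DIRECT_REQUEST YES
"""

# Path statement names are assumed here; they are not listed on this page.
PATH_KEYS = {"MACRO_PATH", "INCLUDE_PATH", "EXEC_PATH", "FFI_PATH"}
# Assumption: directories a site would not want on any search path.
BROAD_DIRS = {"/", "/tmp", "/home", "/etc", "."}

def parse_ini(text):
    """Return {KEY: value} for 'KEY value' or 'KEY = value' lines."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*=?\s*(\S.*)?$", line)
        if m:
            settings[m.group(1)] = (m.group(2) or "").strip()
    return settings

def audit(text):
    """Return a list of findings for the hardening points described above."""
    cfg = parse_ini(text)
    findings = []
    # Every directory on a path statement is reachable from a browser request.
    for key in sorted(PATH_KEYS & cfg.keys()):
        for d in cfg[key].split(";"):
            d = d.strip()
            if not d:
                continue  # tolerate a trailing semicolon
            if (d.rstrip("/") or "/") in BROAD_DIRS:
                findings.append(f"{key}: directory '{d}' is too broad")
    # SQL display and direct request should both be off in production.
    for key in ("DTW_DIRECT_REQUEST", "DTW_SHOWSQL"):
        value = cfg.get(key)
        if value is None:
            findings.append(f"{key}: not set, confirm the default for your release")
        elif value.upper() != "NO":
            findings.append(f"{key}: set to {value}, expected NO in production")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INI):
        print(finding)
```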