Skip to Content
Former Member
Jun 02, 2013 at 04:45 PM

Security of parameters



I want to provide a report in a DHTML viewer. This report should filter the data to let the user see only the data he should see.

Therefore I use a record selection formula USER_ID = {?USER_ID}.

This parameter is hidden in the parameter panel and set by the servlet programatically.

However, I am not sure, if this is secure enough because I don't know if a user can manipulate the post-back of the report viewer to change the value of this parameter.

Is this possible, even if the parameter is hidden in the parameter panel?

Should I use a formula instead, which cannot be changed by a user for sure?

Thanks in advance,