7 Replies Latest reply: Apr 10, 2013 2:54 PM by Tom Petrus

    Hidden Item - "Value Protected": When can its value be changed?

    Howard (... in Training)
      Question: When can a "Value Protected" Hidden Item be changed?

      I see from http://docs.oracle.com/cd/E17556_01/doc/user.40/e15517/item_types.htm :

      Hidden Item
      Settings attributes:
      •Value is Protected - Select Yes to prevent hidden values from being manipulated when a page is posted.

      Question: How do Value Protected Hidden Items work -- i.e., what is their semantics?

      Now, I'm trying to ask an intelligent question. I understand that “prevent hidden values from being manipulated when a page is posted” means the value can’t be changed. And I assume "posted" means submitted to Session State. (My search for a definition for "post" failed.)

      So all this raises the question(s):
      Just when -- page rendering / page processing -- can a "Value Protected" Hidden Item's value be changed?
      Exactly what event signals the beginning of the period when it cannot be changed?
      Is this feature protecting Session State only or protecting the HTML value as well?
      Or are these not even the right questions?

      ???
      Howard
        • 1. Re: Hidden Item - "Value Protected": When can its value be changed?
          Tom Petrus
          You can edit the item's properties on your page as much as you want, with for example JavaScript. When you inspect the generated source, you will notice that a hidden protected item has a checksum generated as well.
          This means that when you submit the page the db will check the submitted value's checksum vs the original checksum. Change? Warn.
          You can change the hidden item's value during the rendering with for example a computation. You can change the item's value with JavaScript or through other means to get to the value (such as with Firebug). But on page submit it will validate those checksums.
          • 2. Re: Hidden Item - "Value Protected": When can its value be changed?
            fac586
            Howard (... in Training) wrote:
            Question: When can a "Value Protected" Hidden Item be changed?

            I see from http://docs.oracle.com/cd/E17556_01/doc/user.40/e15517/item_types.htm :

            Hidden Item
            Settings attributes:
            •Value is Protected - Select Yes to prevent hidden values from being manipulated when a page is posted.

            Question: How do Value Protected Hidden Items work -- i.e., what is their semantics?
            On page show a checksum based on the item session state value is computed and included in another hidden item. On page accept a checksum based on the value submitted from the page is computed. If the checksums don't match then an attempt has been made to interfere with the hidden value.

            Compare the hidden items on page 6 of the Sample DB app:
            // P6_PRODUCT_ID: Not protected
            <input type="hidden" name="p_arg_names" value="30718765321393579456" />
            <input type="hidden" name="p_t01" id="P6_PRODUCT_ID" value="8">
            
            // P6_BRANCH: Protected
            <input type="hidden" name="p_arg_names" value="27189119127890306478" />
            <input type="hidden" name="p_t09" id="P6_BRANCH" value="3">
            <input type="hidden" name="p_arg_checksums" value="27189119127890306478_2C402BD2F7FE97372670AEBE3FC4A967">
            Now, I'm trying to ask an intelligent question. I understand that “prevent hidden values from being manipulated when a page is posted” means the value can’t be changed. And I assume "posted" means submitted to Session State. (My search for a definition for "post" failed.)
            Posted = Submitted. POST is the HTTP request method used to submit the page.
            So all this raises the question(s):
            Just when -- page rendering / page processing -- can a "Value Protected" Hidden Item's value be changed?
            In session state during page show or page accept processing, but not by the user or JavaScript changing the value in the browser page. (A Dynamic Action or On-Demand Process can change the value using code executed on the server, but this would be overwritten by the protected page value when the page is submitted.)
            Exactly what event signals the beginning of the period when it cannot be changed?
            It's not that there's a "period" when it can't be changed. The intention is to prevent the value in the page being modified by the user/browser.
            Is this feature protecting Session State only or protecting the HTML value as well?
            Session state. You can change the value in the page using a web inspector or JS console. When it's submitted you'll get an error:
            ......message: Session state protection violation: This may be caused by manual alteration of protected page item
            P6_BRANCH. If you are unsure what caused this error, please contact the application administrator for assistance
            Or are these not even the right questions?
            Not bad for you. ;-)
            • 3. Re: Hidden Item - "Value Protected": When can its value be changed?
              Howard (... in Training)
              Thanks Tom,

              This helps some but I'm still a little bewildered by what seem the various permutations. I'll mark helpful.

              Howard
              • 4. Re: Hidden Item - "Value Protected": When can its value be changed?
                Howard (... in Training)
                Paul,

                Great! Great! Very clear and complete.
                Re: In session state during page show or page accept processing, but not by the user or JavaScript changing the value in the browser page. (A Dynamic Action or On-Demand Process can change the value using code executed on the server, but this would be overwritten by the protected page value when the page is submitted.)
                So assignments in Dynamic Actions count as prevented User/Browser modifications. So if I set Hidden Item ":P3_HIDDEN := 3;" in a user/browser triggered Dynamic Action, that value is not Submitted. Got it.

                Question: But what about "Page Processing"? Specifically, the various Item Validations and Page Validations? If they change a Protected Hidden Item value, is that change Submitted or rejected?
                Not bad for you. ;)
                If I open the door like that, I guess I can't complain about what comes through!

                Thanks,
                Howard
                • 5. Re: Hidden Item - "Value Protected": When can its value be changed?
                  fac586
                  Howard (... in Training) wrote:
                  Paul,

                  Great! Great! Very clear and complete.
                  Re: In session state during page show or page accept processing, but not by the user or JavaScript changing the value in the browser page. (A Dynamic Action or On-Demand Process can change the value using code executed on the server, but this would be overwritten by the protected page value when the page is submitted.)
                  So assignments in Dynamic Actions count as prevented User/Browser modifications. So if I set Hidden Item ":P3_HIDDEN := 3;" in a user/browser triggered Dynamic Action, that value is not Submitted. Got it.
                  No, you didn't get it. An Execute PL/SQL dynamic action like
                  :P3_HIDDEN := 3;
                  that changes the session state value is permitted (but this value will be overwritten by the original one if the page is submitted). The equivalent Execute JS dynamic action
                  $s('P3_HIDDEN', 3);
                  is not permitted because it changes the page value, and an error will occur if the page is submitted.
                  Question: But what about "Page Processing"? Specifically, the various Item Validations and Page Validations? If they change a Protected Hidden Item value, is that change Submitted or rejected?
                  Doesn't apply. The page has already been submitted. (The browser submits/posts the page; APEX accepts it). Look at a debug trace for a page accept action: the item values are copied into session state before computations, validations and processes are run.
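The behaviour fac586 describes in replies 2 and 5, as an added example that is not part of the original thread and is not APEX's own code: a simplified Node.js model of the page show / page accept checksum. HMAC-SHA256, the per-session key and all function names are assumptions; the thread does not show APEX's real checksum algorithm.

```javascript
// Simplified model of a protected hidden item. HMAC-SHA256 and the per-session
// key are assumptions; the thread does not show APEX's real checksum algorithm.
const crypto = require('crypto');

function checksum(key, name, value) {
  return crypto.createHmac('sha256', key).update(name + '\u0000' + value).digest('hex').toUpperCase();
}

// Page show: render the item from session state and emit its checksum alongside.
function pageShow(session, name) {
  const value = String(session.state[name]);
  return { name, value, checksum: checksum(session.key, name, value) };
}

// Page accept: verify the submitted value, then copy it into session state
// before any computations, validations or processes would run.
function pageAccept(session, form) {
  const expected = Buffer.from(checksum(session.key, form.name, String(form.value)));
  const got = Buffer.from(String(form.checksum));
  if (got.length !== expected.length || !crypto.timingSafeEqual(got, expected)) {
    throw new Error('Session state protection violation: ' + form.name);
  }
  session.state[form.name] = form.value;
  return session.state[form.name];
}

// Constructed session (item name and value borrowed from the thread's P6_BRANCH example).
function newSession() {
  return { key: crypto.randomBytes(32), state: { P6_BRANCH: '3' } };
}

// Case 1: value changed in the browser (web inspector, $s) is rejected on submit.
function clientTamper() {
  const s = newSession();
  const form = pageShow(s, 'P6_BRANCH');
  form.value = '99';
  try { pageAccept(s, form); return 'accepted'; } catch (e) { return e.message; }
}

// Case 2: server-side code changes session state after render; the untouched
// page value still verifies and overwrites that change on submit.
function serverSideChangeThenSubmit() {
  const s = newSession();
  const form = pageShow(s, 'P6_BRANCH');
  s.state.P6_BRANCH = '7'; // stands in for an Execute PL/SQL dynamic action
  const before = s.state.P6_BRANCH;
  return { before, after: pageAccept(s, form) };
}
```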
                  • 6. Re: Hidden Item - "Value Protected": When can its value be changed?
                    Howard (... in Training)
                    Now you’re gonna make me cry!

                    <vent>Question: So these guys that wrote APEX, in their former careers, they were LAWYERS?</vent>

                    So both JS and PL/SQL succeed in changing their respective values but neither causes a (final?) change in Session State? The first, JS, results in an error while the second, PL/SQL, does not. (To me that's a silent failure -- I wouldn't have changed the value if I did want the change to stick -- and there is little documentation to explain this "feature" as you have explained.)

                    Question: So as long as I don’t Submit the page, I can continue to change Session State with Dynamic Actions all I want? !!!

                    <vent>It’s no wonder newbies have problems.</vent>

                    <GRIPE>There are too many ifs, and ifs, whens, ors, or ifs, whiles, except whens, .... And way too little documentation of "how" features operate.</GRIPE> Okay, it is what it is. :( But as I wrote elsewhere: "Web technology is an amalgam of rapidly evolving technologies each with their individual syntax definitions." And semantics! T'aint simple.

                    Let's go on a lighter note. I found this on the web -- but I changed a few words.
                    Brilliant Reactive Automated Intelligent Neurological agent (BRAIN) is a rapid web application development tool for brain surgery. Using only a web browser and limited medical experience, you can quickly develop and conduct professional brain surgery that is both fast and effective. BRAIN is a fully supported, no cost feature of the BRAIN Application Pancyclopaedic Eclectic Xerography group.

                    Must remember to love APEX. Must remember to love APEX. Must remember to love APEX. Must remember ...

                    Thanks,
                    Howard
                    • 7. Re: Hidden Item - "Value Protected": When can its value be changed?
                      Tom Petrus
                      Now you’re gonna make me cry!
                      Oh, didn't you realize that is the reason why we check these forums every day? :-)
                      <vent>Question: So these guys that wrote APEX, in their former careers, they were LAWYERS?</vent>
                      Unfortunately, no. At least not I.
                      So both JS and PL/SQL succeed in changing their respective values but neither causes a (final?) change in Session State? The first, JS, results in an error while the second, PL/SQL, does not. (To me that's a silent failure -- I wouldn't have changed the value if I did want the change to stick -- and there is little documentation to explain this "feature" as you have explained.)
                      Sure, both succeed, as long as we're not talking within the context of page submission.
                      Question: So as long as I don’t Submit the page, I can continue to change Session State with Dynamic Actions all I want? !!!
                      Yes.
                      <vent>It’s no wonder newbies have problems.</vent>
                      Everybody encounters problems. I'd say that's good, you learn from them. But only if you're interested in the why and how.
                      <GRIPE>There are too many ifs, and ifs, whens, ors, or ifs, whiles, except whens, .... And way too little documentation of "how" features operate.</GRIPE> Okay, it is what it is. :( But as I wrote elsewhere: "Web technology is an amalgam of rapidly evolving technologies each with their individual syntax definitions." And semantics! T'aint simple.
                      It's rather ok. I don't find this particular case too hard to understand honestly (personally, I don't mean to belittle!). I can see why you'd be confused about the "protection", but all it actually means to say is that changes made on the client side are prohibited. The checksum is there to accomplish this, but this works at page submit as the checksum item is only submitted then.
                      You can freely alter the value so long as the page is not submitted, simply because there is no checking of checksum.
                      Let's go on a lighter note. I found this on the web -- but I changed a few words.
                      Brilliant Reactive Automated Intelligent Neurological agent (BRAIN) is a rapid web application development tool for brain surgery. Using only a web browser and limited medical experience, you can quickly develop and conduct professional brain surgery that is both fast and effective. BRAIN is a fully supported, no cost feature of the BRAIN Application Pancyclopaedic Eclectic Xerography group.

                      Must remember to love APEX. Must remember to love APEX. Must remember to love APEX. Must remember ...
                      It's a state of mind.