Saturday, September 29, 2007

Corporate sites with JavaScript and database lookups for consumers: a tip

I’ve noticed that some companies that offer financial or retail services to customers online, when they develop web pages with JavaScript, sometimes place hard-coded text content (sometimes embedded in the “newContent” parameters of JavaScript functions) that is viewable in browsers under “view source” but that is probably not appropriate for all consumers to see. Sometimes they place all hard-coded content for all possible consumers on one page and really may not want all consumers to see it. It would be more appropriate for this text itself to come from a database and be viewable only to the appropriate visitor or consumer. No, I won’t mention any names or misuse any information; I just wanted to pass this on as a programming issue.

Typically most of the pages will make one or more database calls (SQL) to find the information that the consumer requested. Sometimes the database calls are to image index files (images of mainframe documents) and get errors (often security or access-level related), leading to default error messages that are incorrect or misleading. Under “view source” in a browser (IE or Mozilla) the visitor can see his own information from the database and all of the JavaScript code, including hard-coded text. Companies may really not want visitors to be able to see all of this.
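The difference between the two approaches, as an added example that is not code from the original post or from any site it alludes to: the first renderer hard-codes every consumer group's text into the script sent to each visitor, the second filters on the server so only the visitor's own text is sent, and a small check flags pages that carry another group's text. Only `newContent` comes from the post; the table contents, segment names and function names are hypothetical.

```javascript
// Constructed sample data standing in for a database table of per-segment notices.
const CONTENT_ROWS = [
  { segment: "standard", text: "Your statement is ready." },
  { segment: "premium", text: "Premium rate review: call your advisor." },
  { segment: "collections", text: "Account referred to recovery team." },
];

const escapeHtml = (s) =>
  s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);

// Weak pattern: every segment's text is hard-coded into the script sent to
// every visitor; the browser merely picks which one to display.
function renderPageWeak(consumer) {
  const calls = CONTENT_ROWS.map(
    (r) => `  if (segment === ${JSON.stringify(r.segment)}) newContent(${JSON.stringify(r.text)});`
  ).join("\n");
  return `<script>\nvar segment = ${JSON.stringify(consumer.segment)};\n${calls}\n</script>`;
}

// Scoped pattern: the server filters rows by the authenticated consumer's
// segment, so text for other segments never leaves the server.
function renderPageScoped(consumer) {
  const rows = CONTENT_ROWS.filter((r) => r.segment === consumer.segment);
  return rows.map((r) => `<p class="notice">${escapeHtml(r.text)}</p>`).join("\n");
}

// Release check: list segments whose text appears in a page rendered for
// a consumer who does not belong to them.
function leakedSegments(html, consumer) {
  return CONTENT_ROWS.filter(
    (r) => r.segment !== consumer.segment &&
      (html.includes(r.text) || html.includes(escapeHtml(r.text)))
  ).map((r) => r.segment);
}

const visitor = { id: 1001, segment: "standard" }; // constructed session
console.log("weak page leaks:", leakedSegments(renderPageWeak(visitor), visitor));
console.log("scoped page leaks:", leakedSegments(renderPageScoped(visitor), visitor));
```

Running the same check against rendered pages in a test suite, once per consumer group, catches hard-coded text that was added for one group and shipped to all of them.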
