Prompt SQL action via mail

  • Thread starter Thread starter Rob Oldfield
  • Start date Start date
R

Rob Oldfield

Hi,

I'm working on a VB app that links in to our personnel db to control holiday
requests. The idea is that a user can go into the app, enter some dates
that they want holiday for, with that then passed to their manager for
approval. My original thinking was that the request would generate a mail
to the manager saying "Bert wants August off", allowing the manager to go
into the app, review if anyone else has the period booked etc, and approve
(or not) the request.

But.... if the manager immediately knows that a particular request is going
to be OK... I'm thinking that it would be more efficient to allow the
manager to approve the request by acting on the mail they get. Either by
clicking a button within it, or replying/forwarding the message. Or
something.

So... does anyone have any idea on the best way of doing this? What event
can I generate from whatever the manager does with the mail that will be
detectable (probably by a service running on a server somewhere)?

Hope thats clear. Any suggestions gratefully received.
 
You could just embed a hyperlink that points to an ASP.Net web page and put
any additional context information you need as parameters to the URL.

Regards,

Andrew Elmhorst
 
Yes. I thought of that soon after I posted it. Trouble with that is that
if I set up a page that accepts the parameter of a HolidayID which it then
uses in an SQL statement, then potentially someone could override it and
edit an ID before following the link. I might be being paranoid but I'd
prefer something that limits it to the person who actually gets the mail (or
that is too complicated for the 'above average user - that guy who always
messes with things' to figure out)
 
Yes. I thought of that soon after I posted it. Trouble with that is that
if I set up a page that accepts the parameter of a HolidayID which it then
uses in an SQL statement, then potentially someone could override it and
edit an ID before following the link. I might be being paranoid but I'd
prefer something that limits it to the person who actually gets the mail (or
that is too complicated for the 'above average user - that guy who always
messes with things' to figure out)
Click to expand...

This is commonly avoided by creating an alternate candidate key to the
HolidayID. Create a new char field in the Holiday table that is filled with some
unique string, perhaps a function of the ID with a checkdigit, and use that as
the parameter. This will prevent someone from easily guessing an ID.
 
Back
Top