[FX.php List] Security Concerns

Jonathan Schwartz jonathan at eschwartz.com
Thu Jan 25 13:56:48 MST 2007


I know what Joel is referring to, and it is the same question that I 
am asking myself as this thread progresses.

The original post had to do with concerns that bots could find *hard 
coded data* appearing on an HTML web page...email addresses.  Right? 
The answer is/was "yes", unless you take steps described...and even 
then..."maybe".

However, the thread migrated to bots being able to send queries to 
FileMaker to harvest sensitive data.  These are two different things 
entirely.

In the last case Ed describes, this is hard-coded data, albeit 
"hidden".  Hidden data is available to anyone who knows how to use 
the View Source option.

Can we make the distinction between database data and hardcoded data?

...unless I'm totally off base. ;-)

Jonathan

>I'm not sure what Joel exactly means here -- I'm thinking putting 
>data from FileMaker in a hidden HTML text field, in which case, bots 
>can certainly see the data -- all anyone needs to do is view the 
>page source to see the "hidden" data.  For any sort of data you need 
>to persist in your application but don't want displayed, PHP 
>sessions are probably the best solution.
>
>
>And David, if you're processing credit card data, Andrew's 
>suggestion seems to be a good one, but you absolutely should have 
>the connection to your FileMaker server over SSL (not plain HTTP on 
>port 80) to keep the data from being sniffed between the PHP app 
>and the FileMaker server.  I've never used SSL with FileMaker, so I 
>can't be of more assistance than that.
>
>--Ed
>-----------------------------------
>http://www.edwardford.net
>
>On Jan 25, 2007, at 3:22 PM, Joel Shapiro wrote:
>
>>Maybe a dumb question, but...
>>
>>If a web form sends data (email, credit card...) to a FileMaker field 
>>but that field's contents are nowhere displayed on the website, can 
>>bots still see the data in that field?  (I had thought Ed's concern 
>>over bots was because the emails *are* displayed on his website)
>>
>>-Joel
>>
>>
>>On Jan 25, 2007, at 12:14 PM, Andrew Denman wrote:
>>
>>>David,
>>>
>>>You will have to test this, but you could make one account that 
>>>can only create records (no viewing, access to all fields) and use 
>>>that to write to the database.  A separate account would be used 
>>>to retrieve records, and it would be denied access to fields you 
>>>want to hide.
>>>
>>>
>>>
>>>Andrew Denman
>>>
>>>
>>>From: fx.php_list-bounces at mail.iviking.org 
>>>[mailto:fx.php_list-bounces at mail.iviking.org] 
>>>On Behalf Of David Tinoco
>>>Sent: Thursday, January 25, 2007 1:38 PM
>>>To: fx.php_list at mail.iviking.org
>>>Subject: [FX.php List] Security Concerns
>>>
>>>
>>>
>>>Well guys, this scares me now, as I was planning to design a 
>>>secure page that took a customer's credit card information and 
>>>stored it only for a few hours in FM until the sales rep 
>>>transferred it to a secure "internetless" computer.
>>>
>>>But I realized that in order to have create and view access, you 
>>>obviously must have read access, right?
>>>
>>>So couldn't anyone theoretically lookup any credit card number 
>>>while it hadn't been transferred?
>>>
>>>Any help with suggestions would be great.
>>>
>>>David
>>>
>>>
>>>_______________________________________________
>>>FX.php_List mailing list
>>>FX.php_List at mail.iviking.org
>>>http://www.iviking.org/mailman/listinfo/fx.php_list
>>>
>>


-- 

Jonathan Schwartz
FileMaker 8 Certified  Developer
Associate Member, FileMaker Solutions Alliance
Schwartz & Company
jonathan at eschwartz.com
http://www.eschwartz.com
http://www.exit445.com
415-381-1852
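The two designs the thread converges on (Andrew's split between a create-only account and a field-restricted read account, and Ed's points about PHP sessions instead of hidden fields and SSL between PHP and FileMaker Server) are shown together below as an added example. This is not code from the FX.php project or from any poster on this list. The FX.php calls (FX(), SetDBData(), SetDBPassword(), AddDBParam(), FMNew(), FMFind()) are used as documented for FX.php 4.x; the fourth FX() argument for the URL scheme is an assumption to check against your FX.php version. The file Orders.fp7, the layouts web_intake and web_status, the fields Email, CardNumber and Status, the host name, and the accounts web_writer and web_reader are invented for the example and would have to be created in FileMaker with the privilege sets described in the comments.

```php
<?php
// Added example for the thread above; not FX.php project code and not code
// from any poster. Everything FileMaker-specific here is an assumption:
//   - FX.php at FX/FX.php exposing FX(), SetDBData(), SetDBPassword(),
//     AddDBParam(), FMNew() and FMFind() as in FX.php 4.x (the 4th FX()
//     argument, the URL scheme, is an assumption; check your version).
//   - Orders.fp7, layouts web_intake / web_status, fields Email, CardNumber,
//     Status, and accounts web_writer / web_reader are hypothetical.
require_once 'FX/FX.php';

session_start();

// Talk to the Web Publishing Engine over HTTPS, not plain HTTP on port 80,
// so the card number cannot be sniffed between this PHP app and FileMaker.
define('FM_HOST',   'fms.example.internal');   // hypothetical host
define('FM_PORT',   443);
define('FM_SCHEME', 'https');

// Account 1 (create-only): privilege set grants Create on Orders and denies
// View, Edit and Delete. Stolen credentials let an attacker add junk records
// but never read a card number back.
define('WRITER_USER', 'web_writer');
define('WRITER_PASS', getenv('FM_WRITER_PASS'));

// Account 2 (read, field-restricted): privilege set grants View on Orders but
// sets CardNumber to "no access". The privilege set, enforced by FileMaker
// Server, is what keeps the card out of every response this account can get.
define('READER_USER', 'web_reader');
define('READER_PASS', getenv('FM_READER_PASS'));

function fm_connect($user, $pass, $layout)
{
    $fx = new FX(FM_HOST, FM_PORT, 'FMPro7', FM_SCHEME);
    $fx->SetDBData('Orders.fp7', $layout, 'all');
    $fx->SetDBPassword($pass, $user);
    return $fx;
}

// Public-facing: handle the order form POST with the create-only account.
function submit_order(array $post)
{
    $email = trim($post['email']);
    $card  = preg_replace('/\D/', '', $post['card']);   // digits only
    if ($email === '' || strlen($card) < 13 || strlen($card) > 19) {
        return false;
    }

    $fx = fm_connect(WRITER_USER, WRITER_PASS, 'web_intake');
    $fx->AddDBParam('Email',      $email);
    $fx->AddDBParam('CardNumber', $card);
    $fx->AddDBParam('Status',     'awaiting pickup');
    $result = $fx->FMNew();
    unset($card);                                        // drop it from PHP memory

    // Carry the customer's email to the next page in the server-side session.
    // Never re-emit it as <input type="hidden">: "hidden" is only a display
    // hint, and View Source (or any bot fetching the page) shows the value.
    $_SESSION['order_email'] = $email;
    return $result['errorCode'] == 0;
}

// Public-facing status lookup with the read account. Even if CardNumber were
// placed on the web_status layout, this account cannot read that field, so
// there is nothing for a bot to harvest through FX.php queries.
function order_status($email)
{
    $fx = fm_connect(READER_USER, READER_PASS, 'web_status');
    $fx->AddDBParam('Email', $email, 'eq');
    $result = $fx->FMFind();
    if ($result['errorCode'] != 0) {
        return array();
    }
    $rows = array();
    foreach ($result['data'] as $record) {
        $rows[] = array(
            'email'  => $record['Email'][0],
            'status' => $record['Status'][0],
        );
    }
    return $rows;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    echo submit_order($_POST) ? 'Order received.' : 'Order rejected.';
} elseif (!empty($_SESSION['order_email'])) {
    foreach (order_status($_SESSION['order_email']) as $row) {
        echo htmlspecialchars($row['email']) . ': '
           . htmlspecialchars($row['status']) . "\n";
    }
}
```

The point of the split is that the credentials sitting in the public-facing script are the ones an attacker is most likely to obtain, and with this layout neither of them can return a CardNumber, whatever query is sent. The sales rep's pickup happens with a third, non-web account from the FileMaker client, outside this script. Field-level "no access" is enforced on FileMaker Server regardless of which layout or which FX.php call is used, so the protection does not depend on the PHP code leaving the field off the layout.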

