[FX.php List] The web password in FX

Troy Meyers tcmeyers at troymeyers.com
Sun Jan 28 16:48:51 MST 2007


Ed,

I'm new to all this, having recently come from the FileMaker 6 and CDML world, and this is confusing to me. From the studying I've been doing, it seemed like a bad guy wouldn't be able to get malicious access using the-- http://WebUserAccount:Password@filemaker.server.com:80/fmi/xml/FMPXMLRESULT.xml?-db=DatabaseName.fp7&-lay=LayoutName  --sort of method unless the fmxml extended privilege was enabled in the FileMaker file? Can't you just disable that to prevent access using XML methods, password or not? Don't you only need the fmphp extended privilege for the PHP script (defined by you, not any external person) to get/create the allowed FileMaker data?

-Troy

Ed Ford wrote:


> GGT: Are these logs automatically kept by the server, or is this  
> something you've developed?
> 
> Gary:
> 
> As standard practice, I now create 2 web accounts for all applications: one that is read only, and another that is R/W.  For each of these, I limit their access only to the fields absolutely necessary for the PHP part of the app.  On the R/W account, I turn off delete unless that's a needed privilege for the application.
> 
> I always use a strong password because someone can try and attack your database without access to the PHP files if they try different passwords using a well-formed URL.  Try turning on the DEBUG privilege in an FX page: you'll see a URL output to the top of your page that looks something like:
> 
> http://WebUserAccount:Password@filemaker.server.com:80/fmi/xml/FMPXMLRESULT.xml?-db=DatabaseName.fp7&-lay=LayoutName
> 
> Using the right URL in a form like that above, you can view the XML  
> dump of a record set.  Modify that URL in the right way, and you can  
> edit, create, delete records -- the commands aren't hard to find with  
> Google.
> 
> Moral of the story: Security is paramount, be more secure than you  
> think you need to be. Use a good password and well thought out  
> security privileges in FileMaker to ensure you don't get any nasty  
> surprises!  :-)
> 
> --Ed
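Ed's point that the XML interface can be attacked directly, without the PHP scripts, suggests a simple detection: in an FX.php deployment only the web server running the PHP scripts should ever call /fmi/xml/, so any other source hitting it, or a run of 401s against it, is worth an alert. The script below is an added example written for this thread, not code from the list or from FX.php; it assumes the Web Publishing Engine's front end writes Apache combined-format access logs, and the IP addresses and log lines are constructed sample data.

```python
import re
from collections import Counter

# Path prefix of the FileMaker Server Advanced XML interface that the URL in the thread hits.
XML_PREFIX = "/fmi/xml/"

# Hosts allowed to talk to the XML interface. For FX.php that is the web server running
# the PHP scripts and nothing else. Hypothetical address.
ALLOWED_SOURCES = {"10.0.0.5"}

# Apache combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def _line(ip, ts, path, status, agent):
    """Build one combined-format access log line (constructed sample data only)."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{agent}"'

# The query from Ed's example URL; the credentials never appear in the access log,
# only the 401/200 outcome of each attempt does.
FIND = "/fmi/xml/FMPXMLRESULT.xml?-db=DatabaseName.fp7&-lay=LayoutName&-findall"

SAMPLE_LOG = "\n".join(
    [_line("10.0.0.5", "28/Jan/2007:16:40:01 -0700", FIND, 200, "FX.php")]
    # six failed logins in a row from an outside address: password guessing
    + [_line("203.0.113.9", f"28/Jan/2007:16:41:{s:02d} -0700", FIND, 401, "Mozilla/5.0")
       for s in range(10, 16)]
    + [
        _line("203.0.113.9", "28/Jan/2007:16:41:20 -0700", FIND, 200, "Mozilla/5.0"),  # a guess worked
        _line("203.0.113.9", "28/Jan/2007:16:41:25 -0700", "/index.php", 200, "Mozilla/5.0"),  # not XML, ignored
        _line("198.51.100.7", "28/Jan/2007:16:45:00 -0700", FIND, 200, "curl/7.15"),  # unexpected caller
        _line("10.0.0.5", "28/Jan/2007:16:46:30 -0700", FIND, 200, "FX.php"),
        "not a log line at all",  # malformed input must be skipped, not crash the parser
    ]
)

def parse_log(text):
    """Return one dict per parsable log line; unparsable lines are dropped."""
    entries = []
    for raw in text.splitlines():
        m = LOG_RE.match(raw)
        if m:
            entries.append({
                "ip": m["ip"], "ts": m["ts"], "method": m["method"],
                "path": m["path"], "status": int(m["status"]),
            })
    return entries

def analyze(entries, allowed_sources=ALLOWED_SOURCES, fail_threshold=5):
    """Flag XML-interface traffic from unexpected hosts, brute-force runs of 401s,
    and hosts whose failures were followed by a successful request."""
    failures = Counter()
    unexpected = set()
    success_after_failures = set()
    for e in entries:
        if not e["path"].startswith(XML_PREFIX):
            continue  # only the XML interface is in scope
        ip = e["ip"]
        if ip not in allowed_sources:
            unexpected.add(ip)
        if e["status"] == 401:
            failures[ip] += 1
        elif e["status"] == 200 and failures[ip] > 0:
            success_after_failures.add(ip)
    return {
        "unexpected_sources": unexpected,
        "brute_force": {ip: n for ip, n in failures.items() if n >= fail_threshold},
        "success_after_failures": success_after_failures,
    }

if __name__ == "__main__":
    report = analyze(parse_log(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Feed the script your real access log instead of SAMPLE_LOG and put the PHP web server's address in ALLOWED_SOURCES; the same checks apply whether or not the fmxml extended privilege is enabled, since a 401 is logged either way and tells you someone is probing the interface.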
