[FX.php List] [OFF] Filemaker Web Security?

Joel Shapiro jsfmp at earthlink.net
Sat Sep 6 12:55:38 MDT 2008


hmm... Can you say any more about that?

Is XML-RPC installed by default in PHP?  It looks like it might need to be installed separately.

Also, one site I looked at said the vulnerability through XML-RPC was still SQL injection attacks... so if there's no SQL in a FM/PHP solution, what's the risk?

-Joel


On Sep 6, 2008, at 12:04 AM, Gjermund Gusland Thorsen wrote:

> It's simple to avoid "FileMaker XML RPC injections": you make sure WPE and the
> web server are on 2 different machines, and you block access to WPE from the
> outside world, but open it for the web server.
>
> ggt
>
> 2008/9/6 Dale Bengston <dbengston at tds.net>:
>> Yes. Besides the malicious use of "sql injections" and such, people copy
>> text from Word files, emails, and just about everywhere else and paste it in
>> your input fields. (This is a good thing - people shouldn't have to
>> re-type.) If they have curly quotes, or other high-ascii stuff, and their
>> document uses a different encoding than your site, weird things can result.
>> Better to catch it and wash the data before it hits your tables.
>>
>> Dale
>>
>> On Sep 5, 2008, at 2:21 PM, Joel Shapiro wrote:
>>
>>> As to my question "Do people here do that on *all* submittable
>>> fields?...", the "that" I'd meant was filtering the fields in PHP before
>>> submission to FM, e.g. using htmlentities(), strip_tags(), etc.
>>> Do people do *that* on all submittable fields?
>>
>> _______________________________________________
>> FX.php_List mailing list
>> FX.php_List at mail.iviking.org
>> http://www.iviking.org/mailman/listinfo/fx.php_list
>>
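As an added example (not code from the thread or from FX.php itself), here is one way to "wash" every submitted field in PHP before it reaches FileMaker, along the lines Dale and Joel discuss: re-encode pasted Windows-1252 text, flatten curly quotes and other smart punctuation to ASCII, and strip tags and control characters. HTML-escaping with htmlentities() is left for the point where the value is displayed, so the stored data stays plain. The FX.php calls at the bottom, and the server, database and layout names, are assumed placeholders.

```php
<?php
// Added example, not from the thread: wash user input before handing it to FX.php.

/**
 * Wash one submitted field value:
 *  1. make sure it is valid UTF-8 (pasted Word text is often Windows-1252),
 *  2. replace "smart" punctuation with plain ASCII,
 *  3. drop HTML tags and control characters,
 *  4. trim surrounding whitespace.
 */
function wash_input(string $value): string
{
    // 1. Re-encode anything that is not valid UTF-8, assuming Windows-1252,
    //    the usual source of stray curly quotes from Word and Outlook.
    if (!mb_check_encoding($value, 'UTF-8')) {
        $value = mb_convert_encoding($value, 'UTF-8', 'Windows-1252');
    }

    // 2. Map curly quotes, dashes, ellipsis and NBSP to ASCII equivalents.
    $smart = [
        "\u{2018}" => "'", "\u{2019}" => "'",   // single curly quotes
        "\u{201C}" => '"', "\u{201D}" => '"',   // double curly quotes
        "\u{2013}" => '-', "\u{2014}" => '-',   // en dash, em dash
        "\u{2026}" => '...',                    // ellipsis
        "\u{00A0}" => ' ',                      // non-breaking space
    ];
    $value = strtr($value, $smart);

    // 3. Remove markup, then every control character except tab, LF and CR.
    $value = strip_tags($value);
    $value = preg_replace('/[^\P{C}\t\n\r]/u', '', $value);

    // 4. Trim.
    return trim($value);
}

// Apply the same filter to every scalar POST field, not just the "risky" ones.
$clean = array_map('wash_input', array_filter($_POST, 'is_scalar'));

// Assumed FX.php usage; host, port, database and layout are placeholders.
$fx = new FX('127.0.0.1', 80, 'FMPro7');
$fx->SetDBData('contacts.fp7', 'web_entry');
foreach ($clean as $field => $value) {
    $fx->AddDBParam($field, $value);
}
$result = $fx->FMNew();
```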


