[FX.php List] [OFF] Filemaker Web Security?

Gjermund Gusland Thorsen ggt667 at gmail.com
Sat Sep 6 14:04:07 MDT 2008


The clue is to have your PHP files on a separate server from the FileMaker WPE

ggt

2008/9/6 Joel Shapiro <jsfmp at earthlink.net>:
> hmm... Can you say any more about that?
>
> Is XML-RPC installed by default in PHP?  It looks like it might need to be
> installed separately.
>
> Also, one site I looked at said the vulnerability through XML-RPC was still
> SQL injection attacks... so if there's no SQL in a FM/PHP solution, what's
> the risk?
>
> -Joel
>
>
> On Sep 6, 2008, at 12:04 AM, Gjermund Gusland Thorsen wrote:
>
>> It is simple to avoid "FileMaker XML RPC injections": you make sure the
>> WPE and the web server are on 2 different machines, and you block access to
>> the WPE from the outside world, but open it for the web server.
>>
>> ggt
>>
>> 2008/9/6 Dale Bengston <dbengston at tds.net>:
>>>
>>> Yes. Besides the malicious use of "SQL injections" and such, people copy
>>> text from Word files, emails, and just about everywhere else and paste it
>>> in your input fields. (This is a good thing - people shouldn't have to
>>> re-type.) If they have curly quotes, or other high-ASCII stuff, and their
>>> document uses a different encoding than your site, weird things can result.
>>> Better to catch it and wash the data before it hits your tables.
>>>
>>> Dale
>>>
>>> On Sep 5, 2008, at 2:21 PM, Joel Shapiro wrote:
>>>
>>>> As to my question "Do people here do that on *all* submittable
>>>> fields?...", the "that" I'd meant was filtering the fields in PHP before
>>>> submission to FM, e.g. using htmlentities(), strip_tags(), etc. Do
>>>> people do *that* on all submittable fields?
>>>
>>> _______________________________________________
>>> FX.php_List mailing list
>>> FX.php_List at mail.iviking.org
>>> http://www.iviking.org/mailman/listinfo/fx.php_list
>>>
>

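The thread above asks whether to "wash" every submittable field in PHP before it goes to FileMaker, and points at pasted Word text (curly quotes, mismatched encodings) as the usual source of trouble. The following is an added example written for this page, not code from the FX.php project or from any of the posters. It converts a submitted value to UTF-8 (falling back to Windows-1252 when the bytes are not valid UTF-8, since that is where stray curly quotes normally come from), replaces Windows "smart" punctuation with plain ASCII, drops control characters, strips tags, and only passes fields that are on an allow-list. HTML escaping is kept in a separate function so it can be applied at output time rather than before storage. The function names, the allow-list, and the sample form input are all assumptions made for the illustration.

```php
<?php
// Added example for the FX.php list thread; not part of FX.php itself.
// All function names and the sample input below are assumptions.

/**
 * Windows "smart" punctuation (as pasted from Word or e-mail) keyed by its
 * UTF-8 byte sequence, mapped to the plain ASCII equivalent.
 */
function smart_punctuation_map()
{
    return array(
        "\xE2\x80\x98" => "'",   // U+2018 left single quotation mark
        "\xE2\x80\x99" => "'",   // U+2019 right single quotation mark
        "\xE2\x80\x9C" => '"',   // U+201C left double quotation mark
        "\xE2\x80\x9D" => '"',   // U+201D right double quotation mark
        "\xE2\x80\x93" => '-',   // U+2013 en dash
        "\xE2\x80\x94" => '-',   // U+2014 em dash
        "\xE2\x80\xA6" => '...', // U+2026 horizontal ellipsis
        "\xC2\xA0"     => ' ',   // U+00A0 no-break space
    );
}

/**
 * Wash one submitted field value before handing it to FX.php / FileMaker.
 *
 * 1. Convert to UTF-8 from the encoding the form declared; if none was
 *    declared and the bytes are not valid UTF-8, assume Windows-1252.
 * 2. Replace smart punctuation with ASCII.
 * 3. Remove control characters other than tab, LF and CR.
 * 4. Strip HTML tags and surrounding whitespace.
 */
function wash_field($value, $declared_encoding = null)
{
    $value = (string) $value;

    if ($declared_encoding !== null) {
        $value = mb_convert_encoding($value, 'UTF-8', $declared_encoding);
    } elseif (!mb_check_encoding($value, 'UTF-8')) {
        // Invalid UTF-8: the common culprit is text pasted from a
        // Windows-1252 document.
        $value = mb_convert_encoding($value, 'UTF-8', 'Windows-1252');
    }

    $value = strtr($value, smart_punctuation_map());
    // Unicode category C (controls, format chars, unassigned), except the
    // whitespace we want to keep.
    $value = preg_replace('/[^\P{C}\t\n\r]/u', '', $value);

    return trim(strip_tags($value));
}

/**
 * Wash only the fields named in $allowed_fields; anything else in the
 * submission is ignored rather than forwarded to FileMaker.
 */
function wash_post_fields(array $post, array $allowed_fields, $declared_encoding = null)
{
    $clean = array();
    foreach ($allowed_fields as $name) {
        if (isset($post[$name]) && !is_array($post[$name])) {
            $clean[$name] = wash_field($post[$name], $declared_encoding);
        }
    }
    return $clean;
}

/**
 * Escape for HTML at output time. Doing this once on display, instead of
 * storing entities in the database, keeps the stored text usable in
 * non-HTML contexts (exports, PDF, other clients).
 */
function escape_for_html($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input: text pasted from Word, arriving as raw
// Windows-1252 bytes, plus a field that is not on the allow-list.
$sample_post = array(
    'Name'  => "\x93Joel\x94 O\x92Brien <b>bold</b>",
    'Notes' => "line one \x96 line two\x85",
    'Extra' => 'not on the allow-list, dropped',
);

$clean = wash_post_fields($sample_post, array('Name', 'Notes'));

foreach ($clean as $field => $value) {
    // In a real FX.php page these would go to $fx->AddDBParam($field, $value)
    // before $fx->FMNew() / $fx->FMEdit(); here we just show the result.
    echo $field, ': ', escape_for_html($value), "\n";
}
```

The washing step normalizes what is stored; the escaping step is deliberately separate and applied only when the value is rendered into an HTML page, so that `htmlentities()`-style output never ends up double-encoded or stored as entities inside FileMaker.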
