[FX.php List] Security Concerns with FileMaker Website

Chris Hansen chris at iViking.org
Wed Jan 24 11:23:40 MST 2007


Edward,

Here's my take: strike a balance between security and ease of use  
based on the needs of your solution.  It sounds like you're heading  
that way, but it's very hard for anyone else to make that decision  
for you.  Yes, there are some really nasty bots out there, but the  
more you do to combat the bots, the more levels of hairiness you  
introduce into your system.  Of course login, which can use sessions,  
makes a site reasonably easy for people, but next to impossible for a  
bot.  On the other hand, it does limit your audience (which you've  
stated isn't an option for you.)

Simply checking sessions WILL stop some bots.  Obfuscating the URL  
using JavaScript adds another level of protection.  Creating an image  
and/or sound file containing the address is another option, but  
begins to become tiresome to the user (how many of us REALLY like  
these things when we encounter them ;-)  And, most importantly, none  
of these (with the exception of very solid authentication) are  
foolproof; someone will find a way around them, if they haven't  
already.  On the other hand, a contact form does keep others from  
grabbing a person's email, however it means that those who may  
legitimately need that address can't get to it either.  But don't  
panic, decide what you're willing to do, and what you feel you can  
give up, and aim there.  I'd be interested in seeing your final  
decision posted to the list (i.e. this is what I decided I needed,  
and here's how I did it.)  This is a common enough situation that I  
think lots of folks would benefit.  From what you've said, I think  
the contact form may be your best option, but that's just my opinion.

HTH

And now for some house cleaning...

First off, Steven, two things:

1) I would guess that the code below is not Gjermund's system per  
se.  Rather, if you examine the thread you'll note that he was  
attempting to provide example code for a prior suggestion that had  
failed to do so (an admirable act, and very appropriate to the  
list.)  It looks to me like code that was pulled out of his head.

2) If you read the code that Gjermund did pass along you'll note this  
line:

header( "Location: /index.php?status=log_on" );

So yes, I'd say that he was assuming a system with a login.   
(Gjermund, correct me if I am mistaken here.)

Gjermund, if you reread through Steven's response, you'll realize  
that he hadn't fully read or perhaps understood your response.  (I'd  
say you also failed to carefully read his.)  People often have  
different assumptions and experience that will affect how they  
understand what is said.

There's no reason to jump all over each other.  Each of you has taken  
an approach that WOULD work in some situations, but neither approach  
works everywhere.  Gjermund was a hair's breadth away from creating  
the equivalent of FX.php back in 2001 when he came across it and  
realized he didn't have to.  Steven has a couple of years of PHP  
under his belt as well.  Try to respect each other's knowledge, even  
if you don't like each other.

Best,

--Chris Hansen
   FileMaker 8 Certified Developer
   FileMaker 7 Certified Developer
   Creator of FX.php
   "The best way from FileMaker to the Web."
   www.iViking.org


On Jan 24, 2007, at 9:12 AM, Stephen Knight wrote:

> Hi Gjermund,
>
> You actually did not explain your full technique regarding the keys
> and simply suggested that sessions would work. Would you care
> explaining where the user gets the correct key from? If they have to
> enter the key based from their previous knowledge of the system then
> it becomes a login system (good way to protect private data against
> bots, no doubt there), but otherwise you suggested that a key is put
> into the session by PHP at one page and examined on the next which I
> do not see how would affect a cookie passing bot.
>
>
>
> In Kindness
> Stephen K Knight
> http://www.fmwebschool.com
> 800.353.7950 / 386.453.5843
> FMWebschool, we bring the web to life
> FX.PHP PHP XML MySQL CDML ASP
>
> -----Original Message-----
> From: fx.php_list-bounces at mail.iviking.org
> [mailto:fx.php_list-bounces at mail.iviking.org] On Behalf Of Gjermund
> Gusland Thorsen
> Sent: Wednesday, January 24, 2007 10:54 AM
> To: FX.php Discussion List
> Subject: Re: [FX.php List] Security Concerns with FileMaker Website
>
> Ehh, how are the bots able to put the correct key in the session?!?
>
> Do bots come with brute force techniques these days Mr Knight?!?
>
> ggt667
>
> On 1/24/07, Stephen  Knight <stephen at fmwebschool.com> wrote:
>> Hi,
>>
>> Sessions are actually far from being faultproof - if you do not
>> have a login but do require a session to proceed then the bot can easily
>> carry your session through. For example the use of cURL is very
>> popular in recent bots and curl includes a one line option to turn on
>> a "cookie jar" which will collect and pass along any session cookies
>> that you assigned to it on one page to the next. It might stop some
>> older less intelligent bots but these days it is very easy to pass
>> along cookies - and I would not be surprised if within a year or two
>> we will start seeing full blown JS enabled bots which will parse
>> the JS on the current pages in order to extract obfuscated data.
>>
>>
>>
>> In Kindness
>> Stephen K Knight
>> http://www.fmwebschool.com
>> 800.353.7950 / 386.453.5843
>> FMWebschool, we bring the web to life
>> FX.PHP PHP XML MySQL CDML ASP
>>
>> -----Original Message-----
>> From: fx.php_list-bounces at mail.iviking.org
>> [mailto:fx.php_list-bounces at mail.iviking.org] On Behalf Of Gjermund
>> Gusland Thorsen
>> Sent: Wednesday, January 24, 2007 10:29 AM
>> To: FX.php Discussion List
>> Subject: Re: [FX.php List] Security Concerns with FileMaker Website
>>
>> I assume you do something like this:
>>
>> <?php
>> session_start();
>> // projectkey.php is assumed to define $key1 and $key2 (the key held
>> // in the session and the key expected by the project)
>> include_once( $_SERVER['DOCUMENT_ROOT'] . "/projectkey.php" );
>> if( $key1 != $key2 ) {
>>         header( "Location: /index.php?status=log_on" );
>>         exit;
>> }
>>
>> ggt667
>>
>> On 1/24/07, Jonathan Schwartz <jonathan at eschwartz.com> wrote:
>>>
>>>
>>> I have also noticed the bots because I am logging every arrival to
>>> my fx.php pages for development and customer support reasons.
>>>
>>>
>>> In my solutions, I am using sessions. Without a current session, the
>>> page never gets past the session check on line 3.  The "user" is
>>> redirected to the start page to either log in or to start the
>>> process (whatever it is).
>>>
>>>
>>> So, the bot might hit the page, but never sees data.
>>>
>>>
>>> Works for me, but YMMV.
>>>
>>>
>>> Hope that helps.
>>>
>>>
>>> Jonathan
>>>
>>>
>>> Hello everyone,
>>> In the past hour, I've done some analysis of various logs and
>>> emails, and I've come to a chilling realization that I've never had
>>> before about bots harvesting information from websites -- I knew it
>>> happened, but I never knew the scope of the problem until tonight --
>>> and this is a low traffic website!
>>>
>>>
>>> So, I have a website which contains a public listing of email
>>> addresses and websites from a FileMaker database.  I want to stop
>>> unknown bots from crawling the site.  All of the data comes out of
>>> FileMaker, nicely formatted as links for the end user's clicking
>>> convenience.  I have a solution to fix email addresses from being
>>> harvested, but I was wondering if anyone knows of a way to prevent
>>> website addresses from being harvested, but still clickable as a
>>> hyperlink.
>>>
>>>
>>> I thought maybe a PHP redirect link, like redirect.php?id=16 where
>>> redirect puts a user at the website listed in record 16, but once
>>> the PHP is all said and done, we're still at the linked website, so
>>> that doesn't really prevent anything from being harvested.
>>>
>>>
>>> Is there a way to maybe detect if a link was actually clicked by a
>>> person, and not just passed through by an automated bot?  PHP is
>>> preferable for such a solution -- JavaScript is too easy to turn
>>> off.
>>> Or, is there a way to specify that only bots from places like
>>> Google, Live, and Yahoo are allowed to crawl the site?
>>>
>>>
>>> Hopefully my predicament is clear.  I need to solve this ASAP...
>>>
>>>
>>> --Ed
>>> ---------------------
>>> http://www.edwardford.net
>>>
>>>
>>>
>>>
>>>
>>>  _______________________________________________
>>>  FX.php_List mailing list
>>>  FX.php_List at mail.iviking.org
>>>  http://www.iviking.org/mailman/listinfo/fx.php_list
>>>
>>>
>>>
>>>  --
>>>
>>>
>>>
>>> Jonathan Schwartz
>>> FileMaker 8 Certified  Developer
>>> Associate Member, FileMaker Solutions Alliance Schwartz & Company
>>> jonathan at eschwartz.com http://www.eschwartz.com
>>> http://www.exit445.com
>>> 415-381-1852
>>>
>>>
>
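The thread's point, stated several times above, is that a bare "is there a session?" check (Gjermund's snippet) is passed by any client that keeps a cookie jar, whereas a check bound to a completed login is not. The following is an added example written for this page; it is not code from the thread or from FX.php. It assumes a `login.php` that calls `mark_logged_in()` after its own credential check, a `require_login.php` that protected pages include, PHP 7.3 or later for the array form of `session_set_cookie_params()`, and a site served over HTTPS; the session lifetime and the `user_id` / `logged_in_at` keys are made up for the example.

```php
<?php
// Added example, not code from this thread or from FX.php: a gate that
// admits only sessions a login script has explicitly marked as
// authenticated. Assumed layout: login.php calls mark_logged_in() after
// checking credentials; every protected page calls require_login() first.

declare(strict_types=1);

const SESSION_LIFETIME_SECONDS = 8 * 3600; // assumed lifetime of a login

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Array form of session_set_cookie_params() needs PHP 7.3+.
    // 'secure' assumes the site is served over HTTPS.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// True only when login.php has stamped this session after a successful
// credential check. A client that merely keeps its cookie jar between
// requests (the cURL case from the thread) is issued a session id but
// never receives this flag, so "has a session" and "is logged in" are
// no longer confused.
function session_is_authenticated(array $session, int $now): bool
{
    return isset($session['user_id'], $session['logged_in_at'])
        && is_int($session['logged_in_at'])
        && ($now - $session['logged_in_at']) <= SESSION_LIFETIME_SECONDS;
}

function require_login(): void
{
    start_secure_session();
    if (!session_is_authenticated($_SESSION, time())) {
        // Same redirect target as Gjermund's snippet.
        header('Location: /index.php?status=log_on');
        exit;
    }
}

// Called by login.php once the password has been verified (for instance
// password_verify() against a stored hash, or whatever check the
// solution already uses).
function mark_logged_in(string $userId): void
{
    start_secure_session();
    // Rotate the id so a session cookie handed out before login cannot be
    // carried into the authenticated state by whoever obtained it.
    session_regenerate_id(true);
    $_SESSION['user_id']      = $userId;
    $_SESSION['logged_in_at'] = time();
}

// Usage in login.php (hypothetical; $storedHash and $userId come from the
// solution's own user store):
//   if (password_verify($_POST['password'] ?? '', $storedHash)) {
//       mark_logged_in($userId);
//       header('Location: /members.php');
//       exit;
//   }
//
// Usage at the top of every protected page:
//   require_once $_SERVER['DOCUMENT_ROOT'] . '/require_login.php';
//   require_login();
```

This only helps where a login is acceptable, which is exactly the limit Chris describes: it protects pages behind the gate and does nothing for a listing that must stay public. For the public listing, the contact form he suggests is the option that keeps the address itself off the page, at the cost of legitimate visitors not seeing it either.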


