[FX.php List] The web password in FX

Edward L. Ford elford at cs.bu.edu
Thu Jan 25 08:18:36 MST 2007


GGT: Are these logs automatically kept by the server, or is this something you've developed?

Gary:
As standard practice, I now create 2 web accounts for all applications: one that is read only, and another that is R/W. For each of these, I limit their access only to the fields absolutely necessary for the PHP part of the app. On the R/W account, I turn off delete unless that's a needed privilege for the application.

I always use a strong password because someone can try and attack your database without access to the PHP files if they try different passwords using a well-formed URL. Try turning on the DEBUG privilege in an FX page: you'll see a URL output to the top of your page that looks something like:

http://WebUserAccount:Password@filemaker.server.com:80/fmi/xml/FMPXMLRESULT.xml?-db=DatabaseName.fp7&-lay=LayoutName

Using the right URL in a form like that above, you can view the XML dump of a record set. Modify that URL in the right way, and you can edit, create, delete records -- the commands aren't hard to find with Google.

Moral of the story: Security is paramount, be more secure than you think you need to be. Use a good password and well thought out security privileges in FileMaker to ensure you don't get any nasty surprises!  :-)
--Ed

-----------------------------------
http://www.edwardford.net
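Two practical follow-ups to Ed's point, as an added example written for this page and not code from the thread, from FX.php or from FileMaker: a guesser working the XML interface shows up in the web server's access log as a run of 401 responses against /fmi/xml/ from one address, and the successful -edit/-delete requests GGT wants logged are in the same file. The script below parses Apache combined-format log lines (a constructed sample, not real traffic), flags addresses with repeated failed logins, lists the record-changing requests, and strips the user:password@ part from an FX debug URL before it is pasted anywhere. The log format, the 5-failure threshold and the FileMaker command names (-find, -findall, -new, -edit, -delete, -dup, ...) are assumptions of this example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Commands of the FileMaker XML (CWP) interface as I know them; an assumption
# of this example, not something the thread lists.
WRITE_COMMANDS = {"-new", "-edit", "-delete", "-dup"}
READ_COMMANDS = {"-find", "-findall", "-findany", "-view"}
XML_PATH_PREFIX = "/fmi/xml/"

# Apache "combined" access-log format (assumed for the FileMaker web host).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample traffic: six failed logins from one address (a guesser),
# then one mistyped password and normal FX.php activity from the web app host.
_GUESS = ('203.0.113.7 - - [25/Jan/2007:08:10:0{n} -0700] "GET /fmi/xml/FMPXMLRESULT.xml'
          '?-db=DatabaseName.fp7&-lay=LayoutName&-findall HTTP/1.1" 401 0 "-" "Mozilla/4.0"')
_APP = '198.51.100.9 - - [25/Jan/2007:08:12:{s} -0700] "GET /fmi/xml/FMPXMLRESULT.xml?{q} HTTP/1.1" {st} {sz} "-" "FX.php"'
SAMPLE_LOG = "\n".join(
    [_GUESS.format(n=i) for i in range(1, 7)] + [
        _APP.format(s="10", q="-db=DatabaseName.fp7&-lay=LayoutName&-findall", st=401, sz=0),
        _APP.format(s="15", q="-db=DatabaseName.fp7&-lay=LayoutName&-findall", st=200, sz=4312),
        _APP.format(s="20", q="-db=DatabaseName.fp7&-lay=LayoutName&-recid=12&Status=Closed&-edit", st=200, sz=512),
        _APP.format(s="25", q="-db=DatabaseName.fp7&-lay=LayoutName&-recid=12&-delete", st=200, sz=210),
    ]
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    split = urlsplit(rec["target"])
    rec["path"] = split.path
    # keep_blank_values so bare commands such as "-findall" survive as keys
    rec["query"] = parse_qs(split.query, keep_blank_values=True)
    rec["status"] = int(rec["status"])
    return rec


def fm_command(query):
    """Return the FileMaker command carried in a parsed query string, or None."""
    for key in query:
        if key in WRITE_COMMANDS or key in READ_COMMANDS:
            return key
    return None


def xml_requests(log_text):
    """Yield parsed records for requests that hit the XML interface."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith(XML_PATH_PREFIX):
            yield rec


def failed_auth_by_ip(log_text):
    """Count 401 responses on the XML interface per client address."""
    return Counter(r["ip"] for r in xml_requests(log_text) if r["status"] == 401)


def suspected_guessing(log_text, threshold=5):
    """Addresses with at least `threshold` failed logins: password-guessing candidates."""
    return sorted(ip for ip, n in failed_auth_by_ip(log_text).items() if n >= threshold)


def change_audit(log_text):
    """(ip, database, command, recid) for every successful record-changing request."""
    out = []
    for rec in xml_requests(log_text):
        cmd = fm_command(rec["query"])
        if rec["status"] == 200 and cmd in WRITE_COMMANDS:
            db = rec["query"].get("-db", ["?"])[0]
            recid = rec["query"].get("-recid", [None])[0]
            out.append((rec["ip"], db, cmd, recid))
    return out


def redact_credentials(url):
    """Drop the user:password@ part of an FX debug URL before it goes into a ticket or log."""
    u = urlsplit(url)
    netloc = u.hostname or ""
    if u.port:
        netloc = f"{netloc}:{u.port}"
    return urlunsplit(u._replace(netloc=netloc))


if __name__ == "__main__":
    print("failed logins:", dict(failed_auth_by_ip(SAMPLE_LOG)))
    print("suspected guessing:", suspected_guessing(SAMPLE_LOG))
    for entry in change_audit(SAMPLE_LOG):
        print("change:", entry)
```

The 401 count is the useful signal here because the credentials in the userinfo part of the URL travel in the Authorization header, not in the request line, so the log never shows which passwords were tried, only that they failed. A delete showing up in the audit list for an account that should have delete turned off is exactly the privilege mistake Ed and GGT are warning about.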

On Jan 25, 2007, at 8:04 AM, Gjermund Gusland Thorsen wrote:

> my cwp accounts can only create and update records.
>
> To turn off delete for the cwp user is essential,
> along with logging who makes which changes.
>
> ggt667
>
> On 1/25/07, Gary Sprung <gary at gnurps.com> wrote:
>>
>> All,
>>
>> I have been wondering about the importance of the Filemaker password used in FX in the case of a shared hosting service. In that circumstance, the web directory is the top level. You don't get access to levels above the directory your hosting service gives you, so you cannot put your password into a file in a directory that is inaccessible to the web. So if an intruder can get to your PHP files, then they can get your password. Right?
>>
>> With that in mind, how critical is it to have a complex password; or a password at all? Perhaps the much more important consideration is the privileges granted in Filemaker to that account/password used by the PHP/FX/Filemaker system. One of course limits access to only relevant layouts; does not allow editing of scripts, or perhaps not even executing; XML extended privileges only; etc. But the password itself... Isn't it no more secure than your web directory is secure?
>>
>> Regards,
>> Gary
>>
>>
>> --------
>> Gary Sprung
>> GNURPS Consulting
>>
>> gary at gnurps.com
>> www.gnurps.com
>>
>> Landline: 720-565-9933
>> Cell: 303-859-9331
>>
>>
>>
>>
>> _______________________________________________
>> FX.php_List mailing list
>> FX.php_List at mail.iviking.org
>> http://www.iviking.org/mailman/listinfo/fx.php_list
