[FX.php List] The web password in FX
Edward L. Ford
elford at cs.bu.edu
Thu Jan 25 08:18:36 MST 2007
GGT: Are these logs automatically kept by the server, or is this
something you've developed?
Gary:
As standard practice, I now create 2 web accounts for all
applications: one that is read only, and another that is R/W. For
each of these, I limit their access only to the fields absolutely
necessary for the PHP part of the app. On the R/W account, I turn
off delete unless that's a needed privilege for the application.
I always use a strong password because someone can try and attack
your database without access to the PHP files if they try different
passwords using a well-formed URL. Try turning on the DEBUG
privilege in an FX page: you'll see a URL output to the top of your
page that looks something like:
http://WebUserAccount:Password@filemaker.server.com:80/fmi/xml/FMPXMLRESULT.xml?-db=DatabaseName.fp7&-lay=LayoutName
Using the right URL in a form like that above, you can view the XML
dump of a record set. Modify that URL in the right way, and you can
edit, create, delete records -- the commands aren't hard to find with
Google.
Moral of the story: Security is paramount, be more secure than you
think you need to be. Use a good password and well thought out
security privileges in FileMaker to ensure you don't get any nasty
surprises! :-)
--Ed
-----------------------------------
http://www.edwardford.net
On Jan 25, 2007, at 8:04 AM, Gjermund Gusland Thorsen wrote:
> my cwp accounts can only create and update records.
>
> To turn off delete for the cwp user is essential,
> along with logging who makes which changes.
>
> ggt667
>
> On 1/25/07, Gary Sprung <gary at gnurps.com> wrote:
>>
>> All,
>>
>> I have been wondering about the importance of the Filemaker password
>> used in FX in the case of a shared hosting service. In that
>> circumstance, the web directory is the top level. You don't get access
>> to levels above the directory your hosting service gives you, so you
>> cannot put your password into a file in a directory that is
>> inaccessible to the web. So if an intruder can get to your PHP files,
>> then they can get your password. Right?
>>
>> With that in mind, how critical is it to have a complex password; or a
>> password at all? Perhaps the much more important consideration is the
>> privileges granted in Filemaker to that account/password used by the
>> PHP/FX/Filemaker system. One of course limits access to only relevant
>> layouts; does not allow editing of scripts, or perhaps not even
>> executing; XML extended privileges only; etc. But the password
>> itself... Isn't it no more secure than your web directory is secure?
>>
>> Regards,
>> Gary
>>
>>
>> --------
>> Gary Sprung
>> GNURPS Consulting
>>
>> gary at gnurps.com
>> www.gnurps.com
>>
>> Landline: 720-565-9933
>> Cell: 303-859-9331
>>
>>
>>
>>
>> _______________________________________________
>> FX.php_List mailing list
>> FX.php_List at mail.iviking.org
>> http://www.iviking.org/mailman/listinfo/fx.php_list
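Added example, not code from this thread or from the FX.php project: a small Python log scrubber for the DEBUG-style URL Ed describes. A URL of that form carries the web account's password in the userinfo part, so any server or application log that records it leaks the credential; the scrubber drops the password before the line is stored, keeps the account name, and records whether the request was a read or a write command, which also gives the "who makes which changes" record Gjermund asks for. The log lines, host, account names and database name are constructed placeholders, and the set of read/write action parameters (-find, -findall, -new, -edit, -delete, ...) is an assumption taken from the FileMaker XML interface rather than a complete list.

```python
"""Redact web-account passwords from FileMaker XML request URLs in log lines
and record which account issued read vs. write commands.

Added example for this thread; not FX.php or FileMaker code. All sample
data below is constructed.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample log lines in the shape of the DEBUG URL from the thread.
# Host, accounts, password values and database name are placeholders.
SAMPLE_LOG = """\
2007-01-25 08:18:36 GET http://WebUserAccount:Password@filemaker.server.com:80/fmi/xml/FMPXMLRESULT.xml?-db=DatabaseName.fp7&-lay=LayoutName&-findall
2007-01-25 08:19:02 GET http://rw_account:s3cret@filemaker.server.com:80/fmi/xml/FMPXMLRESULT.xml?-db=DatabaseName.fp7&-lay=LayoutName&-recid=12&-delete
2007-01-25 08:19:10 GET http://filemaker.server.com:80/fmi/xml/FMPXMLRESULT.xml?-db=DatabaseName.fp7&-lay=LayoutName&-findany
"""

URL_RE = re.compile(r"https?://\S+")

# Assumed (partial) sets of FileMaker XML action parameters. Anything that
# creates, edits or deletes records is a "write"; a reviewer comparing these
# against the read-only account's activity can spot privilege misuse quickly.
WRITE_ACTIONS = {"-new", "-edit", "-delete", "-dup"}
READ_ACTIONS = {"-find", "-findall", "-findany", "-view"}


def redact_url(url):
    """Return (url with the password replaced by ***, account name or None)."""
    parts = urlsplit(url)
    if parts.username is None:          # no credentials embedded, nothing to hide
        return url, None
    host = parts.hostname or ""
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    netloc = f"{parts.username}:***@{host}"   # keep the account, drop the secret
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment)), parts.username


def classify_action(url):
    """Classify the XML command in the query string as 'read', 'write' or 'unknown'."""
    keys = [pair.split("=", 1)[0] for pair in urlsplit(url).query.split("&") if pair]
    if any(k in WRITE_ACTIONS for k in keys):
        return "write"
    if any(k in READ_ACTIONS for k in keys):
        return "read"
    return "unknown"


def scrub_log(text):
    """Return (redacted log lines, per-line findings) for a block of log text.

    Each finding records the line number, the account seen in the URL (if any),
    whether a password was present in clear text, and the action class.
    """
    redacted_lines, findings = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        finding = {"line": number, "account": None, "password_exposed": False, "action": "unknown"}

        def _replace(match):
            clean, account = redact_url(match.group(0))
            if account is not None:
                finding["account"] = account
                finding["password_exposed"] = True
            finding["action"] = classify_action(match.group(0))
            return clean

        redacted_lines.append(URL_RE.sub(_replace, line))
        findings.append(finding)
    return redacted_lines, findings


if __name__ == "__main__":
    clean_lines, report = scrub_log(SAMPLE_LOG)
    for line, info in zip(clean_lines, report):
        print(line)
        print("   ->", info)
```

Run it on a captured log to see that the password never reaches the stored copy while the account name and the read/write classification survive; in practice you would hook `scrub_log` in before the line is written, not after, since a log that already contains the password has already leaked it to anyone who can read the file.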