[FX.php List] The web password in FX

Gjermund Gusland Thorsen ggt667 at gmail.com
Thu Jan 25 09:43:08 MST 2007


I make my own table for logging web activity, so for every page I do a
FMNew() in the log file at least until the solution really works.

ggt667

On 1/25/07, Edward L. Ford <elford at cs.bu.edu> wrote:
>
> GGT: Are these logs automatically kept by the server, or is this something
> you've developed?
>
>
> Gary:
> As standard practice, I now create 2 web accounts for all applications: one
> that is read only, and another that is R/W.  For each of these, I limit
> their access only to the fields absolutely necessary for the PHP part of the
> app.  On the R/W account, I turn off delete unless that's a needed privilege
> for the application.
>
> I always use a strong password because someone can try and attack your
> database without access to the PHP files if they try different passwords
> using a well-formed URL.  Try turning on the DEBUG privilege in an FX page:
> you'll see a URL output to the top of your page that looks something like:
>
> http://WebUserAccount:Password@filemaker.server.com:80/fmi/xml/FMPXMLRESULT.xml?-db=DatabaseName.fp7&-lay=LayoutName
>
> Using the right URL in a form like that above, you can view the XML dump of
> a record set.  Modify that URL in the right way, and you can edit, create,
> delete records -- the commands aren't hard to find with Google.
>
> Moral of the story: Security is paramount, be more secure than you think you
> need to be. Use a good password and well thought out security privileges in
> FileMaker to ensure you don't get any nasty surprises!  :-)
> --Ed
>
> -----------------------------------
> http://www.edwardford.net
>
>
> On Jan 25, 2007, at 8:04 AM, Gjermund Gusland Thorsen wrote:
>
> my cwp accounts can only create and update records.
>
> To turn off delete for the cwp user is essential,
> along with logging who makes which changes.
>
> ggt667
>
> On 1/25/07, Gary Sprung <gary at gnurps.com> wrote:
>
> All,
>
> I have been wondering about the importance of the Filemaker password used in
> FX in the case of a shared hosting service. In that circumstance, the web
> directory is the top level. You don't get access to levels above the
> directory your hosting service gives you, so you cannot put your password
> into a file in a directory that is inaccessible to the web. So if an
> intruder can get to your PHP files, then they can get your password. Right?
>
> With that in mind, how critical is it to have a complex password; or a
> password at all? Perhaps the much more important consideration is the
> privileges granted in Filemaker to that account/password used by the
> PHP/FX/Filemaker system. One of course limits access to only relevant
> layouts; does not allow editing of scripts, or perhaps not even executing;
> XML extended privileges only; etc. But the password itself... Isn't it no
> more secure than your web directory is secure?
>
> Regards,
> Gary
>
>
> --------
> Gary Sprung
> GNURPS Consulting
>
> gary at gnurps.com
> www.gnurps.com
>
> Landline: 720-565-9933
> Cell: 303-859-9331
>
>
>
>
> _______________________________________________
> FX.php_List mailing list
> FX.php_List at mail.iviking.org
> http://www.iviking.org/mailman/listinfo/fx.php_list
>
>
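Ed's point above is that the XML interface answers any well-formed URL, whether or not it came from your PHP, and that an attacker can guess the web account's password or call -new, -edit and -delete directly. The script below is an added example, not code from this thread, from FX.php or from FileMaker: it parses the XML-interface URL shape shown in the debug output and triages web-server access-log lines for exactly that abuse. It assumes the interface lives under /fmi/xml/ with the documented query commands, NCSA combined log format, and that the only host that should ever reach the interface is the web server running FX.php (taken here to be 10.0.0.5); every log line in it is constructed for the example.

```python
"""Triage access-log lines for FileMaker XML-interface abuse.

Added example, not code from the FX.php list, FX.php or FileMaker.
Assumptions: XML interface under /fmi/xml/ driven by the documented
query commands; NCSA combined log format; the FX.php web server
(10.0.0.5) is the only legitimate client. Sample log lines are
constructed.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# XML-interface query commands, grouped by what they do.
WRITE_COMMANDS = {"-new", "-edit", "-delete", "-dup"}
ENUM_COMMANDS = {"-dbnames", "-layoutnames", "-scriptnames"}
READ_COMMANDS = {"-find", "-findall", "-findany", "-view"}
ALL_COMMANDS = WRITE_COMMANDS | ENUM_COMMANDS | READ_COMMANDS

TRUSTED_SOURCES = {"10.0.0.5"}  # assumption: the FX.php web server
GUESS_THRESHOLD = 5             # 401s from one host before we call it guessing

# NCSA combined format: host ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_fm_request(target):
    """Decode a request target aimed at the FileMaker XML interface.

    Returns None for any other path. Otherwise returns the query command
    (e.g. '-delete', or None for a bare URL), the -db and -lay values and
    the username if the URL carried credentials in its authority part,
    as the FX debug URL does (user:password@host).
    """
    parts = urlsplit(target)
    if not parts.path.startswith("/fmi/xml/"):
        return None
    # keep_blank_values: commands appear as bare keys ("...&-delete").
    params = parse_qs(parts.query, keep_blank_values=True)
    commands = [k for k in params if k in ALL_COMMANDS]
    return {
        "command": commands[0] if commands else None,
        "db": params.get("-db", [""])[0],
        "lay": params.get("-lay", [""])[0],
        "user_in_url": parts.username,
    }


def triage(log_lines):
    """Return (source, reason, target) alerts.

    Writes and catalogue enumeration that the server honoured for an
    untrusted host are reported directly; repeated 401s from one host
    are reported once as probable guessing of the web account password.
    """
    alerts = []
    failed_auth = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        src, target, status = m["src"], m["target"], m["status"]
        req = parse_fm_request(target)
        if req is None:
            continue
        if status == "401":
            failed_auth[src] += 1
            continue
        if src in TRUSTED_SOURCES:
            continue
        if req["command"] in WRITE_COMMANDS:
            alerts.append((src, f"{req['command']} from untrusted host", target))
        elif req["command"] in ENUM_COMMANDS:
            alerts.append((src, f"{req['command']} enumeration from untrusted host", target))
    for src, n in failed_auth.items():
        if n >= GUESS_THRESHOLD:
            alerts.append((src, f"{n} failed logins to XML interface", "-"))
    return alerts


# Constructed sample: normal FX.php traffic from the web server, then an
# outside host guessing the password, listing databases, deleting a record.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Jan/2007:09:43:08 -0700] "GET /fmi/xml/FMPXMLRESULT.xml?-db=DatabaseName.fp7&-lay=LayoutName&-findall HTTP/1.1" 200 5120 "-" "FX.php"
10.0.0.5 - - [25/Jan/2007:09:43:09 -0700] "GET /fmi/xml/FMPXMLRESULT.xml?-db=DatabaseName.fp7&-lay=LayoutName&Name=Gary&-new HTTP/1.1" 200 811 "-" "FX.php"
203.0.113.7 - - [25/Jan/2007:09:51:02 -0700] "GET /fmi/xml/FMPXMLRESULT.xml?-dbnames HTTP/1.1" 401 0 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Jan/2007:09:51:03 -0700] "GET /fmi/xml/FMPXMLRESULT.xml?-dbnames HTTP/1.1" 401 0 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Jan/2007:09:51:04 -0700] "GET /fmi/xml/FMPXMLRESULT.xml?-dbnames HTTP/1.1" 401 0 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Jan/2007:09:51:05 -0700] "GET /fmi/xml/FMPXMLRESULT.xml?-dbnames HTTP/1.1" 401 0 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Jan/2007:09:51:06 -0700] "GET /fmi/xml/FMPXMLRESULT.xml?-dbnames HTTP/1.1" 401 0 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Jan/2007:09:51:07 -0700] "GET /fmi/xml/FMPXMLRESULT.xml?-dbnames HTTP/1.1" 200 940 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Jan/2007:09:52:40 -0700] "GET /fmi/xml/FMPXMLRESULT.xml?-db=DatabaseName.fp7&-lay=LayoutName&-recid=12&-delete HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for src, reason, target in triage(SAMPLE_LOG.splitlines()):
        print(f"{src}: {reason} ({target})")
```

On the constructed sample this reports three things from 203.0.113.7: five failed logins, a successful -dbnames listing and a -delete. Note what the log cannot tell you: whether the delete succeeded against the account's privileges. That is why the advice in the thread (a separate read-only account, delete switched off for the R/W account, a strong password) matters even when you watch the logs; the triage only tells you someone tried.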