[FX.php List] The web password in FX

Gjermund Gusland Thorsen ggt667 at gmail.com
Thu Jan 25 11:48:09 MST 2007


Perhaps this solves your problem?

http://www.file-making.com/tutorial/part5.php

ggt667

On 1/25/07, Andrew Denman <adenman at tmea.org> wrote:
>
> Gary,
>
> This is an issue I've seen several people on the net complain about, but
> I've never seen anyone provide a good explanation on how to really "fix"
> it. The problem is everyone has their database passwords in plain text in
> their code files, so all a black hat has to do is get into your files and
> they have free rein of your database.
>
> The solution is to encrypt your passwords, put the encrypted text in your
> code files, and then decrypt them right before connecting to the database.
> I've searched for help on doing this in the past and there hasn't been much
> out there.  The hard part (especially on hosted websites) is implementing
> this in a way that isn't just a smokescreen.
>
> I gave up on my past efforts, so I unfortunately don't have any direction to
> point you towards other than what's written above.  If you do find something
> that works please pass it on.
>
> Andrew Denman
>
> ________________________________
>
> From: fx.php_list-bounces at mail.iviking.org
> [mailto:fx.php_list-bounces at mail.iviking.org] On Behalf Of Gary Sprung
> Sent: Thursday, January 25, 2007 12:02 PM
> To: FX.php Discussion List
> Subject: Re: [FX.php List] The web password in FX
>
> Ed,
>
> I think that does answer my question. It shows how an attacker can get at
> the data without having access to the web directory. I don't think they
> could do more than what that privilege set allows and I definitely turn off
> delete for that account. But the intruder still could alter all the data
> because the web account has to do read/write to allow users to enter data
> via the web.
>
> Also, the tip about DEBUG is great! Thanks.
>
> GS
>
> On Jan 25, 2007, at 8:18 AM, Edward L. Ford wrote:
>
> I always use a strong password because someone can try and attack your
> database without access to the PHP files if they try different passwords
> using a well-formed URL. Try turning on the DEBUG privilege in an FX page:
> you'll see a URL output to the top of your page that looks something like:
>
> http://WebUserAccount:Password@filemaker.server.com:80/fmi/xml/FMPXMLRESULT.xml?-db=DatabaseName.fp7&-lay=LayoutName
>
> Using the right URL in a form like that above, you can view the XML dump of
> a record set. Modify that URL in the right way, and you can edit, create,
> delete records -- the commands aren't hard to find with Google.
>
> --------
> Gary Sprung
> GNURPS Consulting
>
> gary at gnurps.com
> www.gnurps.com
>
> Landline: 720-565-9933
> Cell: 303-859-9331
>
> _______________________________________________
> FX.php_List mailing list
> FX.php_List at mail.iviking.org
> http://www.iviking.org/mailman/listinfo/fx.php_list
>
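
An added example, not part of the thread or of FX.php: rather than the encrypt-in-code approach discussed above, this PHP code uses a different technique, keeping the web account in a file outside the web directory and refusing to use it when it is web-reachable or readable by other local users. The function name, file layout, and INI keys are assumptions, and POSIX file modes are assumed.

```php
<?php
// Added example, not FX.php code. Hypothetical names: load_fm_credentials(),
// fm_web.ini and its keys. Values below are constructed samples.

/** Load the FileMaker web account from an INI file kept outside the web root. */
function load_fm_credentials(string $iniPath, string $docRoot): array
{
    $real = realpath($iniPath);
    if ($real === false || !is_file($real)) {
        throw new RuntimeException('credentials file not found');
    }
    // A file under the document root could be served to anyone who guesses its URL.
    $root = realpath($docRoot);
    if ($root !== false && strpos($real, rtrim($root, '/') . '/') === 0) {
        throw new RuntimeException('credentials file is inside the web root');
    }
    // Any group/other permission bit means another local account can read it.
    $perms = fileperms($real);
    if ($perms === false || ($perms & 0077) !== 0) {
        throw new RuntimeException('credentials file must be mode 0600 or 0400');
    }
    $cfg = parse_ini_file($real);   // quote the values in the INI file
    if ($cfg === false) {
        throw new RuntimeException('credentials file is not valid INI');
    }
    foreach (['user', 'password', 'database'] as $key) {
        if (!isset($cfg[$key]) || $cfg[$key] === '') {
            throw new RuntimeException("missing key: $key");
        }
    }
    return ['user' => $cfg['user'], 'password' => $cfg['password'],
            'database' => $cfg['database']];
}

// Constructed demo: a temp directory stands in for the real server layout.
$base = sys_get_temp_dir() . '/fx_example_' . getmypid();
mkdir("$base/htdocs", 0700, true);
$ini = "$base/fm_web.ini";
file_put_contents($ini, "user = \"WebUserAccount\"\n"
    . "password = \"constructed-sample-value\"\ndatabase = \"DatabaseName.fp7\"\n");
chmod($ini, 0600);
$cred = load_fm_credentials($ini, "$base/htdocs");
echo "loaded {$cred['user']} for {$cred['database']}\n"; // hand these to FX at connect time
chmod($ini, 0644);                 // weak setting: readable by every local user
clearstatcache();
try {
    load_fm_credentials($ini, "$base/htdocs");
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

This only keeps the password out of the served files; it does not change what the web account's privilege set allows, nor the password-guessing exposure of the XML URL described in the thread.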

