[FX.php List] Security Concerns

Edward L. Ford elford at cs.bu.edu
Thu Jan 25 13:32:33 MST 2007


I'm not sure what Joel exactly means here -- I'm thinking putting  
data from FileMaker in a hidden HTML text field, in which case, bots  
can certainly see the data -- all anyone needs to do is view the page  
source to see the "hidden" data.  For any sort of data you need to  
have persistent in your application but don't want displayed, PHP  
sessions are probably the best solution.

And David, if you're processing credit card data, Andrew's suggestion  
seems to be a good one, but you absolutely should have the connection  
to your FileMaker server over SSL (not plain HTTP on port 80) to  
keep the data from being sniffed between the PHP app and the  
FileMaker server.  I've never used SSL with FileMaker, so I can't be  
of more assistance than that.

--Ed
-----------------------------------
http://www.edwardford.net
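An added example (not from this thread or from the FX.php project) contrasting the hidden-field pattern Ed describes with keeping the value in a PHP session and sending the browser only an opaque handle; `$record` is an assumed array already fetched from FileMaker, and the card number and email in it are constructed sample values. Assumes PHP 7.3 or later for the array form of session_set_cookie_params().

```php
<?php
// Added example, not code from the mailing list or FX.php.
// A hidden <input> still ships the value to the browser, so "hidden" is
// cosmetic; a PHP session keeps the value on the server instead.

// Assumed: $record was already fetched from FileMaker (e.g. via FX.php).
// Constructed sample data, not real card or customer details.
$record = ['card_number' => '4111111111111111', 'email' => 'jane@example.com'];

// --- Weak pattern: the FileMaker value is embedded in the page source. ---
function weakForm(array $record): string
{
    $card = htmlspecialchars($record['card_number'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="step2.php">'
         . '<input type="hidden" name="card_number" value="' . $card . '">'
         . '<input type="submit" value="Continue"></form>';
}

// --- Better pattern: the value stays in $_SESSION; only a token goes out. ---
function sessionForm(array $record): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Cookie flags limit exposure of the session id itself.
        session_set_cookie_params([
            'secure' => true, 'httponly' => true, 'samesite' => 'Strict',
        ]);
        session_start();
    }
    session_regenerate_id(true);          // fresh id once sensitive state is attached
    $_SESSION['checkout'] = $record;      // never leaves the server
    // The browser receives only a random, meaningless handle.
    $_SESSION['checkout_token'] = bin2hex(random_bytes(16));
    $token = $_SESSION['checkout_token'];
    return '<form method="post" action="step2.php">'
         . '<input type="hidden" name="token" value="' . $token . '">'
         . '<input type="submit" value="Continue"></form>';
}

// step2.php (assumed next page) would then read the data back server-side:
//   session_start();
//   if (!hash_equals($_SESSION['checkout_token'] ?? '', $_POST['token'] ?? '')) {
//       exit('bad request');
//   }
//   $record = $_SESSION['checkout'];  // nothing sensitive came from the client
```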

On Jan 25, 2007, at 3:22 PM, Joel Shapiro wrote:

> Maybe a dumb question, but...
>
> If a web form sends data (email, credit card...) to a FileMaker field  
> but that field's contents are nowhere displayed on the website, can  
> bots still see the data in that field?  (I had thought Ed's concern  
> over bots was because the emails *are* displayed on his website)
>
> -Joel
>
>
> On Jan 25, 2007, at 12:14 PM, Andrew Denman wrote:
>
>> David,
>>
>> You will have to test this, but you could make one account that  
>> can only create records (no viewing, access to all fields) and use  
>> that to write to the database.  A separate account would be used  
>> to retrieve records, and it would be denied access to fields you  
>> want to hide.
>>
>>
>>
>> Andrew Denman
>>
>>
>> From: fx.php_list-bounces at mail.iviking.org [mailto:fx.php_list-bounces at mail.iviking.org] On Behalf Of David Tinoco
>> Sent: Thursday, January 25, 2007 1:38 PM
>> To: fx.php_list at mail.iviking.org
>> Subject: [FX.php List] Security Concerns
>>
>>
>>
>> Well guys, this scares me now, as I was planning to design a  
>> secure page that took a customer's credit card information and  
>> stored it only for a few hours in FM until the sales rep  
>> transferred it to a secure "internetless" computer.
>>
>> But I realized that in order to have create and view access, you  
>> obviously must have read access, right?
>>
>> So couldn't anyone theoretically look up any credit card number  
>> while it hadn't been transferred?
>>
>> Any help with suggestions would be great.
>>
>> David
>>
>> _______________________________________________
>> FX.php_List mailing list
>> FX.php_List at mail.iviking.org
>> http://www.iviking.org/mailman/listinfo/fx.php_list
>
