[FX.php List] Security Concerns

Joel Shapiro jsfmp at earthlink.net
Thu Jan 25 14:15:22 MST 2007


Thanks Jonathan.  Yes, that's what I'm referring to -- and my  
confusion came from David's post, where it seems he's concerned about  
credit card numbers that are stored in his FM DB.

I would, however, ask for the distinction between database data and  
data on a web page (displayed or hidden)  ["hardcoded" doesn't make  
sense to me in this situation]

Thanks,
-Joel


On Jan 25, 2007, at 12:56 PM, Jonathan Schwartz wrote:

> I know what Joel is referring to, and it is the same question that  
> I am asking myself as this thread progresses.
>
> The original post had to do with concerns that bots could find  
> *hard coded data* appearing on an html web page...email addresses.   
> Right?  The answer is/was "yes", unless you take steps  
> described...and even then..."maybe".
>
> However, the thread migrated to bots being able to send queries to  
> FileMaker to harvest sensitive data.  These are two different  
> things entirely.
>
> In the last case that Ed describes, this is hard-coded data, albeit
> "hidden".  Hidden data is available to anyone who knows how to use
> the View Source option.
>
> Can we make the distinction between database data and hardcoded data?
>
> ...unless I'm totally off base. ;-)
>
> Jonathan
>
>> I'm not sure what Joel exactly means here -- I'm thinking putting  
>> data from FileMaker in a hidden HTML text field, in which case,  
>> bots can certainly see the data -- all anyone needs to do is view  
>> the page source to see the "hidden" data.  For any sort of data  
>> you need to have persistent in your application but don't want  
>> displayed, PHP sessions are probably the best solution.
>>
>> And David, if you're processing credit card data, Andrew's  
>> suggestion seems to be a good one, but you absolutely should have  
>> the connection to your FileMaker server over SSL (not plain HTTP  
>> on port 80) to avoid the data being sniffed between the PHP
>> app and the FileMaker server.  I've never used SSL with Filemaker,  
>> so I can't be of more assistance than that.
>>
>> --Ed
>> -----------------------------------
>> http://www.edwardford.net
>>
>> On Jan 25, 2007, at 3:22 PM, Joel Shapiro wrote:
>>
>>> Maybe a dumb question, but...
>>>
>>> If a web form sends data (email, credit card...) to a FileMaker
>>> field but that field's contents are nowhere displayed on the  
>>> website, can bots still see the data in that field?  (I had  
>>> thought Ed's concern over bots was because the emails *are*  
>>> displayed on his website)
>>>
>>> -Joel
>>>
>>>
>>> On Jan 25, 2007, at 12:14 PM, Andrew Denman wrote:
>>>
>>>> David,
>>>>
>>>> You will have to test this, but you could make one account that  
>>>> can only create records (no viewing, access to all fields) and  
>>>> use that to write to the database.  A separate account would be  
>>>> used to retrieve records, and it would be denied access to  
>>>> fields you want to hide.
>>>>
>>>>
>>>>
>>>> Andrew Denman
>>>>
>>>>
>>>> From: fx.php_list-bounces at mail.iviking.org [mailto:fx.php_list-bounces at mail.iviking.org] On Behalf Of David Tinoco
>>>> Sent: Thursday, January 25, 2007 1:38 PM
>>>> To: fx.php_list at mail.iviking.org
>>>> Subject: [FX.php List] Security Concerns
>>>>
>>>>
>>>>
>>>> Well guys, this scares me now, as I was planning to design a  
>>>> secure page that took a customer's credit card information and  
>>>> stored it only for a few hours in FM until the sales rep  
>>>> transferred it to a secure "internetless" computer.
>>>>
>>>> But I realized that in order to have create and view access, you  
>>>> obviously must have read access, right?
>>>>
>>>> So couldn't anyone theoretically lookup any credit card number  
>>>> while it hadn't been transferred?
>>>>
>>>> Any help with suggestions would be great.
>>>>
>>>> David
>>>>
>>>>
>>>> _______________________________________________
>>>> FX.php_List mailing list
>>>> FX.php_List at mail.iviking.org
>>>> http://www.iviking.org/mailman/listinfo/fx.php_list
>>>
>>
>>
>
>
> --
>
> Jonathan Schwartz
> FileMaker 8 Certified  Developer
> Associate Member, FileMaker Solutions Alliance
> Schwartz & Company
> jonathan at eschwartz.com
> http://www.eschwartz.com
> http://www.exit445.com
> 415-381-1852
>
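Andrew's two-account design and Ed's "use a session, not a hidden field" point, written out as an added example that is not part of any post in this thread and not FX.php's own code. It assumes FX.php is installed; the FX.php method names are as I recall them (verify against your copy), and the host, file, layout, account, password and field names are placeholders.

```php
<?php
// Added example (not from the list or FX.php itself): Andrew's two-account
// design. Host, file, layout, account and field names are placeholders;
// the FX.php method names are as I recall them -- verify against your copy.
require_once 'FX/FX.php';

define('FM_HOST', 'fmserver.example.internal');   // placeholder host
define('FM_PORT', 443);                           // SSL, not plain HTTP on 80
define('FM_FILE', 'Orders.fp7');                  // placeholder file

// Account 1: its privilege set allows "create" only on the Orders table
// (no view, edit or delete). Used solely by the order form handler.
function fm_write_only() {
    $q = new FX(FM_HOST, FM_PORT, 'FMPro7', 'https');
    $q->SetDBData(FM_FILE, 'web_intake', 1);
    $q->SetDBPassword('create-only-password', 'web_intake');   // placeholder
    return $q;
}

// Account 2: its privilege set allows "view" on Orders, but the sensitive
// field (card_number) is set to "no access". Used by the site's read paths.
function fm_read_masked() {
    $q = new FX(FM_HOST, FM_PORT, 'FMPro7', 'https');
    $q->SetDBData(FM_FILE, 'web_status', 50);
    $q->SetDBPassword('read-masked-password', 'web_status');   // placeholder
    return $q;
}

// Order form handler: write the card number once and never echo it back.
function store_order($email, $card) {
    $q = fm_write_only();
    $q->AddDBParam('email', $email);
    $q->AddDBParam('card_number', $card);
    $r = $q->FMNew();
    if ($r['errorCode'] != 0) { return false; }
    // Keep only a non-sensitive reference in the PHP session, not in a
    // hidden <input>: hidden fields are readable with View Source.
    session_start();
    $_SESSION['order_email'] = $email;
    return true;
}

// Status page: the masked account cannot see card_number at all, so a query
// sent through this code path cannot return it even if the query is crafted.
function lookup_status($email) {
    $q = fm_read_masked();
    $q->AddDBParam('email', $email, 'eq');
    $r = $q->FMFind();
    if ($r['errorCode'] != 0) { return null; }
    return $r['data'];   // card_number is absent/empty for this account
}
```

Test it the way Andrew suggests: log in as the create-only account and confirm a find fails, then log in as the read account and confirm the card field comes back empty.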


