[FX.php List] Security Concerns

Gjermund Gusland Thorsen ggt667 at gmail.com
Fri Jan 26 03:03:15 MST 2007


You need to have https only access to the domain that deals with credit cards

such as https://store.apple.com

The rest of the page can be http://www.apple.com

ggt667

On 1/25/07, Joel Shapiro <jsfmp at earthlink.net> wrote:
> Thanks Jonathan.  Yes, that's what I'm referring to -- and my
> confusion came from David's post, where it seems he's concerned about
> credit card numbers that are stored in his FM DB.
>
> I would, however, ask for the distinction between database data and
> data on a web page (displayed or hidden)  ["hardcoded" doesn't make
> sense to me in this situation]
>
> Thanks,
> -Joel
>
>
> On Jan 25, 2007, at 12:56 PM, Jonathan Schwartz wrote:
>
> > I know what Joel is referring to, and it is the same question that
> > I am asking myself as this thread progresses.
> >
> > The original post had to do with concerns that bots could find
> > *hard coded data* appearing on an html web page...email addresses.
> > Right?  The answer is/was "yes", unless you take steps
> > described...and even then..."maybe".
> >
> > However, the thread migrated to bots being able to send queries to
> > FileMaker to harvest sensitive data.  These are two different
> > things entirely.
> >
> > In the last case that Ed describes, this is hard-coded data, albeit
> > "hidden".  Hidden data is available to anyone who knows how to use
> > the View Source option.
> >
> > Can we make the distinction between database data and hardcoded data?
> >
> > ...unless I'm totally off base. ;-)
> >
> > Jonathan
> >
> >> I'm not sure what Joel exactly means here -- I'm thinking putting
> >> data from FileMaker in a hidden HTML text field, in which case,
> >> bots can certainly see the data -- all anyone needs to do is view
> >> the page source to see the "hidden" data.  For any sort of data
> >> you need to have persistent in your application but don't want
> >> displayed, PHP sessions are probably the best solution.
> >>
> >> And David, if you're processing credit card data, Andrew's
> >> suggestion seems to be a good one, but you absolutely should have
> >> the connection to your FileMaker server over SSL (not plain HTTP
> >> on port 80) to avoid the data from being sniffed between the PHP
> >> app and the FileMaker server.  I've never used SSL with Filemaker,
> >> so I can't be of more assistance than that.
> >>
> >> --Ed
> >> -----------------------------------
> >> http://www.edwardford.net
> >>
> >> On Jan 25, 2007, at 3:22 PM, Joel Shapiro wrote:
> >>
> >>> Maybe a dumb question, but...
> >>>
> >>> If a web form sends data (email, credit card...) to a FileMaker
> >>> field but that field's contents are nowhere displayed on the
> >>> website, can bots still see the data in that field?  (I had
> >>> thought Ed's concern over bots was because the emails *are*
> >>> displayed on his website)
> >>>
> >>> -Joel
> >>>
> >>>
> >>> On Jan 25, 2007, at 12:14 PM, Andrew Denman wrote:
> >>>
> >>>> David,
> >>>>
> >>>> You will have to test this, but you could make one account that
> >>>> can only create records (no viewing, access to all fields) and
> >>>> use that to write to the database.  A separate account would be
> >>>> used to retrieve records, and it would be denied access to
> >>>> fields you want to hide.
> >>>>
> >>>>
> >>>>
> >>>> Andrew Denman
> >>>>
> >>>>
> >>>> From: fx.php_list-bounces at mail.iviking.org [mailto:fx.php_list-bounces at mail.iviking.org] On Behalf Of David Tinoco
> >>>> Sent: Thursday, January 25, 2007 1:38 PM
> >>>> To: fx.php_list at mail.iviking.org
> >>>> Subject: [FX.php List] Security Concerns
> >>>>
> >>>>
> >>>>
> >>>> Well guys, this scares me now, as I was planning to design a
> >>>> secure page that took a customer's credit card information and
> >>>> stored it only for a few hours in FM until the sales rep
> >>>> transferred it to a secure "internetless" computer.
> >>>>
> >>>> But I realized that in order to have create and view access, you
> >>>> obviously must have read access, right?
> >>>>
> >>>> So couldn't anyone theoretically look up any credit card number
> >>>> while it hadn't been transferred?
> >>>>
> >>>> Any help with suggestions would be great.
> >>>>
> >>>> David
> >>>>
> >>>> _______________________________________________
> >>>> FX.php_List mailing list
> >>>> FX.php_List at mail.iviking.org
> >>>> http://www.iviking.org/mailman/listinfo/fx.php_list
> >>>
> >>
> >>
> >
> >
> > --
> >
> > Jonathan Schwartz
> > FileMaker 8 Certified  Developer
> > Associate Member, FileMaker Solutions Alliance
> > Schwartz & Company
> > jonathan at eschwartz.com
> > http://www.eschwartz.com
> > http://www.exit445.com
> > 415-381-1852
> >
>
>
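The thread makes three points that are easy to show side by side in PHP: Ed's warning that a "hidden" form field is plain text in the page source, his suggestion to keep such values in a PHP session instead, and ggt667's rule that the card-handling host must be reachable over HTTPS only. The block below is an added example written for this page; it is not code from the FX.php list, from FX.php itself, or from any poster. The host name `store.example.com` is a placeholder, and the function names (`requireHttps`, `hiddenFieldStepTwo`, `sessionStepTwo`, `readStepTwo`) are assumed for illustration.

```php
<?php
// Added example, not from the FX.php list or the FX.php project.
// Assumed names: CHECKOUT_HOST, requireHttps(), hiddenFieldStepTwo(),
// sessionStepTwo(), readStepTwo(). Host name is a placeholder.

const CHECKOUT_HOST = 'store.example.com';

// ggt667's point: the domain that handles card data is HTTPS-only.
// Any plain-HTTP request is redirected before the card field is even read.
function requireHttps(array $server): void
{
    $isHttps = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off')
        || (($server['SERVER_PORT'] ?? 0) == 443);
    if (!$isHttps) {
        header('Location: https://' . CHECKOUT_HOST . ($server['REQUEST_URI'] ?? '/'), true, 301);
        exit;
    }
}

// Ed's point: a hidden input only hides the value from the rendered page.
// The number sits verbatim in the HTML and is visible through View Source
// or to anything that fetches the page. Shown here as the pattern to avoid.
function hiddenFieldStepTwo(string $email, string $card): string
{
    return '<form method="post" action="step3.php">'
        . '<input type="hidden" name="email" value="' . htmlspecialchars($email, ENT_QUOTES) . '">'
        . '<input type="hidden" name="card" value="' . htmlspecialchars($card, ENT_QUOTES) . '">'
        . '<button>Continue</button></form>';
}

// Ed's recommendation: keep the values server-side in the PHP session and
// give the browser only an opaque session cookie. The cookie is marked
// Secure (sent only over HTTPS) and HttpOnly (not readable by script).
function sessionStepTwo(string $email, string $card): string
{
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_httponly', '1');
    ini_set('session.use_only_cookies', '1');
    session_start();                      // must precede any output
    $_SESSION['email'] = $email;
    $_SESSION['card']  = $card;           // never written into the HTML
    return '<form method="post" action="step3.php"><button>Continue</button></form>';
}

// step3.php side: the values come back from the session, not from the request,
// so nothing the browser submits can alter or reveal them.
function readStepTwo(): array
{
    session_start();
    return [
        'email' => $_SESSION['email'] ?? '',
        'card'  => $_SESSION['card']  ?? '',
    ];
}

requireHttps($_SERVER);
$email = trim($_POST['email'] ?? '');
$card  = preg_replace('/\D/', '', $_POST['card'] ?? '');   // digits only
echo sessionStepTwo($email, $card);
```

With the session version the card number never appears in any HTML, and `step3.php` reads it back with `readStepTwo()` after its own `session_start()`. The value still exists on the server, in the session store and then in FileMaker once it is written, which is why Andrew's privilege split (a create-only account for the web form's writes, and a separate read account that is denied the card field) and Ed's SSL between the PHP app and the FileMaker server remain necessary alongside this change.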

