[FX.php List] The web password in FX
Edward L. Ford
elford at cs.bu.edu
Mon Jan 29 08:42:05 MST 2007
My understanding based on the FileMaker documentation is that if a
privilege set is turned off, then the data in the database is
unavailable through that method -- so turning off fmxml would indeed
prevent XML access through a URL like I specified.
However, I'm not sure what you mean by the 'fmphp' extended
privilege, because I'm not aware of such a privilege, unless this is
something new with FileMaker's new public API for PHP, which I have
not tried.
--Ed
-----------------------------------
http://www.edwardford.net
On Jan 28, 2007, at 6:48 PM, Troy Meyers wrote:
> Ed,
>
> I'm new to all this, having recently come from the FileMaker 6 and
> CDML world, and this is confusing to me. From the studying I've
> been doing, it seemed like a bad guy wouldn't be able to get
> malicious access using the-- http://
> WebUserAccount:Password at filemaker.server.com:80/fmi/xml/
> FMPXMLRESULT.xml?-db=DatabaseName.fp7&-lay=LayoutName --sort of
> method unless the fmxml extended privilege was enabled in the
> FileMaker file? Can't you just disable that to prevent access using
> XML methods, password or not? Don't you only need the fmphp
> extended privilege for the PHP script (defined by you, not any
> external person) to get/create the allowed FileMaker data?
>
> -Troy
>
> Ed Ford wrote:
>
>
>> GGT: Are these logs automatically kept by the server, or is this
>> something you've developed?
>>
>> Gary:
>>
>> As standard practice, I now create 2 web accounts for all
>> applications: one that is read only, and another that is R/W. For
>> each of these, I limit their access only to the fields absolutely
>> necessary for the PHP part of the app. On the R/W account, I turn off
>> delete unless that's a needed privilege for the application.
>>
>> I always use a strong password because someone can try and attack your
>> database without access to the PHP files if they try different
>> passwords using a well-formed URL. Try turning on the DEBUG privilege
>> in an FX page: you'll see a URL output to the top of your page that
>> looks something like:
>>
>> http://WebUserAccount:Password@filemaker.server.com:80/fmi/xml/
>> FMPXMLRESULT.xml?-db=DatabaseName.fp7&-lay=LayoutName
>>
>> Using the right URL in a form like that above, you can view the XML
>> dump of a record set. Modify that URL in the right way, and you can
>> edit, create, delete records -- the commands aren't hard to find with
>> Google.
>>
>> Moral of the story: Security is paramount, be more secure than you
>> think you need to be. Use a good password and well thought out
>> security privileges in FileMaker to ensure you don't get any nasty
>> surprises! :-)
>>
>> --Ed
>
> _______________________________________________
> FX.php_List mailing list
> FX.php_List at mail.iviking.org
> http://www.iviking.org/mailman/listinfo/fx.php_list
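Added example, not part of the list thread: a small defender-side check for the password-guessing risk Ed describes, run over constructed Apache-style web server log lines (not real FileMaker Server output). It counts 401 responses per client against the /fmi/xml/ publishing URL and lists any client other than your own FX.php host that reached that interface; the sample lines, IP addresses and threshold are all assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in Apache-style common log format (not real FileMaker
# Server output): repeated 401s from one client against the XML publishing URL
# discussed in the thread, plus one legitimate 200 from the PHP web server host.
SAMPLE_LOG = """\
10.0.0.7 - - [29/Jan/2007:08:40:01 -0700] "GET /fmi/xml/FMPXMLRESULT.xml?-db=DatabaseName.fp7&-lay=LayoutName&-findall HTTP/1.1" 401 0
10.0.0.7 - - [29/Jan/2007:08:40:02 -0700] "GET /fmi/xml/FMPXMLRESULT.xml?-db=DatabaseName.fp7&-lay=LayoutName&-findall HTTP/1.1" 401 0
10.0.0.7 - - [29/Jan/2007:08:40:03 -0700] "GET /fmi/xml/FMPXMLRESULT.xml?-db=DatabaseName.fp7&-lay=LayoutName&-findall HTTP/1.1" 401 0
10.0.0.7 - - [29/Jan/2007:08:40:04 -0700] "GET /fmi/xml/FMPXMLRESULT.xml?-db=DatabaseName.fp7&-lay=LayoutName&-findall HTTP/1.1" 401 0
10.0.0.7 - - [29/Jan/2007:08:40:05 -0700] "GET /fmi/xml/FMPXMLRESULT.xml?-db=DatabaseName.fp7&-lay=LayoutName&-findall HTTP/1.1" 401 0
192.168.1.20 - - [29/Jan/2007:08:41:00 -0700] "GET /fmi/xml/FMPXMLRESULT.xml?-db=DatabaseName.fp7&-lay=LayoutName&-findall HTTP/1.1" 200 1842
192.168.1.20 - - [29/Jan/2007:08:41:30 -0700] "GET /index.php HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, path, status) for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))

def xml_auth_failures(log_text, threshold=5):
    """Count 401 responses per client IP on the /fmi/xml/ interface and return
    the clients at or above `threshold`: candidates for password guessing."""
    failures = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, status = parsed
        if path.startswith("/fmi/xml/") and status == 401:
            failures[ip] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}

def xml_clients_outside_allowlist(log_text, allowed_ips):
    """Return clients that reached /fmi/xml/ but are not your own PHP web server(s).
    If only your FX.php host should use the XML interface, anything else here is suspect."""
    seen = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1].startswith("/fmi/xml/") and parsed[0] not in allowed_ips:
            seen.add(parsed[0])
    return sorted(seen)

if __name__ == "__main__":
    print(xml_auth_failures(SAMPLE_LOG))                                # {'10.0.0.7': 5}
    print(xml_clients_outside_allowlist(SAMPLE_LOG, {"192.168.1.20"}))  # ['10.0.0.7']
```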