[FX.php List] The web password in FX

Troy Meyers tcmeyers at troymeyers.com
Mon Jan 29 09:37:23 MST 2007


Ed,

You are right, I see now that the 'fmphp' extended privilege is for the FileMaker PHP API. Sorry,  guess I'm trying to absorb too much new knowledge at once. Is there an equivalent privilege for FX.php? Does the 'fmxml' privilege need to be enabled for FX.php to work, or will disabling it eliminate the XML security risk but still allow my local PHP files to control what data and actions are available to a web user (good or bad)?

Thanks for the answer.

-Troy


Ed Ford wrote:

> My understanding based on the FileMaker documentation is that if a  
> privilege set is turned off, then the data in the database is  
> unavailable through that method -- so turning off fmxml would indeed  
> prevent XML access through a URL like I specified.
> 
> However, I'm not sure what you mean by the 'fmphp' extended  
> privilege, because I'm not aware of such a privilege, unless this is  
> something new with FileMaker's new public API for PHP, which I have  
> not tried.
> 
> --Ed
> 
> -----------------------------------
> 
On Jan 28, 2007, at 6:48 PM, Troy Meyers wrote:

> Ed,
>
> I'm new to all this, having recently come from the FileMaker 6 and  
> CDML world, and this is confusing to me. From the studying I've  
> been doing, it seemed like a bad guy wouldn't be able to get  
> malicious access using the-- http:// 
> WebUserAccount:Password at filemaker.server.com:80/fmi/xml/ 
> FMPXMLRESULT.xml?-db=DatabaseName.fp7&-lay=LayoutName  --sort of  
> method unless the fmxml extended privilege was enabled in the  
> FileMaker file? Can't you just disable that to prevent access using  
> XML methods, password or not? Don't you only need the fmphp  
> extended privilege for the PHP script (defined by you, not any  
> external person) to get/create the allowed FileMaker data?
>
> -Troy
>
> Ed Ford wrote:
>
>
>> GGT: Are these logs automatically kept by the server, or is this
>> something you've developed?
>>
>> Gary:
>>
>> As standard practice, I now create 2 web accounts for all
>> applications: one that is read only, and another that is R/W.  For
>> each of these, I limit their access only to the fields absolutely
>> necessary for the PHP part of the app.  On the R/W account, I  
>> turn   off
>> delete unless that's a needed privilege for the application.
>>
>> I always use a strong password because someone can try and  
>> attack   your
>> database without access to the PHP files if they try different
>> passwords using a well-formed URL.  Try turning on the DEBUG    
>> privilege
>> in an FX page: you'll see a URL output to the top of your   page that
>> looks something like:
>>
>> http://WebUserAccount:Password@filemaker.server.com:80/fmi/xml/
>> FMPXMLRESULT.xml?-db=DatabaseName.fp7&-lay=LayoutName
>>
>> Using the right URL in a form like that above, you can view the XML
>> dump of a record set.  Modify that URL in the right way, and you can
>> edit, create, delete records -- the commands aren't hard to find with
>> Google.
>>
>> Moral of the story: Security is paramount, be more secure than you
>> think you need to be. Use a good password and well thought out
>> security privileges in FileMaker to ensure you don't get any nasty
>> surprises!  :-)
>>
>> --Ed



More information about the FX.php_List mailing list