[FX.php List] [OFF] Filemaker Web Security?

Thu Sep 4 18:24:30 MDT 2008

Hi Joel,

I'd be very surprised if FM was susceptible to any form of SQL injection
attack. However, PHP code for form processing can still be vulnerable,
especially email scripts.

On 5/09/08 10:06 AM, "Joel Shapiro" <jsfmp at earthlink.net> wrote:

> Hi again
> 
> This is how the client replied when I asked for more info:
> "I keep hearing about "sql injection attacks" being used to
> compromise web pages. So I was wondering if Filemaker had a
> notification service about updates and / or security issues. It may
> be that Filemaker is "flying under the radar" when it comes to
> malware writers and there is little reason for concern. Given the
> security of the Internet nowadays I would rather be safe than sorry."
> 
> It seems that FMI does *not* provide (decipherable) security update
> notifications, so I can pass that along to the client.
> 
> Investigating "SQL injection attacks" (e.g. <http://www.sitepoint.com/
> print/sql-injection-attacks-safe/> ), I'm reminded of Jonathan
> Stark's DevCon presentation in which he urged (numerous times) that
> we Filter All Data, incl. the use of htmlentities() & strip_tags()...
> 
> Do people here do that on *all* submittable fields?   For all FMFind,
> FMEdit & FMNew?  Is there some guideline as to when that's more or
> less important?  Are there other functions you like to use for this?
> 
> Also:
> 
> 1) Is a site vulnerable to this type attack when using FileMaker
> security for logins (internal or Ext Auth w/ AD OD)?  (My guess is
> "no" since these aren't fields in a web-accessible database...)
> 
> 2) When using records w/ username & password fields for logins, would
> using the format:
>     $login->AddDBParam('UserID','=="'.$_POST['user_name'].'"');
> be safe enough to avoid these types of attacks, since FM can't
> process additional code like SQL seemingly can
> (e.g. the submission of: ' or 1=1 -- ) ?
> 
> 3) Are there any such risks within FMEdit calls?  Does it matter
> whether fields are submitted via radio buttons?
> 
> 4) The above URL cautions against SQL procedures such as xp_cmdshell
> and xp_grantlogin.  Do FileMaker or FX.php (or the API) have any such
> dangerous code?
> 
> 5) Realistically, if a site is hosted locally, has an SSL cert, and
> has no links from any external pages, is there much risk of it being
> found and thusly hacked?
> 
> Thanks,
> -Joel
> 

-- 
Kevin Futter
Webmaster, St. Bernard's College
http://www.sbc.melb.catholic.edu.au/

#####################################################################################
This e-mail message has been scanned for Viruses and Content and cleared 
by MailMarshal
#####################################################################################

This e-mail and any attachments may be confidential. You must not disclose or use the information in this e-mail if you are not the intended recipient. If you have received this e-mail in error, please notify us immediately and delete the e-mail and all copies. The College does not guarantee that this e-mail is virus or error free.  The attached files are provided and may only be used on the basis that the user assumes all responsibility for any loss, damage or consequence resulting directly or indirectly from the use of the attached files, whether caused by the negligence of the sender or not. The content and opinions in this e-mail are not necessarily those of the College.