[FX.php List] [OFF] Filemaker Web Security?
Joel Shapiro
jsfmp at earthlink.net
Sat Sep 6 12:55:38 MDT 2008
hmm... Can you say any more about that?
Is XML-RPC installed by default in PHP? It looks like it might need
to be installed separately.
Also, one site I looked at said the vulnerability through XML-RPC was
still SQL injection attacks... so if there's no SQL in a FM/PHP
solution, what's the risk?
-Joel
On Sep 6, 2008, at 12:04 AM, Gjermund Gusland Thorsen wrote:
> It is simple to avoid "FileMaker XML RPC injections": you make sure
> WPE and web server are on 2 different machines, and you block access to
> WPE from the outside world, but open it for the web server.
>
> ggt
>
> 2008/9/6 Dale Bengston <dbengston at tds.net>:
>> Yes. Besides the malicious use of "sql injections" and such, people copy
>> text from Word files, emails, and just about everywhere else and paste it in
>> your input fields. (This is a good thing - people shouldn't have to
>> re-type.) If they have curly quotes, or other high-ASCII stuff, and their
>> document uses a different encoding than your site, weird things can result.
>> Better to catch it and wash the data before it hits your tables.
>>
>> Dale
>>
>> On Sep 5, 2008, at 2:21 PM, Joel Shapiro wrote:
>>
>>> As to my question "Do people here do that on *all* submittable
>>> fields?...", the "that" I'd meant was filtering the fields in PHP before
>>> submission to FM, e.g. using htmlentities(), strip_tags(), etc. Do people
>>> do *that* on all submittable fields?
>>
>> _______________________________________________
>> FX.php_List mailing list
>> FX.php_List at mail.iviking.org
>> http://www.iviking.org/mailman/listinfo/fx.php_list
>>
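Since the thread leaves the "wash the data" step abstract, here is an added example (mine, not code from the list or from FX.php) of a PHP filter applied to every allowed field before the values go to FileMaker: it normalises encoding and curly quotes, strips control characters and tags, caps length, and drops any field the form did not offer. The field names and the sample input are constructed.

```php
<?php
// Added example, not from the list thread nor from FX.php itself: one function
// that "washes" every submitted field before it is handed to FX.php/FileMaker.
// The field names and the sample POST data are constructed for illustration.

// Fields this form may submit; anything else is dropped, never forwarded to the WPE.
$allowedFields = ['first_name', 'last_name', 'notes'];

// Smart punctuation (as pasted from Word or mail clients) mapped to plain ASCII,
// so a document in another encoding does not leave odd bytes in your tables.
$smartPunctuation = [
    "\xE2\x80\x98" => "'", "\xE2\x80\x99" => "'",   // single curly quotes
    "\xE2\x80\x9C" => '"', "\xE2\x80\x9D" => '"',   // double curly quotes
    "\xE2\x80\x93" => '-', "\xE2\x80\x94" => '-',   // en dash, em dash
    "\xE2\x80\xA6" => '...',                         // ellipsis
];

function washField(string $value, array $smartPunctuation, int $maxLen = 2000): string
{
    // 1. Require valid UTF-8; if the paste is not, assume Windows-1252 and convert.
    if (!mb_check_encoding($value, 'UTF-8')) {
        $value = mb_convert_encoding($value, 'UTF-8', 'Windows-1252');
    }
    // 2. Normalise curly quotes, dashes and ellipses to ASCII.
    $value = strtr($value, $smartPunctuation);
    // 3. Strip control characters (keeping tab/CR/LF), then markup and outer whitespace.
    $value = preg_replace('/[^\P{C}\t\r\n]+/u', '', $value);
    $value = trim(strip_tags($value));
    // 4. Cap the length so a runaway paste cannot bloat the record.
    return mb_substr($value, 0, $maxLen, 'UTF-8');
}

function washSubmission(array $post, array $allowedFields, array $smartPunctuation): array
{
    $clean = [];
    foreach ($allowedFields as $name) {
        $clean[$name] = washField((string) ($post[$name] ?? ''), $smartPunctuation);
    }
    return $clean;  // hand these values, not raw $_POST, to your FX.php query
}

// Constructed sample: curly quotes, an em dash, a <b> tag, a NUL byte and a
// field ("is_admin") that the form never offered.
$sample = [
    'first_name' => "\xE2\x80\x9CJoel\xE2\x80\x9D",
    'notes'      => "Pasted from Word \xE2\x80\x94 see <b>attached</b>\x00",
    'is_admin'   => '1',
];
print_r(washSubmission($sample, $allowedFields, $smartPunctuation));
```

Escaping for display (htmlspecialchars()) belongs in the page that renders a value, not in what is stored, so the data in FileMaker stays usable from other clients. Keep FileMaker's own field validation as well, since this filter only covers what arrives through this one form.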