[FX.php List] Newbie PHP Question about direct link request to DB

Jonathan Schwartz jschwartz at exit445.com
Mon Mar 22 09:15:40 MDT 2010

Nicely said, Michael.

For the benefit of Newbies everywhere, here is 
some more background on the options:

As you have appreciated, it is a good idea to 
hide the recid, which is sequential in 
FileMaker's realm. Of course, in the case of a 
using a form, "hidden" is only skin deep. It can 
be viewed by revealing page source.   An 
unauthorized edit requires only the ability to 
count.  Not good.

Personally, I have settled on the following technique:
	1) Upon initial record creation, create a 
long random (unique) character string that serves 
to identify that record to the outside world. I 
use 20 digits, upper and lower alpha, set by a 
Custom Function.
	2) Use this string freely in either GET 
or POST methods.  Since it is very long and 
random, it can not (easily) be spoofed.
	3) Upon initial CWP access of the target 
record in question, set the recid into a Session 
variable (not viewable publicly) and use the 
recid later, or
	4) Perform 2 requests at edit time, one 
to request the recid and second to perform the 

Since I use sessions, #3 is my choice.  However, 
while it may seem cumbersome, #4 is not a bad 
choice for the right environments.

Hope that helps.


At 10:30 PM +1100 3/22/10, Head Honcho wrote:
>Hi Lars (I assume),
>The recid that you are passing as a $_GET is 
>FileMaker's internal recordID.  This is set by 
>FileMaker and can't be changed.
>So, if you're trying to obsfucate using a 
>calculation, you'll need to "unwrap" the calc 
>before passing the true recid.
>Otherwise, change your requests to $_POST's 
>which will be "hidden" from the user.
>Hope this helps, somewhat.
>Michael Ward
>Head Honcho
>CustoMike Solutions
>Member, FileMaker Business Alliance
>Member, FileMaker Technical Network
>FileMaker 7 Certified Developer
>FileMaker 8 Certified Developer
>FileMaker 9 Certified Developer
>FileMaker 10 Certified Developer
>10 Wandoo Crt
>Wheelers Hill, 3150
>ph 0414 562 501
>headhoncho at customikesolutions.com
>On 22/03/2010, at 9:53 PM, Lars Arlér wrote:
>>  Hi all and thanks in advance..
>>  Have a little problem with my http request to my DB
>>  And my objective is to blur the link, so that everybody can't figure out the
>>  next record link
>>  "http://xx.xx.xx.xx/browserecord.php?-action=browse&-recid=189"   works ok
>>  "http://xx.xx.xx.xx/browserecord.php?-action=browse&-recid_calc=189200011893
>>  59742000120001"    return false/error
>>  Both recid and recid_calc are totally identical in db field "type & option".
>>  I think that I found the problem in my script, but isn't that strong in PHP
>>  to figure this one out alone......
>>  --------------------------- ZIP ZIP ZIP ---------------------------------
>>  case "browse" :   
>>  default :         
>>   {                
>>      $recid = $cgi->get('-recid');
>>      if (!isset ($recid))
>>      $recid = 1;   
>>      $record = $fm->getRecordById($layoutName, $recid);
>>  ExitOnError($record);
>>      break;        
>>  }
>>  --------------------------- ZIP ZIP ZIP ---------------------------------
>>  1. So what does this little script do ??
>>  2. And how can I make it accept the "recid_calc" ??
>>  3. Or accept any other valid field name ??
>>  thanks in advance..
>>  ______________________________________________________
>>  Graphics-& Web design
>>  Lars Arlér        
>>  cell: +45 2814 0010
>>  La at mediadesign.dk 
>>  _______________________________________________
>>  FX.php_List mailing list
>>  FX.php_List at mail.iviking.org
>>  http://www.iviking.org/mailman/listinfo/fx.php_list
>FX.php_List mailing list
>FX.php_List at mail.iviking.org

Jonathan Schwartz
Exit 445 Group
jonathan at exit445.com

More information about the FX.php_List mailing list