A Conversation About '2 Factor Authentication'

By Josh Ormond

[ Edit: 3/16/2016 - With the help of some other people, we have been able to recover, or recreate, some of the original images from the original thread. ]

Security is always a big topic when it involves data, or people, or possessions. Recently, over on the FileMaker Community, there was a very beneficial discussion regarding security. Unfortunately, that discussion was the victim of a necessary action...and was deleted. It was deleted because the discussion was tied to a video that, as was determined throughout the thread, was not beneficial to the overall community of FileMaker users and developers. When that video was removed, the discussion vanished with it.

This post is specifically targeted at recompiling that discussion, because at its core it represents an important message that is necessary to convey and support. That is, creating ersatz security systems can introduce security vulnerabilities. In my experience, I have only seen 1 (one) approach that increased security while adding a 2nd factor of authentication. And it was complicated and not easily set up...and in the end, comes with its own set of drawbacks.

One of the main things I took from the below discussion ( and it's a long discussion!! ) is this: What is the point of attempting to add a layer of security that does NOT increase security?! If the approach does not INCREASE security, why would you market the approach as a security technique?! The answer to that is the reason why the video that launched the discussion was deleted.

While I had much internal debate about the best way to republish the info from this discussion, in the end I decided ( with much input from others ) that just posting the discussion in its entirety was the best thing. And in doing so, know that I have, as do those that gave their input, nothing but respect for all those involved in the discussion. So that is what follows.

One very important note: the discussion is one of learning. And I truly believe that no one involved in the discussion came out looking 'bad'. One could say, 'well yeah Josh, you didn't end up being wrong in the thread, so you don't care'. I assure you, I have been wrong in MANY discussions. In fact, I had a similar discussion with Wim Decorte in another thread several months before this one. As I researched, and tested...I learned not only was I wrong, I learned I NEEDED to change something in my development.

Without any further introduction, here is the thread:

Original Discussion Thread from Community.FileMaker.com, a Video with an interview with well-respected developer Taylor Sharpe:

=================================================================
Date: August 12, 2015 at 5:42 PM ( Date of Original Video Post )
Title: Free Video>>> Two-Factor Authentication w/ Taylor Sharp
=================================================================
November 27, 2015 at 8:20 PM by Taylor Sharpe

Thank you for your interest in this video. It is an additional tool to the suite of FileMaker Security tools to help improve security. This video shows you how to enhance an already implemented security plan to make it even better by adding hardware verification. This tool has minimal impact on staff and uses tools currently available in FileMaker 14. This video shows how to use hardware verification as the 2nd factor authentication similar to how Google and Apple currently implement it. This tool makes use of the current security standard of verifying hardware with Persistent ID as well as FileMaker tools including a start up script and email or text messaging notifications.

Additional advice: In conjunction with two factor authentication, you should make sure you already are following the FileMaker security guidelines. Security is one of the cornerstones of a good solution and you should make use of least privileges necessary for users, appropriate password guidelines, consideration of external authentication services such as Active Directory and Open Directory, client-server SSL encryption with 3rd party authentication, Encryption at Rest, backups (yes, that too is a part of security), and physical security.

Caution: This 2nd factor authentication is only designed to work in conjunction with the other FileMaker security tools to enhance security and you should not rely solely on this as a single factor of authentication because it is only a hardware verification. Security is a constantly changing field. If you follow FileMaker's Security Guidelines, you will have a robust and secure server. Additional security tools like this should be considered, as well as documentation of security controls in a security plan. There are additional tools available such as token passing, plugins with higher level encryption, biometrics, etc., that go beyond what is included with FileMaker that may have merit. At a minimum, you should evaluate your server's security with some type of review or audit on an annual basis. I wish you all the best and encourage you to make sure an appropriate amount of time is allocated to security when you are developing your solutions.

DEMO FILE: Can be found at <sample file> ( link removed ). It is UU encoded, but ready to go with full access for Admin user account and no password. Feel free to make use of the sample file to copy scripts or layouts as you may need. Appropriate credit would be appreciated. Thanks.

=================================================================
November 28, 2015 at 7:50 AM by Wim Decorte

To be very clear: it is NOT true 2-factor authentication since it relies on the user already being authenticated and allowed into the solution before the 2nd factor comes into play...

=================================================================
November 28, 2015 at 2:16 PM by Taylor Sharpe

It might be a bit of splitting hairs, but not inaccurate. You are in FileMaker in-so-much as you are logged in and being processed by a start up script for further validation. But a regular user can't escape the script. The way to meet Wim's definition of Two Factor authentication is to have some other program perform that two factor authentication prior to FileMaker's credentials or FileMaker add this security feature and it reside outside of FileMaker scripting and before getting logged in (boy that would be nice, FileMaker, Inc.!). The assumption I was working with is that people are limited to FileMaker tools and you cannot avail yourself of those tools without being inside of a FileMaker solution to run the 2nd factor script. This means things like turning auto abort off. And it is a security improvement over single factor authentication, but it is not invulnerable. For example, someone with Full Access will be able to enable the script debugger and this is a reason to be very limited on who has Full Access and make sure those passwords are strong. Tim Dietrich's FM Authenticator and others have done similar Two Factor authentications with FileMaker, but they all use a startup script like this one and are therefore subject to the vulnerability Wim points out. Just keep in mind that this can be an improvement to security assuming you have fully implemented the FileMaker security guidelines already and this is an ADDITIONAL tool, not an exclusive one. For example, it would be a bad idea to use this 2nd Factor authentication and tell people that they only have to use User ID's, but no passwords. Thank you for the comment Wim. It is good that we all understand how security works and where its weak points are.

=================================================================
November 28, 2015 at 6:28 PM by Wim Decorte

I don't think it is splitting hairs; it's about calling things what they are. We certainly don't want people going around saying that FM does support 2FA when it does not. I'd hate to be part of a security audit where someone proclaimed that FM does 2FA based on this or a similar approach... As to the level of security: while a user can not escape out of a script by simply pressing ESC, there are ways to stop scripts, so relying on a scripted security system does not usually enhance security but rather introduces potential vulnerabilities.

=================================================================
November 29, 2015 at 2:47 AM by Taylor Sharpe

<Post deleted by Taylor Sharpe>

=================================================================
November 29, 2015 at 7:38 AM by Wim Decorte

Very disappointed in this reaction. Since when is a difference in opinion "inappropriate and unprofessional"? And I do not appreciate the insinuation that I am not a professional or worthy of working for Soliant Consulting; nowhere in my replies did I ever attack your integrity or the company you work for. If 2FA is a requirement then I would suggest using technologies that do have full & native 2FA: like logging into the OS through 2FA and then use EA for access to the FM application. I do withdraw from this conversation, not because I'm being told to by you, but because once a respectful debate over differing opinions is not welcome, then I do have nothing further to contribute.

=================================================================
November 29, 2015 at 7:12 PM by Josh Ormond

I am very surprised at this response, having seen the response before it was deleted. The problem that Wim is pointing out is a real issue. We can call something 2FA, but if the person is IN the file after the first factor, for compliance reasons and technical reasons, it really is not 2 Factor Authentication. Because the 1st factor allowed them in, and you can't from there stop them from accessing the file. Simply put, one can easily stop the script from running and add their device as an approved device and access everything in the file. I don't see how that is increasing the security of the file. It only gives a false sense of security. Which leads to larger problems. This file, having never seen it before, took me no more than 15 secs to authorize myself to access the file from any device I want, using nothing more than the tools provided in the file. I only need one factor to get in now...anytime I login. If one were to promote their solution as a compliant solution using 2FA, they could be opening themselves to hefty fines. As Wim said, if 2FA is required, you need something that prevents you from getting into the file with 2 factors. Though I do like Tony White's response to this discussion in another place: Maybe we should call it "1+1 Factor Authentication".

=================================================================
November 29, 2015 at 7:58 PM by Tony White

Thanks Joshua Ormond for the shout out. Here is the twitter perma-link to the thread: https://twitter.com/tonywhitelive/status/670721676464779264

I implement security that uses the built in tools and at the same time am open minded to creative ways of adding to security...as long as they successfully address defined use cases. Know the rules and know when you can extend them... On a separate thread I proposed the idea of a security contest with a monetary prize: https://community.filemaker.com/message/517290#517290

Interesting topic. Lots of considerations to factor in when coming up with best practices.

=================================================================
November 29, 2015 at 8:22 PM by Taylor Sharpe

Joshua, I deleted my own response and not FileMaker because I was offended by Wim and the way I worded the response was not professional. My bad and apologies to Wim. I think there can still be a good discussion. Two Factor means that two methods are being used for authentication. Providing additional requirements on what makes another factor a real factor or not does not make it not another Factor even if it is not as robust as other possibilities. Wim does bring up a point about why it is not as robust as other 2nd factor authentication implementations because the 2nd factor is done within the solution and not before you are in the solution. The solution I provide in the video uses the tools available from FileMaker. Within the constraints that FileMaker scripting tools provide us, it is a good security control. That is not to say going outside of FileMaker's tools or asking FileMaker to build a second factor authentication into the application would not be better, but those are not tools readily available to most of the users here. The solution provided improves security and it is a second factor of authenticating even though Wim correctly points out the 2nd factor is done within the solution. The point I am making is that implementing this 2nd factor authentication, even with its limitations, is better than not implementing it. There are a lot of OS level two factor authentication solutions including not only User ID/password, but tokens, or VPNs that would be required before you would have access to the FileMaker solution. They may be worth some discussion here too. But those are beyond what is trying to be addressed in this type of solution.

=================================================================
November 29, 2015 at 9:40 PM by Josh Ormond

I get the attempt. The concern I have with it is, it required only 1 factor for me to be in the solution and using it. If I didn't provide an email, it let me use the file anyway. Without ever requiring factor 2. In Tim's solution for what he also called 2FA, at least the user was left in a low-level account. But even with that, I could edit and hack the file to pieces. Simply because I could get in. Authentication itself is the process of deciding if someone has authorization for access. Two factor authentication is at its core really supposed to happen before the person gets in the file. FileMaker doesn't provide a second access control for logging in. Though I do wish they did. It should be a feature request. For reasons exactly like this, the data is at risk once the person is in the file. Even worse, for something that is script driven, I can stop the script from running and there is no trace that I even logged into the file. I'm not here to add fuel to an argument. Simply to voice a warning that for even a fairly new user, the approach can be easily circumvented...and when it comes to compliance, users/owners/database admins need to know that. I would hate to see someone get hit with fines because they assumed an add-on security method was "safe". For compliance, there are other ways to secure the file and the data. Security 'add-ons' typically don't add any security. Just another layer of steps to get in. I say this simply because I have seen too many solutions that owners thought were 'safe'...to which I was in reading their sensitive data while they were still explaining how to login the 'right way'. And I'm glad to hear why you deleted the post. Both yourself and Wim are worthy of greater respect.

=================================================================
November 29, 2015 at 11:00 PM by Taylor Sharpe

Josh... I gave you a file with Admin and no password. This is a completely OPEN Admin with Full Access and no password. Of course you got in. You would not have gotten in with one where it automatically logged you in with Admin and Full Access. So you would not have gotten past the first factor, let alone the 2nd. This database was left open as a development tool. Hacking it is as simple as opening it up because it defaults to the Admin with no password. You did not hack into it and your comments to this effect are not helpful to people reading this discussion. It implies you have some ability to defeat this solution when properly implemented and you have not provided any information to show that you have those skills, making me doubt that you can. But I will be glad to provide you a hosted solution properly implemented and be glad to give you a shot at it.

OK, that aside, Tim's solution did get you in with a low level User Account instead of whatever account you are in. The reason I went the way I did was because this is supposed to make things easy on staff instead of dealing with multiple logins and multiple passwords. The goal was to improve security while making it easier on the staff. This solution adds significant security with very minimal impact on staff. No it is not a perfect solution, and no control in a database ever is and you should have many controls in a secure system. Most security plans identify hundreds of controls in every solution. You have to have multiple layers of control from least privileges to encryption. This 2nd Factor is NOT a sole security tool. It is used to enhance security with minimal impact and be easy to implement with the tools FileMaker provides. This control as a 2nd Factor authentication is not perfect and is designed to work in coordination with other security controls. If you know about security plans, you know that most controls have some weaknesses. But you do not dismiss a control that is generally effective because where one control may not stop an intruder, another one will and it is the combined effectiveness of controls that makes the security. Removal of an imperfect control can weaken a security plan and removal of controls has to evaluate whether their imperfection is beneficial compared to not being there at all. I still stand behind this being a simple solution that enhances security with minimal effort and using tools already provided by FileMaker. I challenge that those of you dismissing such a simple control that benefits security are lacking in good security judgement unless you are providing some improved alternative.

=================================================================
November 29, 2015 at 11:19 PM by Josh Ormond

I am not dismissing it completely. If some choose to use it, that is part of their own risk assessment. I do challenge the name. Primarily because I can prevent the 2nd factor from ever firing, very very easily. I am aware of how you set up the file, and its intent. I will assure you my test was thorough. I have tested several of these types of security measures. In some cases businesses decided to continue to use it. It was simply a user "trust" mechanism. In the meantime, we secured the file by other means. Some left it as is. Some abandoned it completely. That would be the owner's decision to make. I will also step out of the conversation. I think there is just a core difference in the thought about what increasing security means. Which is at the heart of the matter. I hope for the best for you.

=================================================================
November 30, 2015 at 8:50 AM by Wim Decorte

Taylor Sharpe wrote: "I challenge that those of you dismissing such a simple control that benefits security are lacking in good security judgement unless you are providing some improved alternative."

An improved alternative was already mentioned earlier: do the multi-factor authentication upstream from FileMaker. These security implementations are never done in a vacuum and all angles should be considered, not just how the behaviour can be mimicked in FM. The first thing to be open about with the customer is that FM does not do native multi-form authentication. So the alternatives are:

- discuss with the client how 2FA can be done before the solution gets launched and how it can be combined with things like External Authentication for the FM solution. This keeps all authentication strictly at the FM security level and does not add any vulnerabilities.
- discuss the security risks of the FM scripted approaches to mimic 2FA and if those are acceptable given the risk appetite of the client and the compliance requirements.

If neither are acceptable to the client then FM is probably not the right platform for the solution.

=================================================================
November 30, 2015 at 9:38 AM by Taylor Sharpe

Josh, I don't think really do understand. But I am more than willing to eat crow if I have misspoken and certainly willing to learn. So I have hosted the file on my development server at <link removed>. Please let me know when you are able to get in and how you did it.

Thank you, Wim. I concur with you that an "upstream" approach can be a good one to implement two factor authentication. And most everyone has some type of upstream security even if it is as basic as a User ID and password to get into a computer, but many companies do a lot more such as some form of 2 factor authentication, VPN connection, tokens, etc. I also agree with you Wim, that FM does not have native multi-form authentication at the application level. But that is something us developers can't control, and something I would encourage FileMaker Inc. to consider in future versions. It would be a nice security improvement tool. However, within the tool set available to FM development, the 2 Factor authentication described above works and improves security, and will have a smaller hurdle to implement than most of the suggestions you have made. My goal was to keep things simple with the tools available inside of FM to improve security, and I have met that challenge within those criteria.

=================================================================
November 30, 2015 at 9:41 AM by David Zachary

I've been watching this thread with interest and a degree of amusement. My post may not have any substantive benefit to the thread, but it makes me feel good. It reminds me of when Bill Clinton was going through his impeachment hearings. During an interview he was asked "was it sex?" and straight faced he replied "it all depends on what your definition of 'is' is". This thread has gotten to that point - what is the definition of 2FA? Clearly there are different opinions. Having both parts of a 2FA system inside of a FileMaker solution, while technically 2 factors, is like having an alarm system on your house to complement the door lock. You feel secure but somebody fast enough with enough skill can still break in and grab something valuable quickly. You've got 2 security measures but still got robbed. The better solution is to have an electrified fence and a moat around your house - everything of value is protected by measures not directly connected to the house. FileMaker security should be the final line of defense, not the first and not the only. Calling a system that has both factors inside of the target database as supporting 2FA is dodgy unless all parties are using the same definition of what 2FA is - while you say it's 2FA, any client that has to follow government or corporate-defined 2FA specifications will likely disagree. I'm not going to repeat what others have said (too much), but FileMaker does not natively support a 2FA system. You have to do it elsewhere. If your data requires that level of security, you need to look at supplementing the security infrastructure outside of FileMaker, long before an intruder gets to the FileMaker-level. Thankfully Stephen Blackwell isn't on here much anymore. He would have probably had a stroke by now. His views on custom-developed security methods are well documented. Back to watching from the sidelines.

=================================================================
November 30, 2015 at 10:09 AM by Josh Ormond

I understand both the intent of what you are arguing for, and have in the past felt the same way. However, I think you misunderstand me. FileMaker's own built-in security is in itself the strongest security you can get with FileMaker. By turning on EAR, securing the physical server, setting up proper privilege sets and users, and limiting the ability to edit/create/delete privilege sets, and by using Extended Privileges, and in many cases using EA...you are secure and safe with your data. With that, without the user name and password, one can NOT get into a hosted file remotely. That is one of the great parts of FM security. And you know that part as well. What I am saying...the average user can stop your second factor, very easily...so it does not enhance the security. I have seen so many poorly implemented security add-ons in FM. Because the developer or user was trying to imitate another security functionality. It looked like they were enforcing 2FA...but in reality not even one of the users actually ever completed the 2nd factor. In essence, it feels like putting a second deadbolt on your door, but putting the lock handle ( normally inside ) on the OUTSIDE. It doesn't do anything, other than give some more strength to the door...so someone would have a more difficult time kicking in the door. But if someone already has the key for the other deadbolt...they simply spin the lock handle and walk in. Zero added security. In this case I need to do nothing other than stop the script from running. So with a log in, I can log in from ANY device. Not to mention there are serious problems with Get ( PersistentID ) on Windows, so it's simply not reliable.

=================================================================
November 30, 2015 at 10:19 AM by Taylor Sharpe

OK, Josh, this moves us forward some and thanks for the comments. How about this, what if I put a non-Full Access User account in that File. Are you able to defeat the 2nd factor? For example, I just added a "Josh" account with no password and it is set for the privilege set "Data Entry Only", but has no authorized devices. Also, I'm interested in learning more about the problems with Get ( PersistentID ) on Windows.

=================================================================
November 30, 2015 at 10:32 AM by David Jondreau

"without the user name and password, one can NOT get into a hosted file remotely."

That is the whole point of 2FA. You can put all the locks on the doors you want, but if your user leaves the key under the mat, your file is compromised. 2FA is not some miracle security feature. It simply is a philosophy that to improve security, users should have 2 of 3 different things: something they know (username/pass); something they have (a specific cell phone); and/or something they are (a fingerprint). Yes, the line between some of these categories is blurry, but the point isn't to get involved in a semantic debate of whether a fingerprint is something you are or something you have. The point is to improve security. I have not watched Taylor's video (I hate watching videos). But I have looked at the sample file, which in my opinion, doesn't do a great job at improving security since the only user account is full access. But it's a sample, for developers to look at, so it's not a real world scenario. And maybe there's more in the video. Regardless, the point is the file already requires a username and password. Taylor is *already* doing the minimum of requiring one factor (something you know). He is adding on an additional "factor" of a device. Is the implementation effective? I'm not sure, but I certainly don't see where the criticism of the underlying principle is coming from.

=================================================================
November 30, 2015 at 10:46 AM by Josh Ormond

6 Months ago, I would have written the same thing you did. However, having seen a similar 2FA system implemented and relied on in a medical environment, unless there is something else involved it does not meet some of the compliance standards. Penalty fees are typically based on the number of records. I have seen customers get fees into the $10s of thousands of dollars as a result. That is the primary reason for the strong reaction. If a customer wants to use it, that's up to them. I'm not opposed to it, as long as the purpose is to simply increase security. The reference to leaving the key out is a user thing. I am referencing the developer actions. The user behavior is a separate issue from file security.

=================================================================
November 30, 2015 at 10:49 AM by Josh Ormond

With the current setup, the data-entry account can't even fire the startup script. So even with an authorized device, one could not get in.

=================================================================
November 30, 2015 at 11:01 AM by Taylor Sharpe

Oh, you are right, Josh. I didn't give the Data Entry fmapp extended privilege set. I have fixed that now.

=================================================================
November 30, 2015 at 11:18 AM by Richard Carlton

Very interesting. Taylor, ideally you wouldn't spray the table of secure data on screen... but I guess that makes the hack that much more interesting. LOL! I guess we have Taylor's 2nd authentication. So the challenge now is to stop the script and get access to the file... or otherwise spoof it with Taylor's info. Josh, if you know how to hack this... that would be alternately cool... and also scary to see. It's not immediately obvious to me how to stop the script engine. I am genuinely curious how you do this. I think for the point of the exercise... we should assume EAR is enabled... and so reading network traffic with a packet analyser won't work. - RC

=================================================================
November 30, 2015 at 11:29 AM by Taylor Sharpe

Richard, yes, I didn't mean to mess that up for Josh, but it is fixed now so the Josh account can get in and I did it to confirm it works. And, yes, EAR has been done, SSL 3rd party encryption is on, and using FileMaker Security (not AD/OD). Running on FMS 14.0.4 on a Mac OS X 10.11.1 Mac Pro Black Cylinder.

=================================================================
November 30, 2015 at 11:41 AM by Richard Carlton

Ok... well... let's make it fun. I'll put up $200 for anyone who can hack the file and get into it in a meaningful way. Read only access would be good enough... to be able to read another layout with data on it. To Win, you must be able to do a screen share to demonstrate how you hacked the file... and I get to interview the winner. Then you get the $200 USD. - RC

=================================================================
November 30, 2015 at 12:40 PM by Josh Ormond

Dangerous. You are going to owe me $200. Note, not only did I get in, I authorized myself for future log-ins, and altered other data. And if I wanted to be nasty, I can lock everyone out by hosing the PersistentID. Did you want to see the Device Access also?

=================================================================
November 30, 2015 at 12:43 PM by Josh Ormond

Here are the approved devices also. Note in both of these screen shots, the Persistent ID isn't even the one from my machine...it still lets me in.

=================================================================
November 30, 2015 at 12:53 PM by Wim Decorte

Ha, you beat me by about 10 minutes. In case someone wants the data in excel... Information copy.xlsx

=================================================================
November 30, 2015 at 1:31 PM by Taylor Sharpe

OK, good job Josh and Wim, in breaking the 2nd factor. I guess this means you got around the Allow User Abort Off, which I am not sure how that is done. Would you like to share with us how you did that step? I just want to learn more about this and kudos to both of you. Let's just make this a learning thing. Thanks.

=================================================================
November 30, 2015 at 1:41 PM by Wim Decorte

Working on that. But at the risk of sounding unduly snotty: this kind of info needs to be part of a bigger message that is being worked on; so "not yet". For now the focus point is on not trying to roll your own security using tables and scripts. Stick with the native FM features. Your first factor works like it should.

=================================================================
November 30, 2015 at 1:43 PM by Richard Carlton

Hi Josh, I wouldn't say $200 if I didn't mean it. LOL. Hell, I frequently give cash away at presentations to make sure people are not sleeping. :-) Please arrange to call me to discuss. - RC

=================================================================
November 30, 2015 at 1:46 PM by Josh Ormond

Will you be at DevCon next year? Maybe we can show you in person. Definitely not something I would post in a public forum. The main thing is that anything you allow me to do in the privilege set is the only thing that determines what I can and can not do. Scripts do not prevent anything. Obscurity does not prevent anything.

=================================================================
November 30, 2015 at 1:48 PM by Taylor Sharpe

wimdecorte wrote: "Working on that. But at the risk of sounding unduly snotty: this kind of info needs to be part of bigger message that is being worked on; so 'not yet'."

Take your time... I just want to learn and make sure others are learning too. Your input is appreciated.

=================================================================
November 30, 2015 at 1:50 PM by Richard Carlton

Frankly...this is an excellent conversation. I like it... as it allows for valuable knowledge sharing. Just telling people "don't do it"... isn't always the best way. - RC

=================================================================
November 30, 2015 at 2:03 PM by Josh Ormond

This is a good, brief read. And also has a link to Stephen Blackwell's info on the FMPug site. http://fmforums.com/blogs/entry/830-an-exploit-based-approach-to-providing-filemaker-platform-security/

=================================================================
November 30, 2015 at 2:04 PM by Wim Decorte

Richard Carlton wrote: "Just telling people 'don't do it'... isn't always the best way."

Yep. The "why" has been covered many many times however. Steven Blackwell has talked about this at many devcons for instance.

=================================================================
November 30, 2015 at 2:18 PM by Taylor Sharpe

Yes, what was stumping me was I understood how Wim got in looking at tables. I didn't understand how Josh saw the actual layouts since he posted a picture of it. Anyway, I've changed the Security "File Access" to require full access privileges to use references to this file. So that would fix that vulnerability and it is a good point to remind people about before moving a database into production. And Wim reminds us that Mr. Blackwell shows us this technique at Devcon and he did this past summer too. It does make you wonder if that should start to become a default setting on new files.

=================================================================
November 30, 2015 at 2:19 PM by Taylor Sharpe

Oh, when I reposted it with the fix, I removed Josh and created Wim with no password.

=================================================================
November 30, 2015 at 2:25 PM by Richard Carlton

Yah...that security setting needs to be more prominent. I remember people doing this in the FM 5 and 6 days.

=================================================================
November 30, 2015 at 2:43 PM by Richard Carlton

Cash Payment Made $200 to Josh!!! I always make good on our contests.

=================================================================
November 30, 2015 at 3:33 PM by Wim Decorte

Richard Carlton wrote: "Yah...that security setting needs to be more prominent. I remember people doing this in the FM 5 and 6 days."

Agreed. The whole security interface needs to become more intuitive and complete. Note that closing this particular hole does not make the scripted 2nd factor safe though. I'm traveling this week so I won't have to play with this anymore until the end of the week.

=================================================================
November 30, 2015 at 3:45 PM by David Jondreau

I can think of at least 3 ways in. I'm not sure what Josh and Wim have been up to, but one was File Access. The second I'm still playing around with and it may be similar to Josh. The third is a much bigger deal.

=================================================================
November 30, 2015 at 5:48 PM by Richard Carlton

Yeah... the File Access Trust features should have been enabled. That's low hanging fruit. The rest of these are more interesting. - RC

=================================================================
November 30, 2015 at 6:15 PM by Matt Petrowsky

What I've got to say is tangential to the immediate topic, but I've been wanting to say it for a while. I've been stewing on this whole "ersatz" security thing for quite a while. While I will fully agree with advising the general developer population about not creating their own login system, there are times and places where it's warranted. In particular, if you are wanting to use FileMaker as a development tool for end-user solutions where you really don't want to deal with FileMaker's account limitations. To that end, I'm posting a PDF I just created about the security model I use on systems where I DO create my own ersatz login system. Poke holes in it and tell me where you think it might fail. I think it's pretty robust - since it simply emulates the whole login system of most modern software. Please review and send feedback. I can start another thread, but I see that the people who are here now will see this and provide me with feedback. The biggest argument I have against the "FileMaker security only" proponents is that just because you can get into a FileMaker file does not mean you can do whatever you want within the file - especially, if you know how to limit the risk exposure.
I make the analogy that if I can go to your web site and see some stuff then it's no different than opening a FileMaker file and being able to see some stuff. Moving from one level of access to another always boils down to one line of code somewhere. I look at FileMaker the same way. I can let you into my file, but I won't let you do or see anything I don't want you to. Check out the attached PDF and tell me what you think. https://dl.dropboxusercontent.com/u/1211710/Secure%20FileMaker%20Login%202015-11-30.pdf ================================================================= November 30, 2015 at 6:46 PM by Taylor Sharpe Good read, Matt. I've just been through it once and it seems very thorough. I'll have to chew on it a bit to see if I can think of other things. While sticking with FileMaker security is the safest and easiest, I know there are some times when we need something different. While this seems very foreign to FM, it actually is rather common in SQL engines to have stored User ID's and hashed passwords and maintain privilege sets, etc. One real benefit of FileMaker is how strong and simple their built in security is integrated into a solution and how much harder it is to do in other systems where security isn't built in. Thanks for the PDF, Matt, and I'll be doing some more reading on it. ================================================================= November 30, 2015 at 8:46 PM by Josh Ormond Lots of good stuff there Matt. There are probably a few ( very few ) developers in the community that I think could execute something that is very secure. But I have only ever seen 1 such system as of yet, and it was way outside of normal thought. And unfortunately, from a developer that is not longer active anywhere and their email is defunct. When I had seen the file 6 years ago or so, I was too much of a newbie to know exactly what I was looking at. 
The issue, even for the best of developers, that I see is...in 6 months, you have changed your approach for things slightly. It requires a complete rework ( or reminder ) of your security settings to ensure you don't open a hole. With any restriction that is imposed via script, it can be completely circumvented and data viewed/stored outside of the database. It's clearly something that is on the mind of any developer of any platform. But all one needs is the privilege set to allow the user to view data. I definitely see a great need for a more robust security scheme. I would like to see native 2FA in FileMaker. That is at the top of my list. Outside of that, FM security and Extended Privileges, and External Authentication have served me for almost everything I've needed. ================================================================= November 30, 2015 at 9:57 PM by Wim Decorte Matt Petrowsky wrote: “The biggest argument I have against the "FileMaker security only" proponents is that just because you can get into a FileMaker file does not mean you can do whatever you want within the file - especially, if you know how to limit the risk exposure.” Hi Matt, In that "knowing" lies the conundrum, right? To loosely quote Mark Twain: "It is not what you don't know that hurts you, it is what you know that isn't so". I think the overall discussion would be much easier if more people acknowledge that scripting your own security solution introduces more risk potential, not less. Risk can be mitigated but it relies on a very solid understanding of the behaviour of FM on all levels, not just the security level. Every new and changed FM feature behaviour bears the risk of blasting a hole in the ersatz model. That acknowledgment is what I do not find enough in these discussions. There is a long-standing myth that pretty much any ersatz security model is just as secure or even more secure than the native security features. And that is simply not so. As this thread has proven. 
I am on the road right now so I have not had a chance to review your document. Will do so and then return to this thread. ================================================================= November 30, 2015 at 11:04 PM by David Jondreau I have some warnings to give, but am not going to post publicly. I'm trying to send a private message, but it's not going through. I'll try again after posting this... Taylor, you've made some changes to the server since this afternoon. That's the first step. To answer the original challenge: The easiest answer is simply to use ExecuteSQL() in the data viewer. Using one statement to grab the table schema, and another to grab all the values. Even with the custom dialog, the data will show up on hover. https://community.filemaker.com/servlet/JiveServlet/downloadImage/105-9612- 19278/Screen+Shot+2015-11-30+at+1.51.48+PM.png <image lost> ================================================================= November 30, 2015 at 11:59 PM by Matt Petrowsky Wim Decorte said: “if more people acknowledge that scripting your own security solution introduces more risk potential, not less. Risk can be mitigated but it relies on a very solid understanding of the behaviour of FM on all levels, not just the security level. Every new and changed FM feature behaviour bears the risk of blasting a hole in the ersatz model.” Exactly my point in providing the information I did in the PDF link. I look forward to your feedback on it! ================================================================= December 1, 2015 at 12:23 AM by Taylor Sharpe David Jondreau wrote: “Taylor, you've made some changes to the server since this afternoon. That's the first step.” To answer the original challenge: The easiest answer is simply to use ExecuteSQL() in the data viewer. Using one statement to grab the table schema, and another to grab all the values. Even with the custom dialog, the data will show up on hover. 
https://community.filemaker.com/servlet/JiveServlet/downloadImage/105-9602- 19267/Screen+Shot+2015-11-30+at+1.51.48+PM.png <image lost> The only change I made was with the easy way you can use a TO in another solution to see data in the original solution if you have the same User ID/password and that had already been provided. So all we did was change the File Access security so you can't add a table from another solution without Full Access. David... good example of how ExecuteSQL can be used to view things in the data viewer and it does give you access to schema. That lets you read data, but doesn't let you change it and not sure how this would be used to stop the Persistent ID verification. But clearly that is something that in the security world you don't want done. I guess this is why Tim Dietrich's system had an intermediary user ID log in for the Persistent ID verification and that User ID had very limited table access and only to verify the Persistent ID and connect with a User and their Email. You would be in the solution as Wim notes, but not at your normal User ID access level. And upon verification, have a re-login with your normal User credentials. And that would be a better solution. Thanks for the thoughtful input. ================================================================= December 1, 2015 at 1:03 AM by David Jondreau Hmmm...You've made other changes to your server. Not to that file per se...but I'll save that for a private message. Point is I can see all the data that user has access to. I can't change it. But I can easily view any data. And that took less than a minute. There are other points about how to change data that I'll put in a private message as well. ================================================================= December 1, 2015 at 2:51 AM by David Jondreau And here's my entry... 
================================================================= December 1, 2015 at 9:06 AM by Taylor Sharpe Impressive David to see the Persistent ID script hack. I'm more interested in this hack than the File Access one since I already knew about it. But you got through with File Access turned off. Kudos. ================================================================= December 1, 2015 at 9:12 AM by Josh Ormond Any time the privilege set allows the user to be able to edit the data, any of the external APIs will allow the user to edit the data. Even with this item fixed, the user can still view the data and extract it. The strongest security in FM is FM's own privilege sets. As the conversation with Matt and Wim brings out, there are ways to MOSTLY secure the file. However, one needs to be aware of the risk and then decided through a risk assessment if it's worth it to take on that risk by using an ersatz model. It's difficult to claim that an ersatz model "increases" security. Because there are too many variables in a solution to claim that. If it's a workflow you want to include, that's one thing. Touting it as a security model, well, that makes me uneasy. ================================================================= December 1, 2015 at 5:26 PM by Taylor Sharpe +1 Josh ================================================================= December 4, 2015 at 12:18 AM by Josh Ormond I read a very funny post today. Truth, but funny. http://fmforums.com/topic/98626-password-to-continue-script/#comment-448504 Here is the part of the post that touched me funny. Kris M wrote: “Implementing a security feature using scripts and stored credentials is problematic. Its like whack-a-mole to cover all the potential threat vectors.”
  • Steven H. Blackwell

    Hacking Your Own FileMaker Platform Solutions

    By Steven H. Blackwell

    Should FileMaker Platform developers mount hacking attacks on their own solutions? At first glance, this may seem an odd question. But I believe that the answer is “Yes, we should.”

    Consider this. As developers we see our solutions from a totally different perspective than Threat Agents see them. Without practicing our own hacking skills, we can become blind to the vulnerabilities a Threat Agent can exploit to compromise the Confidentiality, Integrity, Availability, and Resilience (CIAR) of our deployed solutions. I have previously observed that we need to “Think as the Attacker thinks, not as the Developer thinks.” It will be the strength of the Defender, much more so than the strength of the Attacker, that determines the outcome of a breach of any of our systems.

    What are some of the vulnerabilities a Threat Agent (i.e. an Attacker) might exploit to compromise our systems? What have we done to close those vulnerabilities and to mitigate the severity of impact of CIAR compromises when a breach occurs? There are a number of attack vectors to consider:

    If the File Access Protection option is off, then an attacker with even lower-level privileges in the targeted file may be able to print, export, view, edit, and otherwise manipulate data in the hosted solution totally outside many of the constraints that the developer has utilized. The attacker may also be able to run scripts in the file, even if they are not attached to User Interface elements or present in the Scripts menu. The attacker may also be able to navigate to layouts in an unexpected and unauthorized fashion. And the Attacker can extract a significant amount of metadata from the file.

    Are the files open to access by other, rogue FileMaker Pro files? The File Access Protection feature found in the Manage Security area of the file is designed to inhibit this behavior. But the developer must explicitly invoke that option. When it is in force, an Attacker must know a [Full Access] level password in order to define External Data Source references to our file.

    What about the External APIs that work in the FileMaker Platform? Have you, as the developer, considered how these might provide unauthorized and unexpected access to your files? Some of these can be disabled via the Privilege Set bits. Examples of these include XML, PHP, ODBC, and JDBC. A Threat Agent could manipulate these and others to gain access to data and to view or to change them. An Attacker could also possibly use these to trigger scripts in an unexpected fashion.

    Other APIs are harder to control, and an attacker can use them to gain access to data, to gain access to metadata, to trigger scripts, and to manipulate the User Interface and traverse among various layouts. These, to varying degrees, include Apple Events, ActiveX, FMPURL, and ExecuteSQL. Developers can control much of this behavior through the use of very finely-grained Privilege Sets. And here is where the self-hacking aspect can play a particularly important role. Try attacking your own files so you can spot the vulnerabilities a Threat Agent could employ using these APIs. I will have more to say about APIs in a future FileMaker Security BLOG post.

    If a Threat Agent can gain access to a physical copy of your file, then the Agent can mount additional attacks against it. Have you tested for this? Use of Encryption At Rest (EAR) and removal of the [Full Access] Privilege Set and Accounts with the Developer Tool can help mitigate these types of attacks. EAR is particularly effective, since even lower-level access can furnish multiple opportunities for compromise of CIAR.

    How easy is it for a Threat Agent to discover your FileMaker Server? In many instances, organizations need to make their servers available for access via the public Internet. The presumption should be that an Attacker can discover all such servers. Sometimes this is as easy and as direct as entering the organization’s domain name into the hosts directory of Open Remote. For example, www.somebody.com will frequently resolve to the public IP address of the server. If administrators have not enabled File Access Filtering, then FileMaker Pro will display a list of available files. If, in turn, a Threat Agent can access any of these, mischief can ensue.

    Alternatively, through a process known as “Google-Dorking” attackers may discover enough information about a server to be able to attempt access. So, the question is whether you, as the developer or administrator, have investigated how easy it might be to locate your server in any of these ways. It may be necessary to require authentication to access the Local Area Network by use of some process such as a VPN or two-factor authentication to protect these servers from outside access.

    Finally, be sure that you and the FileMaker Server Administrator have implemented a vigorous and robust backup regimen for your FileMaker Platform deployment. Test that you can fully restore your system from these backups; otherwise, they are not worth much at all. Given the rise and increasing frequency of ransomware attacks, this is particularly important. Speaking recently about the MedStar Hospital ransomware attack (http://wtop.com/local/2016/03/medstar-paralyzed-as-hackers-take-aim-at-another-us-hospital/) one of the Editors of the SANS Bulletin (a well-known information security newsletter) noted:

    These types of activities have also prompted warnings by the US and Canadian governments about ransomware and the need to maintain continuity of business operations in light of the threats such attacks pose. (http://www.computerweekly.com/news/450280335/US-and-Canada-issue-joint-alert-on-ransomware)

    So, Yes, do hack your own FileMaker Platform deployments.

    Steven H. Blackwell

Our community blogs

  1. Security Vulnerabilities of FileMaker Platform API’s:  An Update

     January 9th 2017

    In an April 2016 entry on this BLOG titled The FileMaker Platform API’s Are Your Friends, Right? [http://fmforums.com/blogs/entry/1535-the-filemaker-platform-api’s-are-your-friends-right/] I discussed a number of FileMaker Platform security issues centered on the uncontrolled use of a number of external Application Program Interfaces (APIs). There are at least nine of these APIs, possibly more if ExecuteSQL is included. The central thesis of that article was that these APIs provide unexpected attack vectors to compromise FileMaker Platform files. As noted at the time:

    Many FileMaker developers are not aware, however, that these APIs have the capability to access customer or client solutions in unexpected ways and to extract or insert data, to manipulate business processes developers embedded into these solutions, and to compromise the integrity of these solutions.

    Unfortunately, in the intervening nine-month time span, we continue to see cases where several of these APIs have been used for malicious purposes to compromise FileMaker Platform files’ business process integrity, to manipulate data, and to extract data. And many in the developer community remain unaware of this problem. In this BLOG entry, I will describe two of these APIs in greater specificity and detail, including a variety of attacks they can facilitate. This article will not discuss the ActiveX API that is available on Windows OS; however, developers should give similar attention to that approach. Developers need to be aware of these items in order to protect their files and those of their clients.

    The two APIs at the center of this focus are Apple Events and the FMPURL process. In the earlier article, I noted several elements about these that bear repeating here:

    [These APIs] cause particular concern because of their breadth and relative ease of use….

    The Apple Events Suite has an extensive set of commands that can read and write data, read metadata, manipulate the UI, and trigger scripts. In addition, they can work outside the normal constraints found on layouts in a file. [http://thefmkb.com/5671]

    The FMPURL can open a file and run a script in it. If the file is already open, then the script will still run. [http://thefmkb.com/5560]

     

    A few general comments about both of these APIs:

    ·      They are not platform-specific, in the sense that a client organization running an all-Windows OS environment is not therefore immune from an Apple Event attack. It is the OS of the attacker, not of the client, that controls whether the API can be used.

    ·      There are some ways within Privilege Sets to constrain the behavior of these API commands when they are applied to a file. The Export privilege bit can control the ability of Apple Events to extract data from a file. The Layout Access privilege bits can also constrain the ability to see the contents of a layout. Likewise, Script Access privilege bits can control the availability of a script to either of these APIs.

    ·      These APIs often perform actions in unexpected fashions that fall outside the normal, traditional, and familiar FileMaker Pro User Interface behavior. This is part of what catches developers by surprise.

     

    —Apple Events—

    When a file is open, whether standalone or hosted by FileMaker Server, an attacker can send Apple Event commands to it causing it to perform a variety of actions, including:

    ·      Run any script to which the user has access, irrespective of whether that script is in the list of Scripts or whether it is attached to some UI element, such as a button.

    ·      Navigate to any Layout irrespective of whether that Layout’s name is in the list of Layouts or not. If the user’s Privilege Set has access to see that Layout, then its contents are visible whether the developer ever intended for the user to view the Layout or not.

    ·      Return various metadata about the file, including such items as Script Names, Value List Items, Layout Names, Field Names, etc. If a user’s Privilege Set does not allow access to the item, its name does not appear in the list returned.

    ·      Put data into any field in the database or extract data from any field, irrespective of whether that field is on the active Layout or is on any Layout for that matter.

     

    Here are several examples of these scripts, all working on a file named Our_Secret_Information.fmp12.

     

    -- Navigate to the first layout, whether or not it appears in the Layouts menu
    tell application "FileMaker Pro Advanced"
        activate
        go to first layout
    end tell

    -- Trigger a script by name, even if no button or Scripts menu entry exposes it
    tell application "FileMaker Pro Advanced"
        activate
        do script FileMaker script "Relog_as_Admin"
    end tell

    -- List the layout names the current Privilege Set can see
    tell application "FileMaker Pro Advanced"
        activate
        set somevar to name of every layout
    end tell

    -- List the field names the current Privilege Set can see
    tell application "FileMaker Pro Advanced"
        activate
        set somevar to name of every field
    end tell

    -- Read a field's value; returns nothing when the Export privilege bit is off
    tell application "FileMaker Pro Advanced"
        activate
        set somevar to get data field "CreditCardNumber"
    end tell


    —FMPURL—

     

    The FMPURL command’s principal attack vector is that it can be used to run any Script in a file to which a user’s privileges have access. Similar to Apple Events, this occurs irrespective of whether that script is in the list of Scripts or whether it is attached to some UI element, such as a button.

    If the file is closed, the command first opens the file with supplied credentials, then runs any OnFirstWindowOpen script, and then runs the designated script from the FMPURL command.  As a result of this behavior, a Halt Script step at the end of the opening script has the effect of blocking the running of the FMPURL designated script. Some developers have utilized this technique to block FMPURL calls to scripts in a file.

    However, if the file is already opened or if there is no opening script, then the designated script does run.

    Here is an example of calling a script, again in our file Our_Secret_Information.fmp12 being hosted at a server at IP address 0.0.0.0.

     

    fmp://0.0.0.0/Our_Secret_Information.fmp12?script=Relog_as_Admin

     

     

    —What Is the Significance Of This and How Do We Address This?—

     

    One of the many reasons we caution developers against embedding security elements such as Identity and Access Management controls into the data layer of FileMaker Pro databases is precisely because such elements are vulnerable to these API attacks. Think for a minute about that Relog_as_Admin script that presumably relogs into the file with a [Full Access] Account.  If an Attacker can trigger that script and cause it to run, irrespective of what the developer might have intended, then the Attacker has full access to the file. This has actually happened.

    Or, suppose that a developer has made a “Developer_Only” layout in the file, removed it from the list of layouts, and left sensitive information on it. If the Attacker can navigate to that layout, and if it is not protected by settings in the Privilege Set, then the Attacker can learn the contents of the information on it. This has actually happened in numerous instances, including, unbelievably, the appearance of [Full Access] level credentials left exposed on the layout!

    Likewise, suppose that a developer has made a so-called “Privileges Table” with various fields that purport to control whether a user can do such things as create records. Using the Apple Event Set Data command, an Attacker could likely change the values in these fields if they do not enjoy additional protection.  More likely even, the Attacker could simply issue a Make New Record command and create the record.  That is a process frequently used to thwart developer-imposed limitations on the number of records in a demonstration version of a vertical market solution.

    So, what can be done to manage this situation and to prevent these types of attacks? In FileMaker® Pro 15, FileMaker, Inc. added a new Extended Privilege option in the Privilege Set called fmscriptdisabled. Developers must explicitly invoke this option; it is not a default option. What it does is prevent Apple Events (Macintosh OS) and ActiveX commands (Windows OS) from activating scripts, just as the name implies. It has no impact on FMPURL or on other Apple Event commands that do not involve triggering of scripts.

    Some of the other items in a Privilege Set, notably Export and data layer modification elements, can control Get Data and Set Data Apple Events.  If Export is disabled, then Get Data will not return data from the selected field. In tables where the editing privileges are restricted, likewise, Set Data will not add data to a field.  Creation and deletion privileges behave in similar fashion. Remember, we are talking here only about Apple Events.  Other processes may behave differently. Controlling API behavior is important; however, it is not the only security feature that developers must invoke to assure Confidentiality, Availability, and Integrity of their database systems.
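    To make the interaction of these controls explicit, here is a small Python model, added here and not code from the article or from FileMaker, that encodes the rules stated above and in the FMPURL section: Script, Layout and Export access bits, fmscriptdisabled, and the file-open/Halt Script behaviour of FMPURL. The privilege-set field names and the sample account are this example's own assumptions; scripted checks and a "Privileges Table" are deliberately not inputs, because none of these APIs consult them.

```python
from dataclasses import dataclass, field


@dataclass
class PrivilegeSet:
    """The Privilege Set bits the article says govern these APIs.

    Field names are this example's own shorthand (assumptions), not the
    labels in FileMaker's Manage Security dialog. Note what is NOT here:
    no "Privileges Table" fields and no scripted checks. The APIs never
    consult those, so a model of what they can do must not either.
    """
    export_allowed: bool = True                 # Export privilege bit
    fmscriptdisabled: bool = False              # Extended Privilege, FileMaker Pro 15
    accessible_scripts: set = field(default_factory=set)   # Script Access bits
    accessible_layouts: set = field(default_factory=set)   # Layout Access bits
    editable_tables: set = field(default_factory=set)      # record-editing rights


@dataclass
class FileState:
    """Client-side state that matters for FMPURL only."""
    is_open: bool = False                       # already open in FileMaker Pro?
    opening_script_halts: bool = False          # OnFirstWindowOpen ends in Halt Script


def apple_event_allowed(priv: PrivilegeSet, action: str, target: str = "") -> bool:
    """Whether an Apple Event of the given kind succeeds for this account.

    The outcome depends on the Privilege Set alone, which is the article's
    point: removing a layout from the Layouts menu or a script from the
    Scripts menu changes nothing here.
    """
    if action == "run_script":
        # fmscriptdisabled blocks script activation by Apple Events (and ActiveX)
        return target in priv.accessible_scripts and not priv.fmscriptdisabled
    if action == "go_to_layout":
        return target in priv.accessible_layouts
    if action == "get_data":
        # With Export off, Get Data returns no data from the field
        return priv.export_allowed
    if action == "set_data":
        # target is the table holding the field; editing restricted => blocked
        return target in priv.editable_tables
    raise ValueError(f"unknown Apple Event action: {action!r}")


def activex_script_allowed(priv: PrivilegeSet, script: str) -> bool:
    """ActiveX script triggering is governed by the same two bits."""
    return apple_event_allowed(priv, "run_script", script)


def fmpurl_script_runs(priv: PrivilegeSet, state: FileState, script: str) -> bool:
    """Whether fmp://host/file?script=<script> ends up running the script.

    fmscriptdisabled is deliberately not consulted: the article states it
    has no effect on FMPURL. A Halt Script at the end of the opening script
    only helps when FMPURL is what opens the file.
    """
    if script not in priv.accessible_scripts:
        return False
    if state.is_open:
        return True                             # no opening script involved
    return not state.opening_script_halts


def script_exposure(priv: PrivilegeSet, state: FileState, scripts: list) -> dict:
    """For each script, which external channels can trigger it for this account."""
    return {
        s: {
            "apple_event": apple_event_allowed(priv, "run_script", s),
            "activex": activex_script_allowed(priv, s),
            "fmpurl": fmpurl_script_runs(priv, state, s),
        }
        for s in scripts
    }


if __name__ == "__main__":
    # Constructed example: an account "locked down" with fmscriptdisabled
    # and Export off, but which still has access to a relogin script.
    priv = PrivilegeSet(
        export_allowed=False,
        fmscriptdisabled=True,
        accessible_scripts={"Relog_as_Admin", "Daily_Report"},
        accessible_layouts={"Main"},
    )
    report = script_exposure(priv, FileState(is_open=True), ["Relog_as_Admin"])
    for name, channels in report.items():
        print(name, channels)
    # Relog_as_Admin {'apple_event': False, 'activex': False, 'fmpurl': True}
```

    The report makes the gap visible: with the file already open, fmscriptdisabled closes the Apple Event and ActiveX channels but leaves FMPURL able to run Relog_as_Admin, so the only durable fix is to remove that script from the Privilege Set's script access.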

    So, clearly what we need here is a way to block these APIs from interacting with FileMaker Pro files. FileMaker, Inc. is aware of these issues and has been working on new ways to address them. In the Product Road Map Webinar presented on November 30th 2016, FileMaker, Inc. noted that the next version of the FileMaker Platform will contain a number of additional security enhancements. I am authorized to say that one of those enhancements will be a new process for more closely and granularly controlling several of these APIs.

    At such time as there is a new version of the FileMaker Platform, I will have additional comments and analyses of the issues related to these APIs.

  2. Recently I was asked to implement user-friendly Excel exports on a WAN-based solution, utilizing some of the techniques explored earlier in this series (part 1, part 1.1, part 2, part 3, part 4 and part 5 — all from five years ago). There was just one problem: while performance was great locally, and okay on a LAN, it was […]



  3. One of the most enjoyable things about working in FileMaker, or any development environment where looping is supported, is the pure joy of automation.

    Even thinking about checking off any more than a few records at a time brings me to a mental state of counting the number of seconds it takes for the single action itself, then multiplying times the number of objects I need to affect.

    So the question arrives: “How do I automate this?” or “How do I make this process easier for the user?” The answer, quite simply, is applying the knowledge you have about solving it. There are, however, times when you just don’t know what can be done to make it even easier.

    In this video, I showcase a technique and method for offering users the ability to checkmark whole sub-ranges of records by simply clicking a button within a sub-summary area of a list view. It’s a wonderfully sublime method of solving the problem. And, understanding the fundamentals means you can use the method for a lot more than just a simple checkbox.

    Click the title or link to this article to view the video.



  4. When you think of Apple you probably aren't thinking about custom software solutions, are you? Learn more about FileMaker and how you can create custom applications specific to individual business needs!

    Apple's Secret Subsidiary


    David Happersberger
    dbservices.com

  5. Have you ever inherited a system built by someone else, changed a field’s name, and everything stopped working? The issue, hardcoded names used in indirection, makes the system fragile. FileMaker provides developers many methods to add flexibility using indirection. However, when these instances of indirection are not treated properly they will raise all sorts of problems. In this article we will discuss good practices regarding indirection that will help you build a dynamic and robust FileMaker system.



  6. G'day all! Just posted a new article over at FM Weetbicks, hope you enjoy it. This is a technique that I've used in a few solutions now, mainly for login screens or splash screens where I want to present a pretty backdrop image.  The issue is that when the user resizes their screen or rotates their device, the image can often stretch, distort, or end up with gaps of space if it is set to maintain aspect ratio.

    This article presents a way around that, hope you enjoy!

    https://www.teamdf.com/blogs/dynamically-resizing-backgrounds/

    Quote

    If background images are used sensibly, they can provide a beautiful backdrop to areas of your solution, such as a login screen, splash screen, or indeed the entire solution. FileMaker allows the user to stretch the window both horizontally and vertically in any ratio they wish. Anchoring has allowed us to try and compensate for this in our designs, but often images suffer because they are themselves a fixed aspect ratio, and deviating from that ratio will either stretch and distort the image if 'maintain aspect ratio' is off, or result in blank space around the image edge if it is on. Neither option is ideal for a background image.

    In this article we present a technique that allows you to resize an image and have it re-generate a thumbnail version upon resizing of the layout. This thumbnail version is a cropped version of the original, but respects the original image's aspect ratio.  If you choose your image sensibly, you can make a layout background that looks great no matter what dimensions your window is set to.


  7. Hierarchical Portal Filtering using FileMaker Pro 15

    By Andy Persons

    Way back in 1996/97, I developed my original hierarchical portal filtering technique using FileMaker Pro 3. Twenty years later, we decided to take another look and update it for FileMaker Pro 15. Several alternate approaches have been developed in the interim for the hierarchical portal filtering technique (including a “lite” approach by my colleague Doug West). After reviewing them, we believe the original approach still has merit as one option to consider.  

    Hierarchy Lite Advantages

    The Lite approach on the hierarchical portal filtering technique focuses on ease of implementation. It works to abstract the hierarchy logic using features like global variables and portal filtering, entailing fewer schema changes and requiring fewer changes after pasting scripts and fields. Download Doug West’s version of Hierarchy Lite Demo  

    Hierarchy Classic Advantages

    The Classic approach to the hierarchical portal filtering technique uses a multikey in a global primary key field to filter records. This requires more work to implement and more schema changes, but can result in improved performance in certain circumstances such as high numbers of related records or WAN deployments. This is because records are filtered at the relational level rather than the portal filter level. Records that won’t be displayed simply aren’t downloaded in the first place rather than being downloaded and filtered after the fact.  

    Leveraging New FileMaker Pro 15 Features

    We were also able to take advantage of several features that have been added since FileMaker Pro 3:


    Hierarchical portal filtering screen shot 


    • Button Bars: the text for the Expand All/Collapse All button toggle takes advantage of calculated Button Bars
    • Script Triggers: Indented arrows use repeating calculation fields with OnEnter script triggers to simulate “repeating buttons”
    • CSS: allows us to hide the In Focus formatting of the repeating field to preserve the button-like behavior


    Hierarchical Portal Filtering FileMaker Pro Download

    Download Revised Version


    Hierarchy Advanced 2.0 Features (coming soon)

    This refreshing of the original technique also sets the stage for more advanced features that we’ll be releasing in subsequent demos:

    • Dynamic sorting by any field
    • Drag-and-drop sorting and reassignment

    Stay tuned for Pt2 and Pt3!

    **This article is provided for free and as-is, use, enjoy, learn, and experiment at your own risk – but have fun! eXcelisys does not offer any free support or free assistance with any of the contents of this blog post. If you would like help or assistance, please consider retaining eXcelisys’ FileMaker Pro consulting & development services.

    About eXcelisys, Inc.: Founded in 2001, eXcelisys (www.excelisys.com) is an FBA Platinum Partner and FileMaker Certified developer organization. eXcelisys specializes in designing, developing, customizing, supporting, consulting, migrating, upgrading, fixing, and integrating of database solutions for Desktop, Mobile, and Web applications. Our core technology competencies are FileMaker Pro, FileMaker Go, and MySQL for database frameworks, along with FileMaker WebDirect, WordPress, MySQL, PHP, CodeIgniter, PostgreSQL, Joomla, Drupal, Magento, CSS, HTML5, and Javascript for web sites and web applications. Aside from providing eXcellent customer service, our goals are to use these technologies to intuitively automate your organization’s data solution needs seamlessly and flawlessly across the web, mobile, and desktop platforms. Contact eXcelisys today for a free estimate and consultation about making your business more efficient through intuitive and effective software automation. 866-592-9235 | info@excelisys.com

  8. Our 2017 FileMaker training series class, Developer Essentials, is scheduled!

    Our trainers are Certified FileMaker Developers, who have been developing custom solutions at Skeleton Key for many years.  Please visit our webpage for information, dates, and to register.

    The post 2017 FileMaker Training: Developer Essentials appeared first on FileMaker Development Company.


    View the full article

  9. Let’s Encrypt is a non-profit certificate authority with the mission of spreading the SSL love across the internet. Though they’re not officially supported, we can use Let’s Encrypt to get free SSL certificates to use with FileMaker Server. We will use a PowerShell script and the Windows Task Scheduler on Windows Server 2012 R2 to retrieve and automatically renew SSL certificates through Let’s Encrypt to make sure our connections to FileMaker Server are secure. With this, there’s no reason anyone should have an invalid SSL certificate on their FileMaker Server deployment!

    WARNING: FileMaker does not list Let’s Encrypt as a supported SSL vendor. We’ve had no problems with using these SSL certificates, but can’t make any guarantees for you. This is an experimental script and procedure. Please proceed with the use of this PowerShell script and Let’s Encrypt SSL certificates at your own risk.


    Here’s a summary of what we’re going to need to do:

    1. Download the GetSSL.ps1 PowerShell script
    2. Install the Microsoft PowerShell Package Manager
    3. Edit the GetSSL.ps1 file
    4. Change Windows security to allow PowerShell Scripts to run
    5. Install ACMESharp
    6. Run the PowerShell Script
    7. Change the FileMaker Server SSL Connections settings
    8. Set up a schedule to renew the SSL certificate

    Check out the video below for a walkthrough and continue reading for additional instructions.

    1. Download the GetSSL.ps1 PowerShell script

    First, you’ll need a copy of the GetSSL PowerShell script. Download the file using the link below and save it on your server where you’ll want to get the SSL certificate.

    WARNING: This is an experimental script and procedure, and SSL certificates from Let’s Encrypt are not officially supported by FileMaker, Inc. Please download and use this script with the understanding that it comes with no guarantees or warranties, and that you are doing so at your own risk. Neither Blue Feather, Let’s Encrypt, nor anyone else is responsible for what happens to your server or systems when using this script.

    Download the GetSSL PowerShell script


    2. Install the Microsoft PowerShell Package Manager

    Windows Server 2012 R2 ships with PowerShell 4 and does not include the PowerShellGet module, so the Install-Module command we need is not available until you add it. Visit Microsoft’s download page or the PowerShell Gallery and get the PackageManagement (PowerShellGet) modules for PowerShell 3.0 and 4.0; it is a very small installer. Once it is in place we can install the modules we need straight from the PowerShell Gallery.


    3. Edit the GetSSL.ps1 file

    The script file needs to be edited so that it knows the hostname you want a certificate for. Right-click the .ps1 file and select Edit to open it in an editor. Change the address, email address, and (if necessary) the FileMaker Server install path variables to reflect your server’s information and your contact information. The address must be the public hostname your clients use to connect, because that is the name the certificate will be issued for and checked against; Let’s Encrypt will use the email address to reach you if there is a problem with the certificate it has issued to you.


    4. Change Windows security to allow PowerShell Scripts to run

    Windows Server will not run PowerShell scripts by default (the execution policy is Restricted), so you’ll need to change it. Open PowerShell or the PowerShell ISE as Administrator using the “Run as Administrator” option and enter the command:

    Set-ExecutionPolicy -Scope LocalMachine Unrestricted

    Enter “y” and press enter to accept the security warnings that appear. Unrestricted is the broadest setting; RemoteSigned is enough for a script you run from local disk and still refuses unsigned scripts that came from the internet, so prefer it where you can. Be aware that a .ps1 saved by a browser carries an internet-zone mark and is blocked under RemoteSigned until you clear it (Unblock-File in PowerShell, or the Unblock button in the file’s Properties).

    Note: PowerShell must be Run as Administrator for this step and all subsequent steps, or you will receive errors. Be sure you are running PowerShell or the PowerShell ISE as Administrator using the “Run as Administrator” option, not just as a user named Administrator.


    5. Install ACMESharp

    We’ll be using the ACMESharp PowerShell module to talk to Let’s Encrypt and obtain our SSL certificate. (ACMESharp implements the original, v1 version of the ACME protocol, which Let’s Encrypt has since retired, so the script’s ACMESharp calls would need a current ACME client today.) Install the module from the PowerShell Gallery using the command:

    Install-Module -Name ACMESharp

    Enter “y” and press enter to accept the security warnings that appear.


    6. Run the PowerShell Script

    WARNING: Running this PowerShell script will restart your FileMaker Server service, abruptly disconnecting any active users. Make sure that nobody is connected to your server before you run this script.

    With ACMESharp installed and our security settings adjusted, we’re now ready to run the PowerShell script. Make sure nobody is connected or using your FileMaker server and then run the GetSSL.ps1 PowerShell script by navigating to the directory you have it copied to in your PowerShell window and entering:

    .\GetSSL.ps1

    A bunch of text will scroll by in the PowerShell window as the script requests, fetches, and installs your SSL certificate. Your FileMaker Server service will then be stopped and started again automatically.

    Your SSL certificate should now be installed! Go to your FileMaker Server admin console to make sure you’re seeing the new SSL certificate. You may need to close and re-open your browser if you had the page open already.

    7. Change the FileMaker Server SSL Connections settings

    The SSL certificate is installed, but we want to force FileMaker Pro and Go clients to connect securely to our server. Log in to your newly secured FileMaker Server admin console. Select the Database Server options from the list on the left and then the Security tab at the top of the page. Check the “Use SSL for database connections” option (as well as “Use SSL for progressive downloading” if you would like) to force FileMaker Pro and Go clients to use a secure connection when connecting to this server. Save your changes and then restart your FileMaker Server service on your server machine.

    FileMaker Server Admin Console Settings

    Your FileMaker Pro clients should now show the green lock icon when logging in to this server, indicating that the connection is secure.


    8. Set up a schedule to renew the SSL certificate

    SSL Certificates from Let’s Encrypt are only valid for 90 days and must be renewed before that time. Let’s Encrypt does this purposefully to encourage automation and increase security. In that spirit, we should set up an automatic renewal for our SSL certificates so that we don’t need to manually re-run this every couple of months. This process is similar to setting up a scheduled script in FileMaker Server.

    Move the GetSSL.ps1 file to a relatively permanent location on your server and then open the Task Scheduler, which we will use to set up a new scheduled task.

    Once you have the Task Scheduler open, right-click on the Task Scheduler Library icon on the left side of the window and select the “Create Basic Task” option.


    Give your task a name and description so that you can recognize what it is and then press Next. Select a frequency for this task to run, such as Monthly, and enter the times you wish the schedule to run on the next window.

    Enter “PowerShell” in the “Program/script:” field. Enter the path to the GetSSL.ps1 script in the “Add arguments (optional)” field. This should be a full path like C:\GetSSL.ps1.

    Click the next button to review, and select the “Open Properties” checkbox. Complete the setup and the properties window will open for you to make final adjustments to this schedule. You can edit the triggers and scheduling here, but the important thing we need to do is change the security options.

    Select the “Run whether user is logged on or not” radio button and enter your password to allow the script to run even if you’re not logged into the machine. Also be sure to check the “Run with highest privileges” option to make the script Run as Administrator, which is required for the script to work properly.


    Done!

    That’s all that you need to do! Your script should run automatically at your scheduled time to renew your SSL certificate with Let’s Encrypt. Keep in mind that your FileMaker Server service will be restarted after getting the new SSL certificate, so be sure to schedule it for a time when people will not be active in your system.

    This is an early version of this script and there is quite surely room for improvement. Please let me know if you have any suggestions or run into any issues using this scripting. Let’s make the FileMaker community a secure one!
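    The eight steps above folded into one wrapper script, added here as an example; it is not Blue Feather’s GetSSL.ps1 and not code from the original post. It checks which certificate the server is actually serving over TLS, runs GetSSL.ps1 only when that certificate is within 30 days of expiry (so the service restart the post warns about happens when renewal is due, not on every scheduled run), confirms afterwards that the served certificate really changed, and registers the step 8 scheduled task from the command line instead of through the Task Scheduler dialogs. The hostname fms.example.com, the paths C:\GetSSL.ps1 and C:\Renew-FmsCertificate.ps1, the task name, and the assumption that port 443 serves the same certificate FileMaker Server uses for database connections are all mine, not the post’s.

```powershell
<#
  Renew-FmsCertificate.ps1 (added example; not the GetSSL.ps1 from the post).
  Checks the certificate FileMaker Server is actually serving, runs GetSSL.ps1
  only when that certificate is inside its renewal window, and can register
  itself as the scheduled task from step 8.
  Assumptions (not from the post): port 443 serves the certificate FileMaker
  Server uses; GetSSL.ps1 lives at C:\GetSSL.ps1; this file is saved as
  C:\Renew-FmsCertificate.ps1.
#>
param(
    [string]$HostName,                        # when given, run the renewal check now
    [string]$ScriptPath = 'C:\GetSSL.ps1'     # location chosen in step 8 of the post
)

function Get-RemoteCertificate {
    # Complete a TLS handshake with $HostName:$Port and return the leaf
    # certificate the server presented. Validation is disabled in the callback
    # on purpose: we want to see the certificate even when it is expired or the
    # self-signed default, which is exactly the case worth detecting.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
        return $cert
    }
    finally {
        $client.Close()
    }
}

function Test-CertificateExpiringSoon {
    # True when no more than $DaysBefore days remain (or the certificate has
    # already expired). Let's Encrypt certificates are valid for 90 days and
    # Let's Encrypt recommends renewing once 30 days are left.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$DaysBefore = 30,
        [datetime]$Now = (Get-Date)
    )
    return (($Certificate.NotAfter - $Now).TotalDays -le $DaysBefore)
}

function Invoke-RenewalIfDue {
    # Wrapper for the scheduled task. GetSSL.ps1 restarts the FileMaker Server
    # service and drops every connected user, so only call it when renewal is
    # actually due, and verify afterwards that the served certificate changed.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [string]$ScriptPath = 'C:\GetSSL.ps1',
        [int]$DaysBefore = 30
    )
    $before = Get-RemoteCertificate -HostName $HostName
    Write-Host ('Served certificate: {0}; issuer: {1}; expires {2:u}' -f $before.Subject, $before.Issuer, $before.NotAfter)
    if (-not (Test-CertificateExpiringSoon -Certificate $before -DaysBefore $DaysBefore)) {
        Write-Host "More than $DaysBefore days left; nothing to do."
        return $false
    }
    & $ScriptPath                       # requests, installs, and restarts FileMaker Server
    Start-Sleep -Seconds 60             # give the service time to come back up
    $after = Get-RemoteCertificate -HostName $HostName
    if ($after.Thumbprint -eq $before.Thumbprint) {
        throw "Certificate served on $HostName did not change after running $ScriptPath"
    }
    if ($after.Issuer -notlike "*Let's Encrypt*") {
        throw "New certificate was not issued by Let's Encrypt: $($after.Issuer)"
    }
    Write-Host ('Renewed; new certificate expires {0:u}' -f $after.NotAfter)
    return $true
}

function Register-RenewalTask {
    # The Task Scheduler clicks from step 8, scripted: run as the given account
    # whether or not it is logged on, with highest privileges, daily at 03:00.
    # A daily trigger plus the expiry check above renews promptly without
    # restarting the server on days when nothing needs doing.
    param(
        [Parameter(Mandatory)][pscredential]$Credential,   # administrator account the task runs as
        [Parameter(Mandatory)][string]$HostName,
        [string]$WrapperPath = 'C:\Renew-FmsCertificate.ps1',
        [string]$TaskName = 'FileMaker Server Lets Encrypt renewal'
    )
    $arguments = '-NonInteractive -File "{0}" -HostName {1}' -f $WrapperPath, $HostName
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $arguments
    $trigger = New-ScheduledTaskTrigger -Daily -At 3am
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -User $Credential.UserName -Password $Credential.GetNetworkCredential().Password `
        -RunLevel Highest -Force
}

if ($HostName) {
    # Invoked by the scheduled task, or by hand: .\Renew-FmsCertificate.ps1 -HostName fms.example.com
    Invoke-RenewalIfDue -HostName $HostName -ScriptPath $ScriptPath | Out-Null
}
```

    Save it as C:\Renew-FmsCertificate.ps1 next to GetSSL.ps1, then register the task once from an elevated PowerShell with `. C:\Renew-FmsCertificate.ps1; Register-RenewalTask -Credential (Get-Credential) -HostName fms.example.com`. Checking what the server actually serves, rather than a file on disk or the date of the last run, is what makes this safe to schedule daily: a renewal that fetched a certificate but failed to import it into FileMaker Server shows up as an unchanged thumbprint and a thrown error instead of a silent success.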



    View the full article

  10. Here’s a little update from my previous blog “Let’s Get Certified”… I passed! Now I am proudly a part of the certified developers of FileMaker.  Having achieved both version 13 and 14 certification it is now time to get ready for…. version 15! Instead of going on about how to prepare for the next exam,...


    View the full article

  11. Welcome to the fourth and final part of the FileMaker iOS App SDK series. In the final part of the series I will take you through building and compiling the iOS App. If you haven't yet read through parts 1, 2 and 3, now would be a good time to go take a look.

    Continue Reading...

  12. [ Edit: 3/16/2016 - With the help of some other people, we have been able to recover, or recreate some of the original images from original thread. ]

    Security is always a big topic when it involves data, or people, or possessions. Recently, over on the FileMaker Community, there was a very beneficial discussion regarding security. Unfortunately, that discussion was the victim of a necessary action...and was deleted. It was deleted, because the discussion was tied to a video that, as was determined throughout the thread, was not beneficial to the overall community of FileMaker users and developers. When that video was removed, the discussion vanished with it.

    This post is specifically targeted at recompiling that discussion, because at its core it represents an important message that is necessary to convey and support. That is, creating ersatz security systems can introduce security vulnerabilities. In my experience, I have only seen 1 (one) approach that increased security while adding a 2nd factor of authentication. And it was complicated and not easily set up...and in the end, comes with its own set of drawbacks.

    One of the main things I took from the below discussion ( and it's a long discussion!! ), is this: What is the point of attempting to add a layer of security that does NOT increase security?! If the approach does not INCREASE security, why would you market the approach as a security technique?! The answer to that is the reason why the video that launched the discussion was deleted.

    While I had much internal debate about the best way to republish the info from this discussion, in the end I decided ( with much input from others ), that just posting the discussion in its entirety was the best thing. And in doing so, know I have, as do those that gave their input, nothing but respect for all those involved in the discussion. So that is what follows. One very important note: the discussion is one of learning. And I truly believe that no one involved in the discussion came out looking 'bad'. One could say, 'well yeah Josh, you didn't end up being wrong in the thread, so you don't care'. I assure you, I have been wrong in MANY discussions. In fact, I had a similar discussion with Wim Decorte in another thread several months before this one. As I researched, and tested...I learned not only was I wrong, I learned I NEEDED to change something in my development. Without any further introduction, here is the thread:

    Original Discussion Thread from Community.FileMaker.com, a Video with an interview with well-respected developer Taylor Sharpe:

    =================================================================

    Date: August 12, 2015 at 5:42 PM ( Date of Original Video Post )
    Title: Free Video>>> Two-Factor Authentication w/ Taylor Sharp

    =================================================================

    November 27, 2015 at 8:20 PM by Taylor Sharpe

    Thank you for your interest in this video. It is an additional tool to the suite of FileMaker Security tools to help improve security. This video shows you how to enhance an already implemented security plan to make it even better by adding hardware verification. This tool has minimal impact on staff and uses tools currently available in FileMaker 14. This video shows how to use hardware verification as the 2nd factor authentication similar to how Google and Apple currently implement it. This tool makes use of the current security standard of verifying hardware with Persistent ID as well as FileMaker tools including a start up script and email or text messaging notifications. 

    Additional advice: In conjunction with two factor authentication, you should make sure you already are following the FileMaker security guidelines. Security is one of the cornerstones of a good solution and you should make use of least privileges necessary for users, appropriate password guidelines, consideration of external authentication services such as Active Directory and Open Directory, client-server SSL encryption with 3rd party authentication, Encryption at Rest, backups (yes, that too is a part of security), and physical security. 

    Caution: This 2nd factor authentication is only designed to work in conjunction with the other FileMaker security tools to enhance security and you should not rely solely on this as a single factor of authentication because it is only a hardware verification. Security is a constantly changing field. If you follow FileMaker’s Security Guidelines, you will have a robust and secure server. Additional security tools like this should be considered, as well as documentation of security controls in a security plan. There are additional tools available such as token passing, plugins with higher level encryption, biometrics, etc., that go beyond what is included with FileMaker that may have merit. At a minimum, you should evaluate your server’s security with some type of review or audit on an annual basis.

    I wish you all the best and encourage you to make sure an appropriate amount of time is allocated to security when you are developing your solutions. DEMO FILE: Can be found at <sample file> ( link removed ). It is UU encoded, but ready to go with full access for Admin user account and no password. Feel free to make use of the sample file to copy scripts or layouts as you may need. Appropriate credit would be appreciated. Thanks.

    =================================================================

    November 28, 2015 at 7:50 AM by Wim Decorte

    To be very clear: it is NOT true 2-factor authentication since it relies on the user already having been authenticated and allowed into the solution before the 2nd factor comes into play...

    =================================================================

    November 28, 2015 at 2:16 PM by Taylor Sharpe

    It might be a bit of splitting hairs, but not inaccurate. You are in FileMaker in-so-much as you are logged in and being processed by a start up script for further validation. But a regular user can't escape the script. The way to meet Wim's definition of Two Factor authentication is to have some other program perform that two factor authentication prior to FileMaker's credentials, or FileMaker adds this security feature and it resides outside of FileMaker scripting and before getting logged in (boy that would be nice, FileMaker, Inc.!). The assumption I was working with is that people are limited to FileMaker tools and you cannot avail yourself of those tools without being inside of a FileMaker solution to run the 2nd factor script. This means things like turning auto abort off. And it is a security improvement over single factor authentication, but it is not invulnerable. For example, someone with Full Access will be able to enable the script debugger and this is a reason to be very limited on who has Full Access and make sure those passwords are strong.

    Tim Dietrich's FM Authenticator and others have done similar Two Factor authentications with FileMaker, but they all use a startup script like this one and are therefore subject to the vulnerability Wim points out. Just keep in mind that this can be an improvement to security assuming you have fully implemented the FileMaker security guidelines already and this is an ADDITIONAL tool, not an exclusive one. For example, it would be a bad idea to use this 2nd Factor authentication and tell people that they only have to use User ID's, but no passwords.

    Thank you for the comment Wim. It is good that we all understand how security works and where its weak points are.

    =================================================================

    November 28, 2015 at 6:28 PM by Wim Decorte

    I don't think it is splitting hairs; it's about calling things what they are. We certainly don't want people going around saying that FM does support 2FA when it does not. I'd hate to be part of a security audit where someone proclaimed that FM does 2FA based on this or a similar approach...

    As to the level of security: while a user can not escape out of a script by simply pressing ESC, there are ways to stop scripts so relying on a scripted security system does not usually enhance security but rather introduces potential vulnerabilities.

    =================================================================

    November 29, 2015 at 2:47 AM by Taylor Sharpe

    <Post deleted by Taylor Sharpe>

    =================================================================

    November 29, 2015 at 7:38 AM by Wim Decorte

    Very disappointed in this reaction. Since when is a difference in opinion "inappropriate and unprofessional"? And I do not appreciate the insinuation that I am not a professional or worthy of working for Soliant Consulting, nowhere in my replies did I ever attack your integrity or the company you work for.

    If 2FA is a requirement then I would suggest using technologies that do have full & native 2FA: like logging into the OS through 2FA and then use EA for access to the FM application.

    I do withdraw from this conversation, not because I'm being told to by you, but because once a respectful debate over differing opinions is not welcome, then I do have nothing further to contribute.

    =================================================================

    November 29, 2015 at 7:12 PM by Josh Ormond

    I am very surprised at this response, having seen the response before it was deleted.

    The problem that Wim is pointing out is a real issue. We can call something 2FA, but if the person is IN the file after the first factor, for compliance reasons and technical reasons, it really is not 2 Factor Authentication. Because the 1st factor allowed them in, and you can't from there stop them from accessing the file. Simply put, one can easily stop the script from running and add their device as an approved device and access everything in the file. I don't see how that is increasing the security of the file. It only gives a false sense of security. Which leads to larger problems. This file, having never seen it before, took me no more than 15 secs to authorize myself to access the file from any device I want, using nothing more than the tools provided in the file. I only need one-factor to get in now...anytime I login.

    If one were to promote their solution as a compliant solution using 2FA, they could be opening themselves to hefty fines. As Wim said, if 2FA is required, you need something that prevents you from getting into the file with 2 factors.

    Though I do like Tony White's response to this discussion in another place: Maybe we should call it "1+1 Factor Authentication".

    =================================================================

    November 29, 2015 at 7:58 PM by Tony White

    Thanks Joshua Ormond for the shout out. Here is the twitter perma-link to the thread.

    https://twitter.com/tonywhitelive/status/670721676464779264

    I implement security that uses the built in tools and at the same time am open minded to creative ways of adding to security...as long as they successfully address defined use cases. Know the rules and know when you can extend them...

    On a separate thread I proposed the idea of a security contest with a monetary price. https://community.filemaker.com/message/517290#517290

    Interesting topic. Lots of considerations to factor in when coming up with best practices.

    =================================================================

    November 29, 2015 at 8:22 PM by Taylor Sharpe

    Joshua, I deleted my own response and not FileMaker because I was offended by Wim and the way I worded the response was not professional. My bad and apologies to Wim.

    I think there can still be a good discussion. Two Factor means that two methods are being used for authentication. Providing additional requirements on what makes another factor a real factor or not does not make it not another Factor even if it is not as robust as other possibilities. Wim does bring up a point about why it is not as robust as other 2nd factor authentication implementations because the 2nd factor is done within the solution and not before you are in the solution.

    The solution I provide in the video uses the tools available from FileMaker. Within the constraints that FileMaker scripting tools provide us, it is a good security control. That is not to say going outside of FileMaker's tools or asking FileMaker to build a second factor authentication into the application would not be better, but those are not tools readily available to most of the users here. The solution provided improves security and it is a second factor of authenticating even though Wim correctly points out the 2nd factor is done within the solution.

    The point I am making is that implementing this 2nd factor authentication, even with its limitations, is better than not implementing it.

    There are a lot of OS level two factor authentication solutions including not only User ID/password, but tokens, or VPNs that would be required before you would have access to the FileMaker solution. They may be worth some discussion here too. But those are beyond what is trying to be addressed in this type of solution.

    =================================================================

    November 29, 2015 at 9:40 PM by Josh Ormond

    I get the attempt. The concern I have with it is, it required only 1 factor for me to be in the solution and using it. If I didn't provide an email, it let me use the file anyway. Without ever requiring factor 2.

    In Tim's solution for what he also called 2FA, at least the user was left in a low-level account. But even with that, I could edit and hack the file to pieces. Simply because I could get in.

    Authentication itself is the process of deciding if someone has authorization for access. Two factor authentication is at its core really supposed to happen before the person gets in the file. FileMaker doesn't provide a second access control for logging in. Though I do wish they did. It should be a feature request.

    For reasons exactly like this, the data is at risk once the person is in the file. Even worse, for something that is script driven, I can stop the script from running and there is no trace that I even logged into the file.

    I'm not here to add fuel to an argument. Simply to voice a warning that for even a fairly new user, the approach can be easily circumvented...and when it comes to compliance, users/owners/database admins, need to know that. I would hate to see someone get hit with fines because they assumed an add-on security method was "safe". For compliance, there are other ways to secure the file and the data. Security 'add-ons' typically don't add any security. Just another layer of steps to get in. I say this simply because I have seen too many solutions that owners thought were 'safe'...to which I was in reading them sensitive data while they were still explaining how to login the 'right way'.

    And I'm glad to hear why you deleted the post. Both yourself and Wim are worthy of greater respect.

    =================================================================

    November 29, 2015 at 11:00 PM by Taylor Sharpe

    Josh... I gave you a file with Admin and no password. This is a completely OPEN Admin with Full Access and no password. Of course you got in. You would not have gotten in with one where it automatically logged you in with Admin and Full Access. So you would not have gotten past the first factor, let alone the 2nd.

    This database was left open as a development tool. Hacking it is as simple as opening it up because it defaults to the Admin with no password. You did not hack into it and your comments to this effect are not helpful to people reading this discussion. It implies you have some ability to defeat this solution when properly implemented and you have not provided any information to show that you have those skills, making me doubt that you can. But I will be glad to provide you a hosted solution properly implemented and be glad to give you a shot at it.

    OK, that aside, Tim's solution did get you in with a low level User Account instead of whatever account you are in. The reason I went the way I did was because this is supposed to make things easy on staff instead of dealing with multiple logins and multiple passwords. The goal was to improve security while making it easier on the staff. This solution adds significant security with very minimal impact on staff. No it is not a perfect solution, and no control in a database ever is, and you should have many controls in a secure system. Most security plans identify hundreds of controls in every solution. You have to have multiple layers of control from least privileges to encryption. This 2nd Factor is NOT a sole security tool. It is used to enhance security with minimal impact and be easy to implement with the tools FileMaker provides.

    This control as a 2nd Factor authentication is not perfect and is designed to work in coordination with other security controls. If you know about security plans, you know that most controls have some weaknesses. But you do not dismiss a control that is generally effective because where one control may not stop an intruder, another one will and it is the combined effectiveness of controls that makes the security. Removal of an imperfect control can weaken a security plan and removal of controls has to evaluate whether their imperfection is beneficial compared to not being there at all.

    I still stand behind this being a simple solution that enhances security with minimal effort and using tools already provided by FileMaker. I challenge that those of you dismissing such a simple control that benefits security are lacking in good security judgement unless you are providing some improved alternative.

    =================================================================

    November 29, 2015 at 11:19 PM by Josh Ormond

    I am not dismissing it completely. If some choose to use it, that is part of their own risk assessment. I do challenge the name. Primarily because I can prevent the 2nd factor from ever firing, very very easily.

    I am aware of how you set up the file, and its intent. I will assure you my test was thorough. I have tested several of these types of security measures. In some cases businesses decided to continue to use it. It was simply a user "trust" mechanism. In the meantime, we secured the file by other means. Some left it as is. Some abandoned it completely. That would be the owner's decision to make.

    I will also step out of the conversation. I think there is just a core difference in the thought about what increasing security means. Which is at the heart of the matter. I hope for the best for you.

    =================================================================

    November 30, 2015 at 8:50 AM by Wim Decorte

    Taylor Sharpe wrote: “I challenge that those of you dismissing such a simple control that benefits security are lacking in good security judgement unless you are providing some improved alternative.”

    An improved alternative was already mentioned earlier: do the multi-factor authentication upstream from FileMaker.

    These security implementations are never done in a vacuum and all angles should be considered, not just how the behaviour can be mimicked in FM. The first thing to be open about with the customer is that FM does not do native multi-factor authentication.

    So the alternatives are:

    - discuss with the client how 2FA can be done before the solution gets launched and how it can be combined with things like External Authentication for the FM solution. This keeps all authentication strictly at the FM security level and does not add any vulnerabilities.

    - discuss the security risks of the FM scripted approaches to mimic 2FA and if those are acceptable given the risk appetite of the client and the compliance requirements.

    If neither is acceptable to the client then FM is probably not the right platform for the solution.

    =================================================================

    November 30, 2015 at 9:38 AM by Taylor Sharpe

    Josh, I don't think you really do understand. But I am more than willing to eat crow if I have misspoken and certainly willing to learn. So I have hosted the file on my development server at <link removed>. Please let me know when you are able to get in and how you did it.

    Thank you, Wim. I concur with you that an "upstream" approach can be a good one to implement two factor authentication. And most everyone has some type of upstream security even if it is as basic as a User ID and password to get into a computer, but many companies do a lot more such as some form of 2 factor authentication, VPN connection, tokens, etc. I also agree with you Wim, that FM does not have native multi-factor authentication at the application level. But that is something we developers can't control, and something I would encourage FileMaker Inc. to consider in future versions. It would be a nice security improvement tool.

    However, within the tool set available to FM development, the 2 Factor authentication described above works and improves security, and will have a smaller hurdle to implement than most of the suggestions you have made. My goal was to keep things simple with the tools available inside of FM to improve security, and I have met that challenge within those criteria.

    =================================================================

    November 30, 2015 at 9:41 AM by David Zachary

    I’ve been watching this thread with interest and a degree of amusement. My post may not have any substantive benefit to the thread, but it makes me feel good.

    It reminds me of when Bill Clinton was going through his impeachment hearings. During an interview he was asked "was it sex?" and straight faced he replied "it all depends on what your definition of 'is' is". This thread has gotten to that point - what is the definition of 2FA? Clearly there are different opinions.

    Having both parts of a 2FA system inside of a FileMaker solution, while technically 2 factors, is like having an alarm system on your house to complement the door lock. You feel secure but somebody fast enough with enough skill can still break in and grab something valuable quickly. You've got 2 security measures but still got robbed. The better solution is to have an electrified fence and a moat around your house - everything of value is protected by measures not directly connected to the house. FileMaker security should be the final line of defense, not the first and not the only. Calling a system that has both factors inside of the target database as supporting 2FA is dodgy unless all parties are using the same definition of what 2FA is - while you say it's 2FA, any client that has to follow government or corporate-defined 2FA specifications will likely disagree.

    I'm not going to repeat what others have said (too much), but FileMaker does not natively support a 2FA system. You have to do it elsewhere. If your data requires that level of security, you need to look at supplementing the security infrastructure outside of FileMaker, long before an intruder gets to the FileMaker-level.

    Thankfully Stephen Blackwell isn't on here much anymore. He would have probably had a stroke by now. His views on custom-developed security methods are well documented.

    Back to watching from the sidelines.

    =================================================================

    November 30, 2015 at 10:09 AM by Josh Ormond

    I understand both the intent of what you are arguing for, and have in the past felt the same way. However, I think you misunderstand me.

    FileMaker's own built-in security is in itself the strongest security you can get with FileMaker. By turning on EAR, securing the physical server, setting up proper privilege sets and users, and limiting the ability to edit/create/delete privilege sets, and by using Extended Privileges, and in many cases using EA...you are secure and safe with your data.

    With that, without the user name and password, one can NOT get into a hosted file remotely. That is one of the great parts of FM security. And you know that part as well.

    What I am saying...the average user can stop your second factor, very easily...so it does not enhance the security. I have seen so many poorly implemented security add-ons in FM, because the developer or user was trying to imitate another security functionality. It looked like they were enforcing 2FA...but in reality not even one of the users actually ever completed the 2nd factor.

    In essence, it feels like putting a second deadbolt on your door, but putting the lock handle ( normally inside ) on the OUTSIDE. It doesn't do anything, other than give some more strength to the door...so someone would have a more difficult time kicking in the door. But if someone already has the key for the other deadbolt...they simply spin the lock handle and walk in. Zero added security.

    In this case I need to do nothing other than stop the script from running. So with a login, I can log in from ANY device. Not to mention there are serious problems with Get ( PersistentID ) on Windows, so it's simply not reliable.

    =================================================================

    November 30, 2015 at 10:19 AM by Taylor Sharpe

    OK, Josh, this moves us forward some and thanks for the comments. How about this, what if I put a non-Full Access User account in that File. Are you able to defeat the 2nd factor? For example, I just added a "Josh" account with no password and it is set for the privilege set "Data Entry Only", but has no authorized devices.

    Also, I'm interested in learning more about the problems with Get ( PersistentID ) on Windows.

    =================================================================

    November 30, 2015 at 10:32 AM by David Jondreau

    “without the user name and password, one can NOT get into a hosted file remotely.”

    That is the whole point of 2FA. You can put all the locks on the doors you want, but if your user leaves the key under the mat, your file is compromised.

    2FA is not some miracle security feature. It simply is a philosophy that to improve security, users should have 2 of 3 different things: something they know (username/pass); something they have (a specific cell phone); and/or something they are (a fingerprint). Yes, the line between some of these categories is blurry, but the point isn't to get involved in a semantic debate of whether a fingerprint is something you are or something you have. The point is to improve security.

    I have not watched Taylor's video (I hate watching videos). But I have looked at the sample file, which in my opinion, doesn't do a great job at improving security since the only user account is full access. But it's a sample, for developers to look at, so it's not a real world scenario. And maybe there's more in the video.

    Regardless, the point is the file already requires a username and password. Taylor is *already* doing the minimum of requiring one factor (something you know). He is adding on an additional "factor" of a device. Is the implementation effective? I'm not sure, but I certainly don't see where the criticism of the underlying principle is coming from.

    =================================================================

    November 30, 2015 at 10:46 AM by Josh Ormond

    6 months ago, I would have written the same thing you did. However, having seen a similar 2FA system implemented and relied on in a medical environment, unless there is something else involved, it does not meet some of the compliance standards.

    Penalty fees are typically based on the number of records. I have seen customers get fees into the $10s of thousands of dollars as a result. That is the primary reason for the strong reaction. If a customer wants to use it, that's up to them. I'm not opposed to it, as long as the purpose is to simply increase security.

    The reference to leaving the key out is a user thing. I am referencing the developer actions. The user behavior is a separate issue from file security.

    =================================================================

    November 30, 2015 at 10:49 AM by Josh Ormond

    With the current setup, the data-entry account can't even fire the startup script. So even with an authorized device, one could not get in.

    =================================================================

    November 30, 2015 at 11:01 AM by Taylor Sharpe

    Oh, you are right, Josh. I didn't give the Data Entry fmapp extended privilege set. I have fixed that now.

    =================================================================

    November 30, 2015 at 11:18 AM by Richard Carlton

    Very interesting. Taylor, ideally you wouldn't spray the table of secure data on screen... but I guess that makes the hack that much more interesting. LOL! I guess we have Taylor's 2nd authentication.

    So the challenge now is to stop the script and get access to the file... or otherwise spoof it with Taylor's info.

    Josh, if you know how to hack this... that would be alternately cool... and also scary to see. It's not immediately obvious to me how to stop the script engine.

    I am genuinely curious how you do this.

    I think for the point of the exercise... we should assume EAR is enabled... and so reading network traffic with a packet analyser won't work.

    - RC

    =================================================================

    November 30, 2015 at 11:29 AM by Taylor Sharpe

    Richard, yes, I didn't mean to mess that up for Josh, but it is fixed now so the Josh account can get in and I did it to confirm it works.

    And, yes, EAR has been done, SSL 3rd party encryption is on, and using FileMaker Security (not AD/OD). Running on FMS 14.0.4 on a Mac OS X 10.11.1 Mac Pro Black Cylinder.

    =================================================================

    November 30, 2015 at 11:41 AM by Richard Carlton

    Ok... well... let's make it fun. I'll put up $200 for anyone who can hack the file and get into it in a meaningful way. Read only access would be good enough... to be able to read another layout with data on it.

    To Win, you must be able to do a screen share to demonstrate how you hacked the file... and I get to interview the winner. Then you get the $200 USD.

    - RC

    =================================================================

    November 30, 2015 at 12:40 PM by Josh Ormond

    Dangerous. You are going to owe me $200. Note, not only did I get in, I authorized myself for future log-ins, and altered other data. And if I wanted to be nasty, I can lock everyone out by hosing the PersistentID.

    Did you want to see the Device Access also?

    [image: 2FA001.png]

    =================================================================

    November 30, 2015 at 12:43 PM by Josh Ormond

    Here are the approved devices also. Note in both of these screen shots, the Persistent ID isn't even the one from my machine...it still lets me in.

    [image: 2FA002.png]

    =================================================================

    November 30, 2015 at 12:53 PM by Wim Decorte

    Ha, you beat me by about 10 minutes.

    In case someone wants the data in excel...

    [attachment: Information copy.xlsx]

    =================================================================

    November 30, 2015 at 1:31 PM by Taylor Sharpe

    OK, good job Josh and Wim, in breaking the 2nd factor. I guess this means you got around the Allow User Abort Off, which I am not sure how that is done. Would you like to share with us how you did that step? I just want to learn more about this and kudos to both of you. Let's just make this a learning thing. Thanks.

    =================================================================

    November 30, 2015 at 1:41 PM by Wim Decorte

    Working on that. But at the risk of sounding unduly snotty: this kind of info needs to be part of a bigger message that is being worked on; so "not yet".

    For now the focus point is on not trying to roll your own security using tables and scripts. Stick with the native FM features. Your first factor works like it should.

    =================================================================

    November 30, 2015 at 1:43 PM by Richard Carlton

    Hi Josh,

    I wouldn't say $200 if I didn't mean it. LOL. Hell, I frequently give cash away to presentations to make sure people are not sleeping. :-)

    Please arrange to call me to discuss.

    - RC

    =================================================================

    November 30, 2015 at 1:46 PM by Josh Ormond

    Will you be at DevCon next year? Maybe we can show you in person. Definitely not something I would post in a public forum.

    The main thing is that anything you allow me to do in the privilege set is the only thing that determines what I can and can not do. Scripts do not prevent anything. Obscurity does not prevent anything.

    =================================================================

    November 30, 2015 at 1:48 PM by Taylor Sharpe

    wimdecorte wrote: “Working on that. But at the risk of sounding unduly snotty: this kind of info needs to be part of bigger message that is being worked on; so ‘not yet’.”

    Take your time... I just want to learn and make sure others are learning too. Your input is appreciated.

    =================================================================

    November 30, 2015 at 1:50 PM by Richard Carlton

    Frankly...this is an excellent conversation. I like it... as it allows for valuable knowledge sharing. Just telling people "don't do it"... isn't always the best way.

    - RC

    =================================================================

    November 30, 2015 at 2:03 PM by Josh Ormond

    This is a good, brief read. And also has a link to Stephen Blackwell's info on the FMPug site.

    http://fmforums.com/blogs/entry/830-an-exploit-based-approach-to-providing-filemaker-platform-security/

    =================================================================

    November 30, 2015 at 2:04 PM by Wim Decorte

    Richard Carlton wrote: “Just telling people ‘don't do it’… isn't always the best way.”

    Yep. The "why" has been covered many many times however. Steven Blackwell has talked about this at many devcons for instance.

    =================================================================

    November 30, 2015 at 2:18 PM by Taylor Sharpe

    Yes, what was stumping me was I understood how Wim got in looking at tables. I didn't understand how Josh saw the actual layouts since he posted a picture of it.

    Anyway, I've changed the Security "File Access" to require full access privileges to use references to this file. So that would fix that vulnerability and it is a good point to remind people about before moving a database into production.

    And Wim reminds us that Mr. Blackwell shows us this technique at Devcon and he did this past summer too.

    It does make you wonder if that should start to become a default setting on new files.

    =================================================================

    November 30, 2015 at 2:19 PM by Taylor Sharpe

    Oh, when I reposted it with the fix, I removed Josh and created Wim with no password.

    =================================================================

    November 30, 2015 at 2:25 PM by Richard Carlton

    Yah...that security setting needs to be more prominent. I remember people doing this in the FM 5 and 6 days.

    =================================================================

    November 30, 2015 at 2:43 PM by Richard Carlton

    Cash Payment Made $200 to Josh!!! I always make good on our contests.

    =================================================================

    November 30, 2015 at 3:33 PM by Wim Decorte

    Richard Carlton wrote: “Yah...that security setting needs to be more prominent. I remember people doing this in the FM 5 and 6 days.”

    Agreed. The whole security interface needs to become more intuitive and complete.

    Note that closing this particular hole does not make the scripted 2nd factor safe, though. I'm traveling this week so I won't have to play with this anymore until the end of the week.

    =================================================================

    November 30, 2015 at 3:45 PM by David Jondreau

    I can think of at least 3 ways in.

    I'm not sure what Josh and Wim have been up to, but one was File Access.

    The second I'm still playing around with and it may be similar to Josh.

    The third is a much bigger deal.

    =================================================================

    November 30, 2015 at 5:48 PM by Richard Carlton

    Yeah... the File Access Trust features should have been enabled. That's low hanging fruit. The rest of these are more interesting. - RC

    =================================================================

    November 30, 2015 at 6:15 PM by Matt Petrowsky

    What I've got to say is tangential to the immediate topic, but I've been wanting to say it for a while.

    I've been stewing on this whole "ersatz" security thing for quite a while. While I will fully agree with advising the general developer population about not creating their own login system, there are times and places where it's warranted. In particular, if you are wanting to use FileMaker as a development tool for end-user solutions where you really don't want to deal with FileMaker's account limitations.

    To that end, I'm posting a PDF I just created about the security model I use on systems where I DO create my own ersatz login system. Poke holes in it and tell me where you think it might fail. I think it's pretty robust - since it simply emulates the whole login system of most modern software.

    Please review and send feedback. I can start another thread, but I see that the people who are here now will see this and provide me with feedback.

    The biggest argument I have against the "FileMaker security only" proponents is that just because you can get into a FileMaker file does not mean you can do whatever you want within the file - especially, if you know how to limit the risk exposure. I make the analogy that if I can go to your web site and see some stuff then it's no different than opening a FileMaker file and being able to see some stuff. Moving from one level of access to another always boils down to one line of code somewhere. I look at FileMaker the same way. I can let you into my file, but I won't let you do or see anything I don't want you to.

    Check out the attached PDF and tell me what you think.

    https://dl.dropboxusercontent.com/u/1211710/Secure%20FileMaker%20Login%202015-11-30.pdf

    =================================================================

    November 30, 2015 at 6:46 PM by Taylor Sharpe

    Good read, Matt. I've just been through it once and it seems very thorough. I'll have to chew on it a bit to see if I can think of other things.

    While sticking with FileMaker security is the safest and easiest, I know there are some times when we need something different. While this seems very foreign to FM, it actually is rather common in SQL engines to have stored User IDs and hashed passwords and maintain privilege sets, etc. One real benefit of FileMaker is how strong and simple their built in security is integrated into a solution and how much harder it is to do in other systems where security isn't built in.

    Thanks for the PDF, Matt, and I'll be doing some more reading on it.

    =================================================================

    November 30, 2015 at 8:46 PM by Josh Ormond

    Lots of good stuff there Matt. There are probably a few ( very few ) developers in the community that I think could execute something that is very secure. But I have only ever seen 1 such system as of yet, and it was way outside of normal thought. And unfortunately, from a developer that is no longer active anywhere and their email is defunct. When I had seen the file 6 years ago or so, I was too much of a newbie to know exactly what I was looking at.

    The issue, even for the best of developers, that I see is...in 6 months, you have changed your approach for things slightly. It requires a complete rework ( or reminder ) of your security settings to ensure you don't open a hole. With any restriction that is imposed via script, it can be completely circumvented and data viewed/stored outside of the database. It's clearly something that is on the mind of any developer of any platform. But all one needs is the privilege set to allow the user to view data.

    I definitely see a great need for a more robust security scheme. I would like to see native 2FA in FileMaker. That is at the top of my list. Outside of that, FM security and Extended Privileges, and External Authentication have served me for almost everything I've needed.

    =================================================================

    November 30, 2015 at 9:57 PM by Wim Decorte

    Matt Petrowsky wrote: “The biggest argument I have against the "FileMaker security only" proponents is that just because you can get into a FileMaker file does not mean you can do whatever you want within the file - especially, if you know how to limit the risk exposure.”

    Hi Matt,

    In that "knowing" lies the conundrum, right? To loosely quote Mark Twain: "It is not what you don't know that hurts you, it is what you know that isn't so".

    I think the overall discussion would be much easier if more people acknowledged that scripting your own security solution introduces more risk potential, not less. Risk can be mitigated but it relies on a very solid understanding of the behaviour of FM on all levels, not just the security level. Every new and changed FM feature behaviour bears the risk of blasting a hole in the ersatz model.

    That acknowledgment is what I do not find enough in these discussions. There is a long-standing myth that pretty much any ersatz security model is just as secure or even more secure than the native security features. And that is simply not so. As this thread has proven.

    I am on the road right now so I have not had a chance to review your document. Will do so and then return to this thread.

    =================================================================

    November 30, 2015 at 11:04 PM by David Jondreau

    I have some warnings to give, but am not going to post publicly. I'm trying to send a private message, but it's not going through. I'll try again after posting this...

    Taylor, you've made some changes to the server since this afternoon. That's the first step.

    To answer the original challenge:

    The easiest answer is simply to use ExecuteSQL() in the data viewer. Using one statement to grab the table schema, and another to grab all the values. Even with the custom dialog, the data will show up on hover.

    [image lost: https://community.filemaker.com/servlet/JiveServlet/downloadImage/105-9612-19278/Screen+Shot+2015-11-30+at+1.51.48+PM.png]

    =================================================================

    November 30, 2015 at 11:59 PM by Matt Petrowsky

    Wim Decorte said: “if more people acknowledge that scripting your own security solution introduces more risk potential, not less. Risk can be mitigated but it relies on a very solid understanding of the behaviour of FM on all levels, not just the security level. Every new and changed FM feature behaviour bears the risk of blasting a hole in the ersatz model.”

    Exactly my point in providing the information I did in the PDF link. I look forward to your feedback on it!

    =================================================================

    December 1, 2015 at 12:23 AM by Taylor Sharpe

    David Jondreau wrote: “Taylor, you've made some changes to the server since this afternoon. That's the first step. To answer the original challenge: The easiest answer is simply to use ExecuteSQL() in the data viewer. Using one statement to grab the table schema, and another to grab all the values. Even with the custom dialog, the data will show up on hover.”

    The only change I made was with the easy way you can use a TO in another solution to see data in the original solution if you have the same User ID/password and that had already been provided. So all we did was change the File Access security so you can't add a table from another solution without Full Access.

    David... good example of how ExecuteSQL can be used to view things in the data viewer and it does give you access to schema. That lets you read data, but doesn't let you change it and not sure how this would be used to stop the Persistent ID verification. But clearly that is something that in the security world you don't want done.

    I guess this is why Tim Dietrich's system had an intermediary user ID log in for the Persistent ID verification and that User ID had very limited table access and only to verify the Persistent ID and connect with a User and their Email. You would be in the solution as Wim notes, but not at your normal User ID access level. And upon verification, have a re-login with your normal User credentials. And that would be a better solution.

    Thanks for the thoughtful input.

    =================================================================

    December 1, 2015 at 1:03 AM by David Jondreau

    Hmmm...You've made other changes to your server. Not to that file per se...but I'll save that for a private message.

    Point is I can see all the data that user has access to. I can't change it. But I can easily view any data. And that took less than a minute.

    There are other points about how to change data that I'll put in a private message as well.

    [image: 2FA003.png]

    =================================================================

    December 1, 2015 at 2:51 AM by David Jondreau

    And here's my entry...

    [image: 2FA004.png]

    =================================================================

    December 1, 2015 at 9:06 AM by Taylor Sharpe

    Impressive, David, to see the Persistent ID script hack. I'm more interested in this hack than the File Access one since I already knew about it. But you got through with File Access turned off. Kudos.

    =================================================================

    December 1, 2015 at 9:12 AM by Josh Ormond

    Any time the privilege set allows the user to be able to edit the data, any of the external APIs will allow the user to edit the data.

    Even with this item fixed, the user can still view the data and extract it. The strongest security in FM is FM's own privilege sets. As the conversation with Matt and Wim brings out, there are ways to MOSTLY secure the file. However, one needs to be aware of the risk and then decide through a risk assessment if it's worth it to take on that risk by using an ersatz model.

    It's difficult to claim that an ersatz model "increases" security. Because there are too many variables in a solution to claim that. If it's a workflow you want to include, that's one thing. Touting it as a security model, well, that makes me uneasy.
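The point made across the thread, that a startup script is not an enforcement point while a privilege set is, and Taylor's description above of Tim Dietrich's intermediary low-privilege account, can both be shown in a small model. The Python below is an added illustration written for this republished thread; it is not FileMaker code and not anything the participants posted. The table names, account names, passwords, device IDs and privilege sets are all constructed sample data, and the function names are the editor's own. The "scripted" and "upstream" login functions differ only in where the device check sits relative to the moment a credential with a privilege set comes into existence.

```python
"""Where a second factor is enforced: in a client-side startup script
(the thread's "ersatz" 2FA), at the privilege-set / data layer, or
upstream of credential issuance. Added example; FileMaker terms are
used only as labels, nothing here talks to FileMaker."""

from dataclasses import dataclass

# Constructed sample data (assumption): the hosted file's tables and
# a device whitelist keyed by account.
TABLES = {
    "Patients": [{"name": "A. Example", "ssn": "000-00-0001"},
                 {"name": "B. Example", "ssn": "000-00-0002"}],
    "Devices": [{"account": "josh", "persistent_id": "DEVICE-APPROVED-1"}],
}
# account -> (password, privilege set); constructed values.
ACCOUNTS = {"josh": ("josh-pw", "Data Entry Only"),
            "verify": ("verify-pw", "Verify Only")}

# Privilege sets: the data layer consults these on every access, as
# native FileMaker privilege sets do. Scripts neither widen nor narrow them.
PRIVILEGE_SETS = {
    "Data Entry Only": {"Patients": {"read", "edit"}, "Devices": {"read"}},
    "Verify Only": {"Devices": {"read"}},   # the intermediary account
}


@dataclass
class Session:
    account: str
    privilege_set: str


class Forbidden(Exception):
    pass


def query(session, table):
    """Data-layer read (what a query API or data viewer reaches). Only the
    privilege set decides; whether any script ran is irrelevant here."""
    if "read" not in PRIVILEGE_SETS[session.privilege_set].get(table, set()):
        raise Forbidden(f"{session.account} may not read {table}")
    return list(TABLES[table])


def exposure(session):
    """Tables readable by this session, decided purely by privilege set."""
    return sorted(t for t in TABLES
                  if "read" in PRIVILEGE_SETS[session.privilege_set].get(t, set()))


def device_is_approved(account, device_id):
    return any(d["account"] == account and d["persistent_id"] == device_id
               for d in TABLES["Devices"])


def first_factor(user, password):
    """Native account/password check: returns a Session or None."""
    pw, pset = ACCOUNTS.get(user, (None, None))
    return Session(user, pset) if pw is not None and pw == password else None


def scripted_2fa_open(user, password, device_id, run_startup_script=True):
    """Ersatz 2FA: the device check lives in the file's startup script.
    The session and its privilege set already exist before the script
    runs, and whether the script runs is a client-side matter."""
    session = first_factor(user, password)
    if session is None:
        return None
    if run_startup_script and not device_is_approved(user, device_id):
        return None          # the script "closes the file"
    return session           # script not run: full privilege set, any device


def upstream_2fa_open(user, password, device_id):
    """Upstream 2FA: the device check happens before any data-layer
    credential is issued, so there is no client-side step to skip."""
    if not device_is_approved(user, device_id):
        return None
    return first_factor(user, password)


if __name__ == "__main__":
    s = scripted_2fa_open("josh", "josh-pw", "UNKNOWN", run_startup_script=False)
    print("script skipped, readable tables:", exposure(s))        # both tables
    print("upstream, unapproved device:", upstream_2fa_open("josh", "josh-pw", "UNKNOWN"))
    print("intermediary account sees:", exposure(first_factor("verify", "verify-pw")))
```

The `Verify Only` session shows why the intermediary-account design narrows exposure rather than adding a gate: whatever that account's privilege set grants is exactly what is reachable through a query API before the second step completes, so the design is only as safe as that privilege set. The upstream variant is the thread's recommended shape, since nothing reaches `first_factor` until the device check has passed.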

    =================================================================

    December 1, 2015 at 5:26 PM by Taylor Sharpe

    +1 Josh

    =================================================================

    December 4, 2015 at 12:18 AM by Josh Ormond

    I read a very funny post today. Truth, but funny. http://fmforums.com/topic/98626-password-to-continue-script/#comment-448504

    Here is the part of the post that touched me funny.

    Kris M wrote: “Implementing a security feature using scripts and stored credentials is problematic. It's like whack-a-mole to cover all the potential threat vectors.”

  13. 2015 Women of FileMaker Luncheon

     

    Women of FileMaker Luncheon at DevCon 2015 Las Vegas

     

    The 2015 Women of FileMaker luncheon will be held on Wednesday, July 22nd from noon-2 p.m.  The luncheon will be held in the Nolita Ballroom at the Cosmopolitan Hotel, Las Vegas during DevCon 2015. Please register in advance at the Women of FileMaker website as seating will be limited this year. You may also join the event via our Facebook Group.

    This is a great opportunity to network with other women business owners and developers from around the world. We look forward to seeing you there!


  14. I don't blog much - but I wanted to say I really enjoyed my second visit to dotFMP.com in Berlin a few weeks ago (first week of June). It was a fantastic collection of brilliant talent and very kindred souls, that I have had the pleasure of visiting.

    The start to the conference in Berlin was the oldest beer garden in east Berlin - and well, when in Berlin...

    Was a great way to start a conference.

    Here is an audio recording of an impromptu podcast I did with Egbert (@pixi), the conference organizer.

    It was a fantastic program and I encourage everyone to come next year, June 2-4, 2016. Point your browser to dotfmp.com or follow @dotfmp on Twitter for the latest updates.

  15. We just posted a new update of DayBack with a sweet little enhancement to the Resources tab: you can now change the number of resource columns on the fly. This short movie shows how that works and how to download the update into your copy of the calendar.

    If you’re new to DayBack, learn more [...]

    The post New In-App Update for DayBack Calendar appeared first on SeedCode.


  16. Tim Dietrich and I have been experimenting with FileMaker and the web recently using Custom Web Publishing. One thing led to another. :)

    FMEasyWeb

    Tim’s been working on FMEasyWeb, which makes it crazy easy to put a FileMaker layout on the web. Below you can see what a list layout currently looks like. It generates the layout automatically for list and detail layouts, but detail layouts are just a long column of each field. It works, but it’s not similar to the FileMaker layout. It’s freaking awesome and completely usable for being automatically generated.

    FMEasyWeb with FileMaker Layouts

    We started talking and wished we could get a Custom Web Publishing page to look like a FileMaker layout. So I mentioned that we could get the position and size of just about anything on a FileMaker layout by selecting all the objects on the layout to get the XML representation of the layout.

    So I copied the XML for the FileMaker layout shown below, with no changes to the XML. You can get an idea of what the XML looks like near the bottom of this page. That XML represents the field for the Title below. Just the Title field. If you were to copy all of the objects on the layout, there would be that much XML multiplied by the number of objects. It looks like a total mess, but it’s very organized. You can get the XML using a FileMaker plugin like Clipboard Explorer or the MBS Plugin. If there are other plugins, I’d like to know, so please leave a comment.

    With that XML, I created this web page layout. I looped through each object in the XML and placed it on the layout. There was NO hand coding of anything. Each text object and field was added to the web page in the same position and at the same size. You’ll probably notice that the portal isn’t shown on the web page. That’s next on the list.

    FileMaker Layout

    Just a FileMaker layout.

    Web Page Layout

    This is a web page generated from the XML of the FileMaker layout shown above. NO HAND coding was done. A bit of the XML is shown below.

    FileMaker Layout Field XML

    This is what the xml looks like for the Title Field on layout shown above.

    <?xml version="1.0" encoding="UTF-8"?>
    <fmxmlsnippet type="LayoutObjectList">
    <Layout enclosingRectTop="74.0000000" enclosingRectLeft="20.0000000" enclosingRectBottom="726.0000000" enclosingRectRight="1003.0000000">
    <Object type="Field" key="93" LabelKey="94" flags="0" rotation="0">
    <Bounds top="93.0000000" left="20.0000000" bottom="114.0000000" right="273.0000000"/>
    <FieldObj numOfReps="1" flags="32" inputMode="0" keyboardType="1" displayType="0" quickFind="1" pictFormat="5">
    <Name>Contacts::Title</Name>
    <ExtendedAttributes fontHeight="14" graphicFormat="5">
    <NumFormat flags="2304" charStyle="0" negativeStyle="0" currencySymbol="$" thousandsSep="44" decimalPoint="46" negativeColor="#DD000000" decimalDigits="2" trueString="Yes" falseString="No"/>
    <DateFormat format="0" charStyle="0" monthStyle="0" dayStyle="0" separator="47">
    <DateElement>3</DateElement>
    <DateElement>6</DateElement>
    <DateElement>1</DateElement>
    <DateElement>8</DateElement>
    <DateElementSep index="0"></DateElementSep>
    <DateElementSep index="1">, </DateElementSep>
    <DateElementSep index="2"> </DateElementSep>
    <DateElementSep index="3">, </DateElementSep>
    <DateElementSep index="4"></DateElementSep>
    </DateFormat>
    <TimeFormat flags="143" charStyle="0" hourStyle="0" minsecStyle="1" separator="58" amString=" AM" pmString=" PM" ampmString=""/>
    <CharacterStyle mask="32695">
    <Font-family codeSet="Roman" fontId="9">helvetica neue,sans-serif</Font-family>
    <Font-size>12</Font-size>
    <Face>0</Face>
    <Color>#4D4D4D</Color>
    </CharacterStyle>
    </ExtendedAttributes>
    <Styles>
    <FullCSS>

    self&#10;{&#10;&#09;background-image: none;&#10;&#09;background-position: 0% 0%;&#10;&#09;background-size: auto;&#10;&#09;background-repeat: repeat repeat;&#10;&#09;background-origin: padding-box;&#10;&#09;background-clip: border-box;&#10;&#09;background-color: rgba(99.2157%,98.8235%,94.5098%,1);&#10;&#09;border-top-color: rgba(83.9216%,83.1373%,79.2157%,1);&#10;&#09;border-right-color: rgba(83.9216%,83.1373%,79.2157%,1);&#10;&#09;border-bottom-color: rgba(83.9216%,83.1373%,79.2157%,1);&#10;&#09;border-left-color: rgba(83.9216%,83.1373%,79.2157%,1);&#10;&#09;border-top-style: solid;&#10;&#09;border-right-style: solid;&#10;&#09;border-bottom-style: solid;&#10;&#09;border-left-style: solid;&#10;&#09;border-top-width: 1pt;&#10;&#09;border-right-width: 1pt;&#10;&#09;border-bottom-width: 1pt;&#10;&#09;border-left-width: 1pt;&#10;&#09;border-top-right-radius: 0pt 0pt;&#10;&#09;border-bottom-right-radius: 0pt 0pt;&#10;&#09;border-bottom-left-radius: 0pt 0pt;&#10;&#09;border-top-left-radius: 0pt 0pt;&#10;&#09;border-image-source: none;&#10;&#09;border-image-slice: 100% 100% 100% 100% fill;&#10;&#09;border-image-width: 1 1 1 1;&#10;&#09;border-image-outset: 0 0 0 0;&#10;&#09;border-image-repeat: stretch stretch;&#10;&#09;outline-width: 0pt;&#10;&#09;outline-style: none;&#10;&#09;outline-color: invert;&#10;&#09;outline-offset: 0pt;&#10;&#09;font-family: -fm-font-family(helvetica neue,sans-serif,roman);&#10;&#09;font-weight: normal;&#10;&#09;font-stretch: normal;&#10;&#09;font-style: normal;&#10;&#09;font-variant: normal;&#10;&#09;font-size: 12pt;&#10;&#09;color: rgba(30.1961%,30.1961%,30.1961%,1);&#10;&#09;direction: ltr;&#10;&#09;line-height: 1line;&#10;&#09;block-progression: tb;&#10;&#09;text-align: left;&#10;&#09;text-transform: none;&#10;&#09;text-indent: 0pt;&#10;&#09;display: inline;&#10;&#09;padding-top: 0pt;&#10;&#09;padding-right: 0pt;&#10;&#09;padding-bottom: 0pt;&#10;&#09;padding-left: 0pt;&#10;&#09;margin-top: 0pt;&#10;&#09;margin-right: 
0pt;&#10;&#09;margin-bottom: 0pt;&#10;&#09;margin-left: 0pt;&#10;&#09;width: auto;&#10;&#09;height: auto;&#10;&#09;float: none;&#10;&#09;clear: none;&#10;&#09;overflow-x: visible;&#10;&#09;overflow-y: visible;&#10;&#09;overflow-style: auto;&#10;&#09;visibility: visible;&#10;&#09;top: auto;&#10;&#09;right: auto;&#10;&#09;bottom: auto;&#10;&#09;left: auto;&#10;&#09;position: static;&#10;&#09;box-shadow: none;&#10;&#09;box-sizing: content-box;&#10;&#09;vertical-align: baseline;&#10;&#09;-fm-digit-set: roman;&#10;&#09;-fm-space-before: 0line;&#10;&#09;-fm-space-after: 0line;&#10;&#09;-fm-tab-stops: ;&#10;&#09;-fm-strikethrough: false;&#10;&#09;-fm-underline: none;&#10;&#09;-fm-glyph-variant: ;&#10;&#09;-fm-paragraph-margin-left: 0pt;&#10;&#09;-fm-paragraph-margin-right: 0pt;&#10;&#09;-fm-character-direction: ;&#10;&#09;-fm-tab-top-left-radius: 0 0;&#10;&#09;-fm-tab-top-right-radius: 0 0;&#10;&#09;-fm-use-default-appearance: false;&#10;&#09;-fm-icon: none;&#10;&#09;-fm-icon-color: rgba(0%,0%,0%,1);&#10;&#09;-fm-tab-spacing: 0;&#10;&#09;-fm-override-with-classic: false;&#10;&#09;-fm-table-background-color: rgba(0%,0%,0%,0);&#10;&#09;-fm-baseline-shift: 0pt;&#10;&#09;-fm-fill-effect: 0;&#10;&#09;-fm-highlight-color: rgba(0%,0%,0%,0);&#10;&#09;-fm-text-vertical-align: top;&#10;&#09;-fm-tategaki: false;&#10;&#09;-fm-rotation: 0;&#10;&#09;-fm-borders-between-reps: false;&#10;&#09;-fm-borders-baseline: false;&#10;&#09;-fm-texty-field: false;&#10;&#09;-fm-box-shadow-persist: none;&#10;}&#10;self:focus&#10;{&#10;&#09;box-shadow: 0pt 0pt 2pt 1pt rgba(0%,43.9216%,81.1765%,1);&#10;}&#10;self .inner_border&#10;{&#10;&#09;background-image: none;&#10;&#09;background-position: 0% 0%;&#10;&#09;background-size: auto;&#10;&#09;background-repeat: repeat repeat;&#10;&#09;background-origin: padding-box;&#10;&#09;background-clip: border-box;&#10;&#09;background-color: rgba(0%,0%,0%,0);&#10;&#09;border-top-color: rgba(0%,0%,0%,0);&#10;&#09;border-right-color: 
rgba(0%,0%,0%,0);&#10;&#09;border-bottom-color: rgba(0%,0%,0%,0);&#10;&#09;border-left-color: rgba(0%,0%,0%,0);&#10;&#09;border-top-style: none;&#10;&#09;border-right-style: none;&#10;&#09;border-bottom-style: none;&#10;&#09;border-left-style: none;&#10;&#09;border-top-width: 0pt;&#10;&#09;border-right-width: 0pt;&#10;&#09;border-bottom-width: 0pt;&#10;&#09;border-left-width: 0pt;&#10;&#09;border-top-right-radius: 0pt 0pt;&#10;&#09;border-bottom-right-radius: 0pt 0pt;&#10;&#09;border-bottom-left-radius: 0pt 0pt;&#10;&#09;border-top-left-radius: 0pt 0pt;&#10;&#09;border-image-source: none;&#10;&#09;border-image-slice: 100% 100% 100% 100% fill;&#10;&#09;border-image-width: 1 1 1 1;&#10;&#09;border-image-outset: 0 0 0 0;&#10;&#09;border-image-repeat: stretch stretch;&#10;&#09;outline-width: 0pt;&#10;&#09;outline-style: none;&#10;&#09;outline-color: invert;&#10;&#09;outline-offset: 0pt;&#10;&#09;font-family: -fm-font-family(Helvetica,roman);&#10;&#09;font-weight: normal;&#10;&#09;font-stretch: normal;&#10;&#09;font-style: normal;&#10;&#09;font-variant: normal;&#10;&#09;font-size: 12pt;&#10;&#09;color: rgba(0%,0%,0%,1);&#10;&#09;direction: ltr;&#10;&#09;line-height: 1line;&#10;&#09;block-progression: tb;&#10;&#09;text-align: left;&#10;&#09;text-transform: none;&#10;&#09;text-indent: 0pt;&#10;&#09;display: inline;&#10;&#09;padding-top: 0pt;&#10;&#09;padding-right: 0pt;&#10;&#09;padding-bottom: 0pt;&#10;&#09;padding-left: 0pt;&#10;&#09;margin-top: 0pt;&#10;&#09;margin-right: 0pt;&#10;&#09;margin-bottom: 0pt;&#10;&#09;margin-left: 0pt;&#10;&#09;width: auto;&#10;&#09;height: auto;&#10;&#09;float: none;&#10;&#09;clear: none;&#10;&#09;overflow-x: visible;&#10;&#09;overflow-y: visible;&#10;&#09;overflow-style: auto;&#10;&#09;visibility: visible;&#10;&#09;top: auto;&#10;&#09;right: auto;&#10;&#09;bottom: auto;&#10;&#09;left: auto;&#10;&#09;position: static;&#10;&#09;box-shadow: none;&#10;&#09;box-sizing: content-box;&#10;&#09;vertical-align: baseline;&#10;&#09;-fm-digit-set: 
roman;&#10;&#09;-fm-space-before: 0line;&#10;&#09;-fm-space-after: 0line;&#10;&#09;-fm-tab-stops: ;&#10;&#09;-fm-strikethrough: false;&#10;&#09;-fm-underline: none;&#10;&#09;-fm-glyph-variant: ;&#10;&#09;-fm-paragraph-margin-left: 0pt;&#10;&#09;-fm-paragraph-margin-right: 0pt;&#10;&#09;-fm-character-direction: ;&#10;&#09;-fm-tab-top-left-radius: 0 0;&#10;&#09;-fm-tab-top-right-radius: 0 0;&#10;&#09;-fm-use-default-appearance: false;&#10;&#09;-fm-icon: none;&#10;&#09;-fm-icon-color: rgba(0%,0%,0%,1);&#10;&#09;-fm-tab-spacing: 0;&#10;&#09;-fm-override-with-classic: false;&#10;&#09;-fm-table-background-color: rgba(0%,0%,0%,0);&#10;&#09;-fm-baseline-shift: 0pt;&#10;&#09;-fm-fill-effect: 0;&#10;&#09;-fm-highlight-color: rgba(0%,0%,0%,0);&#10;&#09;-fm-text-vertical-align: top;&#10;&#09;-fm-tategaki: false;&#10;&#09;-fm-rotation: 0;&#10;&#09;-fm-borders-between-reps: false;&#10;&#09;-fm-borders-baseline: false;&#10;&#09;-fm-texty-field: false;&#10;&#09;-fm-box-shadow-persist: none;&#10;}&#10;self:droptarget .inner_border&#10;{&#10;&#09;box-shadow: inset 0pt 0pt 2pt 1pt rgba(0%,43.9216%,81.1765%,1);&#10;}&#10;self .text&#10;{&#10;&#09;margin-top: 0.25em;&#10;&#09;margin-right: 0.5em;&#10;&#09;margin-bottom: 0.17em;&#10;&#09;margin-left: 0.5em;&#10;&#09;height: auto;&#10;&#09;top: 0pt;&#10;&#09;right: 0pt;&#10;&#09;bottom: 0pt;&#10;&#09;left: 0pt;&#10;&#09;position: absolute;&#10;&#09;box-sizing: border-box;&#10;}&#10;self .baseline&#10;{&#10;&#09;border-bottom-width: 1pt;&#10;}&#10;</FullCSS>

    <ThemeName>com.filemaker.theme.tranquil</ThemeName></Styles>
    <DDRInfo>
    <Field name="Title" id="2" repetition="1" maxRepetition="1" table="Contacts"/>
    </DDRInfo>
    </FieldObj>
    </Object></Layout></fmxmlsnippet>
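
    The loop the post describes, written out as an added example in Python (it is not Tim's or the post's own code): it parses a cut-down LayoutObjectList snippet (constructed, using the Title field's Bounds from above plus one invented second field), reads each object's Bounds, and emits absolutely positioned HTML. Every field name and record value that lands in the page is HTML-escaped, so nothing copied out of a layout or a record can inject markup into the generated page.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed-down fmxmlsnippet (LayoutObjectList) with two
# Field objects. The first object's coordinates match the Title field above;
# the second object is invented for the example.
SAMPLE_SNIPPET = """<?xml version="1.0" encoding="UTF-8"?>
<fmxmlsnippet type="LayoutObjectList">
<Layout enclosingRectTop="74.0000000" enclosingRectLeft="20.0000000" enclosingRectBottom="726.0000000" enclosingRectRight="1003.0000000">
<Object type="Field" key="93" LabelKey="94" flags="0" rotation="0">
<Bounds top="93.0000000" left="20.0000000" bottom="114.0000000" right="273.0000000"/>
<FieldObj numOfReps="1" flags="32">
<Name>Contacts::Title</Name>
<DDRInfo><Field name="Title" id="2" repetition="1" maxRepetition="1" table="Contacts"/></DDRInfo>
</FieldObj>
</Object>
<Object type="Field" key="95" LabelKey="96" flags="0" rotation="0">
<Bounds top="120.0000000" left="20.0000000" bottom="141.0000000" right="273.0000000"/>
<FieldObj numOfReps="1" flags="32">
<Name>Contacts::Company &amp; Division</Name>
<DDRInfo><Field name="Company &amp; Division" id="7" repetition="1" maxRepetition="1" table="Contacts"/></DDRInfo>
</FieldObj>
</Object>
</Layout>
</fmxmlsnippet>
"""


def parse_layout_objects(snippet_xml: str) -> list:
    """Return one dict per <Object>: type, key, pixel box and field name.

    Bounds stay in FileMaker's layout coordinates (top/left are absolute);
    width and height are derived from the right/bottom edges."""
    root = ET.fromstring(snippet_xml.encode("utf-8"))
    # Refuse anything that is not a layout-object snippet: other clipboard
    # snippets share the fmxmlsnippet wrapper but carry a different type.
    if root.tag != "fmxmlsnippet" or root.get("type") != "LayoutObjectList":
        raise ValueError("expected an fmxmlsnippet of type LayoutObjectList")
    layout = root.find("Layout")
    if layout is None:
        raise ValueError("snippet has no <Layout> element")

    objects = []
    for obj in layout.iter("Object"):
        bounds = obj.find("Bounds")
        if bounds is None:
            continue  # an object without a box cannot be placed
        top = float(bounds.get("top"))
        left = float(bounds.get("left"))
        bottom = float(bounds.get("bottom"))
        right = float(bounds.get("right"))
        name_el = obj.find("FieldObj/Name")
        objects.append({
            "type": obj.get("type", "Unknown"),
            "key": obj.get("key"),
            "top": round(top),
            "left": round(left),
            "width": round(right - left),
            "height": round(bottom - top),
            "name": name_el.text if name_el is not None else None,
        })
    return objects


def render_html(objects: list, values: dict = None) -> str:
    """Emit one absolutely positioned <div> per layout object.

    `values` maps a field name such as "Contacts::Title" to the record value
    to display. Everything taken from the snippet or the record is escaped."""
    values = values or {}
    parts = []
    for o in objects:
        # The style string is built only from ints computed above, so it
        # cannot carry untrusted text.
        style = (f"position:absolute;top:{o['top']}px;left:{o['left']}px;"
                 f"width:{o['width']}px;height:{o['height']}px")
        css_class = "fm-" + html.escape(o["type"].lower(), quote=True)
        label = html.escape(o["name"] or o["type"], quote=True)
        text = html.escape(values.get(o["name"], "")) if o["name"] else ""
        parts.append(
            f'<div class="{css_class}" style="{style}" title="{label}">{text}</div>'
        )
    return "\n".join(parts)


if __name__ == "__main__":
    objs = parse_layout_objects(SAMPLE_SNIPPET)
    print(render_html(objs, {"Contacts::Title": "R&D <lead>"}))
```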




  17. World's Most Popular FREE FileMaker Solution Gets Major Update!

    FM Starting Point 4.2 available today, now has full integrated support for barcode printing and scanning.   From searching for Contacts via barcode to adding line items to Invoices and Estimates, FMSP has you covered.

    We have partnered up with Geist Interactive (developer of Barcode Creator) to make this a reality. Currently, you can scan any barcode into FMSP and do a search or add line items but with Barcode Creator you have the power to generate and print barcodes on Invoices, Products, Labels, etc.

    While FMSP continues to be free and offers barcode scanning, users who want to create and print their own barcodes will want to make a one-time purchase of Todd Geist’s award-winning barcode-creating software for $199. This is of course optional, but FMSP is wired and ready to accept the Barcode Creator software as soon as you purchase it. A short video is available to show you how to install it.

    We are excited to release this useful tool for your business needs. You can download FM Starting Point here (www.fmstartingpoint.com) for free. Please contact us with any questions you may have.

    RCC Development Team

    www.rcconsulting.com


  18. On 3 December 2013, in Santa Clara, California, FileMaker Inc. unveiled the next-generation platform for business productivity: FileMaker 13. The new software makes it even faster and easier than ever for teams to create gorgeous, tailored business solutions for iPad, iPhone, Windows, Mac and the web that deliver significant productivity gains. This is a superb version of FileMaker, the best to date, and it includes more than 50 additional features.

    - New design features make it faster and easier to consistently create great-looking databases.

    - New features for iOS make it faster to create solutions and easier to enter data on iPad and iPhone.

    - New development features help you create more useful solutions more efficiently than ever.

    - New security features make your organization's data more secure.

    - Faster database operation.

    - Support for inserting multimedia such as sound and video into container fields.

    The many additional features are described below, section by section:

    DESIGNING FEATURES

    • Advanced Layout Management

    Layout design enhancements: a redesigned New Layout/Report assistant. Create layouts and reports that are optimized for the devices they'll be used on, with predefined screen dimensions, views, and themes for viewing on computer, iPhone, and iPad screens, or for printing in a variety of formats.

    Undo/Redo Changes: Undo and redo changes to layouts even after you've saved the layout or previewed the layout in Browse mode.

    - Page Breaks Control: Show or hide page breaks in Layout mode.

    Theme

    Enhanced options for managing styles and themes – Apply formatting styles to layout objects, parts, and backgrounds to promote a consistent look throughout your solutions. To manage themes, FileMaker 13 provides options to create new themes, import themes from other files, and save themes.

    • Advanced Layout Objects

    FileMaker 13 adds two advanced layout objects: popovers and slide controls.

    Popover: Create popovers to work with fields and other objects without having to move to another layout or window. To learn more about popovers, see the following video:

    http://www.youtube.com/watch?v=I4_Om6T8eOw&feature=youtu.be

    Slide Control: Create multi-panel slide controls to group objects in separate slide panels. To learn more about slide controls, see the following video:

    http://www.youtube.com/watch?v=zwCq---9oZA&feature=youtu.be

    • Object Styling

    FileMaker 13 adds many features for styling layout objects:

    Control object visibility: Hide or show layout objects by indicating whether an object is hidden or displayed depending on a specific condition or calculation.

    Field Picker: Using the Field Picker dialog box drag the fields to the layout.

    Object type selection: Use the drop-down list in the Appearance tab of the Inspector to select and style objects with multiple parts (such as portals or slide controls).

    Shadows and padding: Apply shadows and padding to objects in the new Advanced Graphic area of the Inspector.

    Improved object moving and resizing: duplicating objects with “snap-to”, resizing multiple objects, dynamic guides, etc.

    Dynamic tab names: a tab's name can be supplied by a calculation.

    BUILT-IN FUNCTIONS

    New Functions: FileMaker 13 adds many new built-in functions, including the following:

    Base64Decode

    Base64Encode

    Get(ConnectionAttributes)

    GetContainerAttribute

    Get(CurrentTimeUTCMilliseconds)

    Get(Device)

    Get(EncryptionState)

    Get(NetworkType)

    Get(ScriptAnimationState)

    Get(TriggerGestureInfo)

    Get(WindowOrientation)

    Changed Functions: A few existing functions have been modified in FileMaker 13:

    GetLayoutObjectAttribute(): the "isFrontTabPanel" attribute is renamed "isFrontPanel", and a new attribute "isObjectHidden" is added.

    Get( TriggerCurrentTabPanel ) changed to Get( TriggerCurrentPanel )

    Get( TriggerTargetTabPanel ) changed to Get(TriggerTargetPanel)

    SCRIPTING

    The script editor has several enhancements in FileMaker 13, including a new option to check a script's compatibility with the Macintosh and Windows platforms.

    A few script steps have been enhanced for better usability:

    - Improvement to 'Show Custom Dialog': You can create a button label based on a calculation.

    - Execute SQL script step compatibility: Compatible with FileMaker Server, WebDirect and CWP

    • New script steps

    A few new script steps have been added in FileMaker 13:

    Insert From Device

    Open Manage Themes

    Perform Script On Server

    Refresh Object

    Set Script Animation

    Upload To FileMaker Server

    • Script triggers

    A few new script triggers have been added:

    OnGestureTap – Triggers a script to run when a tap gesture is received on a layout in FileMaker Go.

    OnLayoutSizeChange – Triggers a script to run after a layout or window has changed size as a result of the following:

    In FileMaker Go: Rotating the iOS device, hiding or showing the status toolbar, or when a window is first opened.

    OR In FileMaker Pro and FileMaker WebDirect: Changing the size of a layout or window by user interaction, by script step, by hiding or showing the status toolbar or formatting bar via menu command, shortcut, or script step, or when a window is first opened.

    One script trigger has been renamed:

    OnTabSwitch is now OnPanelSwitch.

    DATABASE SHARING/HOSTING

    There are two ways to host FileMaker database files: uploading them to FileMaker Server, and WebDirect, which is a new and prominent feature in FileMaker 13.

    • WebDirect

    Using FileMaker WebDirect technology, users can access layouts from FileMaker Pro databases in a web browser.

    With FileMaker WebDirect, you don’t need to use coding tools such as PHP, HTML5, CSS or JavaScript to create robust solutions for the web. For FileMaker WebDirect, files must be hosted by FileMaker Server. This provides users with:

    - Desktop style interaction: Use themes, styles, charts, menus, and more. Even drag and drop files into container fields.

    - Live updates: Get instant access to changes in your data or solution, with no need to refresh your browser.

    - Automated processes: Enable scripts, calculations and conditional formatting to validate data and streamline work flow.

    If the IP of the hosted FileMaker server is 192.168.14.123 then the URL to open the WebDirect on browser will be: https://192.168.14.123/fmi/webd

    SECURITY ENHANCEMENT

    A Database Encryption feature has been included in FileMaker 13 to encrypt database files and protect them from unauthorized access while they are stored on disk, by requiring all database clients to open encrypted database files with an encryption password.

    You can encrypt database files by using the Database Encryption feature of FileMaker Pro Advanced. Encryption protects FileMaker database files from unauthorized access while the files are being stored on disk. Temporary files that are created by encrypted files are also encrypted. You create an encryption password for the file, which protects the data if the file is copied or stolen. Users who do not enter the encryption password are not allowed access to the file. Encrypted files can be decrypted as needed.

    Features not available in FileMaker 13

    - Instant Web Publishing (IWP): FileMaker Pro no longer hosts database files via Instant Web Publishing.

    - Exporting and saving records in Excel .xls format – FileMaker 13 no longer supports exporting or saving records in Excel 95-2004 Workbook (.xls) format.

    - Support for recording sound into container fields – Menu commands that support recording sound into container fields have been removed from FileMaker Pro 13.

    To view the PPT presentation of this topic visit following link:

    http://www.slideshare.net/MindfireSolutions/addon-features-filemaker-13

    With best regards,

    Manjit

  19. 1) To create an iOS-friendly layout for FileMaker Go, the best practice is to minimize the amount of horizontal and vertical scrolling required to interact with your layout. To achieve this, make a single layout for iPhone of size 320W x 255H and for iPad of size 768W x 673H (instead of making two layouts, one for landscape and one for portrait), with proper anchor locks so that it stretches correctly to fit both landscape and portrait views.

    2) We also need to set proper anchor locks for the objects (fields, graphics, web viewers, etc.) placed on the layout, so that objects that display correctly in one orientation do not overlap each other in the other. The other benefit of this layout size is that we will not have to scroll in either direction to view all of the objects.

    3) Sometimes we need to make the layout big enough to hold all the objects. In this case we have to design the layout smartly: we can use the side-a-block method to make the layout work both horizontally and vertically, or use tabs to group related objects on tab panels, thus limiting the layout to the size above. See the link below for a better idea of the side-a-block method:

    http://www.infografix.biz/?p=188

    4) Locking the zoom level is helpful on a list view to prevent horizontal scrolling, and can be done with the “Set Zoom Level [Lock; 100%]” step in the navigation script for the layout. However, a possibly better practice is to leave the zoom level to the user rather than setting it by script.

    5) Make sure the size of buttons and the space between them are adequate, so that users don’t accidentally tap the button next to the one they intended.

    6) Make sure the text is large enough to interact with the database from the iPhone and iPad.

    7) Don’t forget to make your list views 4pt narrower so as to accommodate the indicator for the active record. Some other factors to take into consideration while designing the layout are:

    FMGO ITEM INFORMATION

    Toolbar 44 points high in Portrait mode on the iPhone / iPad

    Toolbar 44 points high in Landscape mode on the iPad

    Toolbar 34 points high in Landscape mode on the iPhone

    Status Bar 20 points high in Portrait mode on the iPhone / iPad

    Status Bar 20 points high in Landscape on the iPad

    8) Sometimes the field height clips the descenders of characters such as “g” and “p” on iPad and iPhone; take care of this by increasing the field height or choosing the correct top, middle or bottom alignment for that field.

    9) “Allow User Abort [Off]” should be set appropriately for the application, so that users cannot interrupt scripts by double-tapping a scripted UI element. Otherwise users can unintentionally stop scripts from executing, potentially interrupting data processing scripts and introducing data corruption.

    10) Use small images or native FileMaker content to make navigation between layouts faster. We can even use the hidden tab control technique to hide objects that add to a layout's loading time, and show them with the click of a button when the user wants them. See the link below for a better idea of this:

    http://www.teamdf.com/weetbicks/tab-controls-overlay-menus-revealing-filemaker12/151/

    11) Use a web viewer instead of a field to make content non-editable and scrollable in FileMaker Go. See the link below for a better idea of this:

    http://www.supportgroup.com/explore/using-the-web-viewer-as-a-field-in-filemaker-go/

    12) Finally it is always the best practice to test the layout for each aspect on the iPad and iPhone itself while doing the design.

    Surya Kanta Mekap

    Software Developer, Mindfire Solutions, India

    http://www.mindfiresolutions.com

    email:suryam@mindfiresolutions.com

    Skype: mfsi_suryam

  20. One apparent limitation of using ExecuteSQL() in the separation model is that you can’t use unrelated tables in a field definition. So you’d need to relate all your tables to one another.

    I just discovered that you can bypass that limitation simply by wrapping your statement in a Let() and declaring a variable that wraps a field in the GetFieldName() function.

    So the expression:
    Let( field = unrelated::table ; field )
    returns an error.

    However,
    Let( gfn = GetFieldName ( unrelated::table ) ; field = unrelated::table ; field )
    does not.

    It doesn’t even have to be a field from an unrelated table. Interesting and hopefully helpful.



  21. How I got a list with data from MySQL in less than 1 second with a SQL VIEW - from an awful 20-25 seconds when going through relationships between multiple tables from the MySQL database.

    My Filemaker solution is integrated with a MySQL database that has been highly normalized for different reasons.

    This means that a simple list with 4 different fields can easily contain info from 4 different tables, where a couple of the relationships might span 3 tables. This made the performance in FM really awful. In my case, this easily meant 20-25 seconds to pull out a list of 50-60 records from a total of 3000 records in the parental table.

    Not really acceptable, and I had to find a solution to it.

    These were the solutions I considered:

    1. Update a shadow table in FileMaker each time the list was to be made, and perform the find on the shadow table. The shadow table would mainly contain the info the list needed, pulled from all the different MySQL tables.

    But I wasn't sure about the performance, and I was afraid of not managing to get it implemented in all the scripts' different places.

    2. Make an Execute SQL query, parse the data and add it to the correct fields with loops, but this meant a lot of scripting in different places, and it got really complicated getting the right info into the right fields each time.

    3. I also considered making some new relationships in FM, in the Anchor-Buoy style, but cluttering up my relationship graph with even more things (it already contains more than 60 unique tables + some "duplicate" TOs), and probably only gaining a little bit performance-wise, really didn't seem too tempting.

    4. Then I read about MySQL views. A view can be looked upon as a saved SQL query, making it easy to get info from different tables into one view, filtered and sorted. I suppose it can also be likened a bit to a FM layout with a search and sort performed on entering the layout.

    In the MySQL community, these views seem to be frowned upon, and performance can apparently be really awful if a view is based on another view.

    But for Filemaker, MySQL views mean that the processing is already being taken care of in the MySQL server, so that FM does not have to get all the info from all the external tables, process through a bunch of relationships and then spit out the wanted result.

    (Without really knowing how FM communicates with SQL databases, that means that views might also be a good idea to use if you only use a few fields in a table, especially if the table also contains big comment fields or the like. But I haven't really checked it out).

    In my case, where all I needed was 4 fields from 4 different tables, but actually spanning a total of 6 tables (two intermediary tables as well), making a SQL VIEW seemed promising.

    First, I needed to go into Manage External Data Sources, Edit Data Source, and check Filter by types "Views" by the bottom.

    This means that views will be listed in the same way as a table from the SQL database.

    In FileMaker, I have made myself an sSQL table, where each new record has a field for a SQL statement with a comment field, a name field and an Execute OK timestamp field attached. Plus buttons for the Execute SQL script and duplicate record on the layout.

    (And a second SQL statement field, result field and Execute button for SELECTing the result, or SELECT count(t.uniqueField) FROM viewName, to easily see the result).

    This way, I could fiddle around with different VIEW statements until I got it right.

    The main statement is

    CREATE VIEW viewName AS

    SELECT

    ...

    (And ALTER VIEW to make changes to the same view.)

    The main thing to know is that a view does not have any indexes itself. In native FileMaker tables, each record has a hidden unique key. In external ones, FileMaker thus needs you to specify a field, or a combination of fields, that will contain unique values for each record.

    In my case, the following statement worked:

    SELECT

    ....

    FROM tableWithUniqueRecords t

    LEFT JOIN ... AND language_ID=y

    While a WHERE clause did not do the trick, returning a different number of records:

    LEFT JOIN ...

    WHERE language_ID=y

    There are many different JOINs, so make sure you get the right one for your solution.

    In my database, there were some orphans here and there, both from my early stages of making a FM interface, and from another program we had bought, that had contained some faulty SQL statements.

    I thus had to spend quite a lot of time washing my data, but that was probably needed anyways.

    For one of my views, I only needed to get one result from the child table. Just like when it might sometimes be OK to put a field from a child table on a parent layout instead of inside a portal, only showing one of the children.

    For the views where this is necessary, all you have to do is to add the following statement to the bottom of the SQL statement:

    GROUP BY t.unique_id

    Then you ensure that the view will only have unique parent records.

    I am sure many real developers already know about this, and hopefully have some more information on it.

    But I didn't really find anything, and it just saved me so incredibly much development time.

    Plus whooped my performance:

    Finding a list with 50-60 records (from a total of about 3000 parental records) in the old way, took a whopping 20-25 seconds.

    Changing the layout source and the fields on the layout to reflect the new ViewName table occurrence took me about 1 minute to change. Finding the list with 50-60 records now takes less than 1 second - or only 1/20 the time it used to!!!

    So the performance in my solution really skyrocketed with the addition of a few views to the SQL database.

    I would be really interested in getting some performance info on different types of views from real developers with big test databases and testing kits, but my main reason for writing this post, is to hopefully help someone else struggling with the same problems that I did.
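    The two behaviours the post relies on, a LEFT JOIN whose filter sits in the ON clause versus in WHERE, and GROUP BY on the parent's unique key to get one row per parent, as an added worked example that is not part of the original post. It uses Python's built-in sqlite3 module with constructed parent/child tables instead of the author's SQL database and FileMaker file; the table, column and view names (parent, child, language_id, v_on, v_where, v_grouped) are assumptions.

```python
import sqlite3

# Language the views are filtered on (the post's "language_ID=y"). A view
# definition cannot take a bound parameter, so the value is cast to int
# before being inlined into the CREATE VIEW text.
LANGUAGE_ID = 1

# Constructed sample data, not the author's database. Parent 3 has no child
# row at all, and parent 2 has two children in the same language: these are
# the cases where ON-vs-WHERE filtering and GROUP BY change the row count.
PARENTS = [(1, "alpha"), (2, "beta"), (3, "gamma")]
CHILDREN = [
    # (id, parent_id, language_id, label)
    (10, 1, 1, "alpha-en"),
    (11, 1, 2, "alpha-de"),
    (12, 2, 1, "beta-en"),
    (13, 2, 1, "beta-en-2"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with the two tables and three views."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE parent (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE child  (id INTEGER PRIMARY KEY, parent_id INTEGER NOT NULL,
                             language_id INTEGER NOT NULL, label TEXT NOT NULL);
    """)
    conn.executemany("INSERT INTO parent VALUES (?, ?)", PARENTS)
    conn.executemany("INSERT INTO child VALUES (?, ?, ?, ?)", CHILDREN)
    lang = int(LANGUAGE_ID)

    # 1. Filter inside the ON clause: every parent survives; parents without a
    #    matching child get NULL in the child columns.
    conn.execute(f"""
        CREATE VIEW v_on AS
        SELECT t.id AS unique_id, t.name, c.label
        FROM parent t
        LEFT JOIN child c ON c.parent_id = t.id AND c.language_id = {lang}
    """)
    # 2. Same join, language filter in WHERE: the NULLs produced by the LEFT
    #    JOIN fail the comparison, so parents with no child in that language
    #    drop out and the view has a different (smaller) number of rows.
    conn.execute(f"""
        CREATE VIEW v_where AS
        SELECT t.id AS unique_id, t.name, c.label
        FROM parent t
        LEFT JOIN child c ON c.parent_id = t.id
        WHERE c.language_id = {lang}
    """)
    # 3. One row per parent: GROUP BY the parent's unique key. MIN() makes the
    #    chosen child deterministic; a bare column (as in a plain GROUP BY on
    #    MySQL) leaves that choice to the engine.
    conn.execute(f"""
        CREATE VIEW v_grouped AS
        SELECT t.id AS unique_id, t.name, MIN(c.label) AS label
        FROM parent t
        LEFT JOIN child c ON c.parent_id = t.id AND c.language_id = {lang}
        GROUP BY t.id
    """)
    return conn


VIEWS = ("v_on", "v_where", "v_grouped")


def view_rows(conn: sqlite3.Connection, view: str) -> list:
    """Rows of one view, ordered so results are stable across runs."""
    if view not in VIEWS:                       # view names are fixed, never user input
        raise ValueError(f"unknown view {view!r}")
    return conn.execute(
        f"SELECT unique_id, name, label FROM {view} ORDER BY unique_id, label"
    ).fetchall()


def row_counts() -> dict:
    """Row count of each view on the sample data."""
    conn = build_db()
    try:
        return {v: len(view_rows(conn, v)) for v in VIEWS}
    finally:
        conn.close()


def has_unique_parent_ids(conn: sqlite3.Connection, view: str) -> bool:
    """True if unique_id is unique per row, i.e. usable as the ESS key field."""
    ids = [r[0] for r in view_rows(conn, view)]
    return len(ids) == len(set(ids))


if __name__ == "__main__":
    c = build_db()
    for v in VIEWS:
        print(v, view_rows(c, v), "unique key:", has_unique_parent_ids(c, v))
```

    Running it prints the three views side by side: v_on keeps all three parents but repeats parent 2, v_where silently loses parent 3, and only v_grouped has one row per parent, which is what the unique-key field FileMaker asks for on an external table requires. A side effect worth keeping in mind is that the view also limits what the external data source connection can read to exactly the columns it lists.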

  22. We're seeking help from you, the FileMaker community, to bring our FileMaker Go solution, GoBillit, to market. You can support us on Indiegogo at http://www.indiegogo.com/gobillit! Every contribution is greatly appreciated.

    We've also created a group on LinkedIn for FileMaker Go developers to come together, learn from each other, and work towards better mobile solutions. Check it out at http://www.linkedin.com/groups/Filemaker-Go-12-4575157?trk=myg_ugrp_ovr. Feel free to join!

  23. FileMaker 12 and SuperContainer: A comparison

    Of all of the new features in the recently released FileMaker 12, one of the most significant is the inclusion of enhanced container fields with managed storage. These enhanced container fields offer users a simple solution to store container assets outside of the database file in order to avoid increasing the size of the database file itself.

    Solving this issue was the driving force behind the development of 360Works' SuperContainer, a server application that leverages FileMaker's Web Viewer to manage digital assets from your FileMaker interface.

    In this article we'll compare the unique features of both FileMaker Enhanced Container Fields and SuperContainer so that you can make an informed decision for your solution.

    FileMaker and SuperContainer BOTH offer

    Small file sizes- Both FM 12 and SuperContainer allow you to manage assets without increasing the size of your FileMaker file. This ensures that your file is still fast, clean, and portable.

    Thumbnail generation- Both FileMaker 12 and SuperContainer can generate network-efficient thumbnails. This means that for image files, the container fields will generate a thumbnail of the image, while interactive files, like .mp3 or .mov, have the option of immediate streaming playback. This can help to optimize database speed as the images and files are progressively streamed to users from the server, rather than waiting for the entire file to download. Note that when using SSL encryption, only SuperContainer supports streaming - FileMaker Server does not. Also note that for thumbnail generation of PDF files, SuperContainer must be deployed on a Mac OS X server.

    Interactive content- Both FileMaker 12 and SuperContainer can store static and interactive media, allowing you to read through the pages of a PDF document, playback audio or video files, or view thumbnails of image files - all from within the container field.

    Easily move, copy, or upload existing files- Both FileMaker 12 and SuperContainer allow users to easily manage their assets, giving the ability to move files to new directories, copy files to new locations, and easily upload existing container field contents.

    User interface control- FileMaker 12 and SuperContainer both give you control over the look and feel of your layout objects, including displaying titles, metadata, playback functions, upload, download, or delete functions, and thumbnail size.

    Drag and drop- FileMaker 12 and SuperContainer both allow users to drag and drop files into fields.

    FileMaker 12 Unique Features

    Encrypted File Storage- FileMaker's enhanced containers offer enhanced security settings for assets stored externally using the Secure Storage option. This encrypts files (AES-128) to be readable only by FileMaker Pro and distributes the files across numerous subdirectories within your base directory. SuperContainer only offers encryption during transfer, not in a stored state.

    Upload from FileMaker Go- While both FileMaker 12 and SuperContainer work well for read-only mode in FileMaker Go, only FileMaker 12 container fields support uploading from the camera or photo library in FileMaker Go.

    Single user support- FileMaker 12 runs well in single user mode. SuperContainer requires the application to be installed and running on a server computer.

    SuperContainer Unique Features

    Store files anywhere- SuperContainer allows you to easily set a base directory where your files will be stored. This can be located anywhere on the computer where SuperContainer is running, or even on a network storage volume. FileMaker Server 12 always stores files inside the FileMaker Server data directory (FileMaker Pro, not running in Server, allows you to set any base directory).

    Deploy on any computer- SuperContainer can be deployed either on the same computer as FileMaker Server, or on a separate dedicated storage server. With FileMaker 12, all files must be stored on the same computer as FileMaker Server.

    Web File Uploads- SuperContainer allows users to easily upload files from their web browser, either by clicking an 'upload' button or by dragging and dropping files into their web browser. FileMaker 12 container fields are read-only on the web.

    Encryption during transmission- SuperContainer offers SSL encryption when transferring files. FileMaker can optionally SSL encrypt while transferring files, but that requires all database content to also be SSL encrypted, and causes streaming support to be disabled.

    Browser access- SuperContainer supports access to content from the web, independent of FileMaker web publishing. Since SuperContainer paths are just URLs, users can easily view assets in a web browser, and it is easy to use them in any web site. SuperContainer URLs can also be emailed and transferred separately from FileMaker record data.

    PHP or Java compatibility- Only SuperContainer offers PHP and Java APIs for easy integration with non-FileMaker systems.

    Compatible with legacy systems- SuperContainer is compatible with FileMaker 8.5 - 11. Meanwhile, enhanced containers are only available in FileMaker 12, and advanced features like streaming audio and video files require FileMaker Server 12.

    SuperContainer is available for purchase at 360works.com/supercontainer. The Workgroup License ($195) includes a single server deployment for up to 10 users, while the Enterprise License ($695) allows a single server deployment and unlimited users plus support for FileMaker Server scheduled scripts and web publishing.

    About 360Works

    Located in metro Atlanta, 360Works, a FileMaker Platinum Business Alliance member, has been providing FileMaker-based solutions for 15 years. The company is a leading developer of both shrink-wrapped and custom database design solutions for clients such as NASA, Pixar, US Marines, Make-A-Wish foundation and others. The company is credited for its forward-thinking solutions, dedication and unparalleled client service.

    The Staff, 360Works

    plugins@360Works.com

    (866) 662-9185

  24. Last September I wrote an article about a custom function that I optimized to evaluate hundreds of times faster. At the end of the article, I challenged my readers and myself by claiming that the already optimized custom function can be optimized even further. Do you remember?

    Later on I actually really optimized it again, and talked about this optimization during my session at Pause On Error [x] London 2011. Now you can watch the video of this part of my session below:

    Read more and download my updated sample file at honza.24uSoftware.com.

  25. Throughout the process of developing a solution, testing each aspect of your file is vital. For me, the problem I always used to run into, was generating enough sample data to properly test my scripts, calculations and performance. Well, that was until I found Fake Name Generator.
