Two problems: open/close and securing web portal

[dant]

Here is the situation:

- FM Pro 5 Server is hosting a database (we'll call it "database.fp5") that is being used for an online/internet survey.

- The survey is posted online via HTML pages which are using forms and CDML to add/update records in the database.

- The database is also made visible in "Instant Web Portal" (this so that the admins can remotely view the database).

- I have TWO problems that have arisen from this project.

PROBLEM 1:

I placed the database and the HTML files inside a project-specific folder within FileMaker Pro's "Web" folder. So, for example, the DB and files were placed within "/FMPro/Web/survey". The problem with this set up occurred when I attempted to remotely open and close the database using the following commands in the browser location/address field:

http://111.111.111.111/FMRes/FMPro?-DB=survey/database.fp5&-Format=dbclose.htm&-dbclose

http://111.111.111.111/FMRes/FMPro?-DB=survey/database.fp5&-Format=dbopen.htm&-dbopen

I was able to initially OPEN the database, but when I attempted to close the database I received a message stating that the database was not open (huh?). I also attempted to delete and overwrite the database using FTP, but I received a message stating that a process was running and so the deletion/revision could not be made (makes sense since the database was open and running).

In order to make it so that I could open and close the database I ended up having to move the database.fp5 file out of the "survey" folder and bring it up into the "Web" folder. Once I did this I was able to edit my remote commands ("-DB=survey/database.fp5" changed to "-DB=database.fp5"), and open and close the database with no further problems.

Although this solved my immediate problem, I'd really prefer to be able to do the opening and closing of the database with the database file (or files in the case of a relational database) located inside of a job-specific folder (the way I originally had things set up). Can anyone suggest a way to accomplish this?

PROBLEM 2:

I realized that there was a major security risk posed by having the database visible in Instant Web Portal. However, I needed to allow several admin types to be able to view the database remotely while the survey was running. I attempted to look for ways to password protect the Instant Web Portal, but I could not come up with a way within FileMaker to BOTH secure the IWP AND to allow visitors to the web site to take the survey without having to input a password.

I thought about trying to apply some sort of Perl "password" script to control access to the IWP page itself, but I was unable to get the system admins to follow through on this and in the end I just shut down the portal and (once a week) downloaded a copy of the database to check the survey's progress. Is there a simple way around this problem, or is the way that I set this project up fundamentally in need of overhaul?

Any advice with either or both of these problems would be greatly appreciated. I'm hoping to learn a little something here, so that my next survey will run more efficiently and be more secure. Thanks in advance.

[Vaughan]

To manage web user access, use the Web Security databases and configure Wb Companion to use Web Security for access control. Always have a password puilt into the database useing FMP's Access Privileges.

Regarding location of the files themelves, be aware that ANY files located in the web folder can be downloaded through web browsers simply by specifying the url and file name. DO NOT put your databases in the web folder.

Read FileMaker's white paper on web security

http://www.filemaker.com/downloads/index.html

[dant]

Thank you for pointing me in the right direction.