Using FMP online

[Tom England]

This is a very generic query. We have been using FMP for about 12-18 months and are successfully using FMP over our company network. We are now looking at allowing access to some of our data over internet.

I am now wondering if FMP is an appropriate piece of software to perform what we are looking for. I want our clients to be able to log on and see their (and theirs only) individual record. It needs to be secure and would hold a few thousand records with any number of people wanting to gain access to their record at any time.

Obviously, I understand that this in itself is a massive topic, but initially I just want to know if it is feasible to use FMP to perform such a task.

Thanks

[Anatoli]

It can be done with CDML -- custom web publishing.

But to talk about "web", "secure" and "FileMaker" doesn't ad up.

There are several security holes in FM for which workaround and programs do exists.

[Garry Claridge]

It is feasible. However, you should download, and read, the FM Security document from the Filemaker site.

Have a good look at the 'Web Security' database.

Good Luck.

Garry

[Keith M. Davie]

Regarding web security, you may want to spend the time reading The Security Thread:

http://www.fmforums.com/threads/showthreaded.php?Cat=&Board=UBB21&Number=19032&Search=true&Forum=UBB21&Words=chazboi&Match=Username&Searchpage=0&Limit=25&Old=1year&Main=19032

[Anatoli]

Somehow the URL doesn't work

[Keith M. Davie]

Thanks Anatoli, the link is the one for the old forum format. The thread is Security Loophole, started by Chazboi.

The new link seems to be (since I just searched and got it)

http://www.fmforums.com/threads/showflat.php?Cat=&Board=UBB21&Number=19032&Forum=All_Forums&Words=chazboi&Match=Username&Searchpage=0&Limit=25&Old=allposts&Main=19032&Search=true#Post19032

[Jeff Spall]

Hi, can I suggest here that a "secure" (by web standards!) method would be with Webserver/WSC (or Lasoo) on a Firewall DMZ for public access and the database server inside the firewall on the local network. Open a route to the database server for only the webserver IP address.

In your format pages, only accept calls from the correct referring page and maybe use a nice secure method like server-side includes to deliver them.

You'll still have to address the issues of the kind of password verification you need for data security. If you're happy with the security, FileMaker can do just about any database serving you want

[Anatoli]

It will be secured with Lasso (until Chazboi or someone else crack it) but not secure at all with WC and/or WSC.

Until you can match every user with "exact" matches in Security Databases, which is not practical or possible at all, databases are easily "hackable".

The protection should exist at syntax level -- our solution of Security Filter or syntax programmable firewall.

[Garry Claridge]

Jeff said:

"I suggest here that a "secure" (by web standards!) method would be with Webserver/WSC"

This is where I suggest using Apache/PHP and the "readfile()" function. Apache/PHP comes with OS X.

All the best.

Garry

[Anatoli]

I wish I know something of that.

I am still busy with new system and it will be 6 months from now when I will have 1 hour to go to peek at PHP.

Anyway, are you suggesting doing pages in PHP driven by FileMaker?

[Garry Claridge]

Anatoli said:

"are you suggesting doing pages in PHP driven by FileMaker?"

It is one way of adding extra security to FM. I am talking about using CDML/PHP, not ODBC.

Garry

[Anatoli]

ODBC is dirty word