December 11, 2002
Am I correct that there is no way to do a -edit URL or Form without including the -RECID for the record you are editing? If this is the case, considering that the recid is a serial number that developers have no control over, isn't it extremely easy to hack a URL and find data for other users?
December 13, 2002
As far as I know, you're right about the -recid being required for -edit but I'm not so certain about the ease of hacking a URL... (2 minutes later...) OMG!!! It was easier than I thought... I changed a record's data right through the URL! Of course, I tested it on an unprotected db we're still developing so there's no AP or WSD, but I was still shocked at how easy it was. Ironically, I'm going to use this trick for quick-editing data remotely until we finish the project and initiate security. Thanx for the tip/warning/new tool.
December 13, 2002
The RecID is a very slippery number: it is not quite a serial number in that the series of numbers that FMP uses is not continuous -- there is a big break in the middle of the sequence of numbers.
December 13, 2002
Use protected chromeless HTML pages by forced frames and no one will be able to fiddle easily with the URL.
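
Added example, not part of the original thread and not FileMaker code: a server-side check that treats the -recid in an -edit request as untrusted input and only lets the request through when the signed-in user owns that record, so the decision does not depend on what URL the client sends. `RECORD_OWNER`, `authorize_edit`, `Denied`, the field name and the sample query strings are constructed for illustration, and the session user is assumed to come from an already authenticated session.

```python
from urllib.parse import parse_qs

# Constructed sample data: record id -> owning user (assumed to be kept
# server-side, e.g. in an owner field the web user cannot write to).
RECORD_OWNER = {"32": "alice", "33": "bob", "32801": "alice"}


class Denied(Exception):
    """Raised when an edit request must not reach the database."""


def authorize_edit(query: str, session_user: str) -> str:
    """Return the record id if session_user may edit it, else raise Denied.

    `query` is the raw query string of an edit request, for example
    "-recid=32&name=New&-edit" (constructed sample).
    """
    # keep_blank_values=True so the bare "-edit" token is not dropped.
    params = parse_qs(query, keep_blank_values=True)
    if "-edit" not in params:
        raise Denied("not an edit request")

    recids = params.get("-recid", [])
    # Require exactly one numeric -recid: a repeated parameter could make
    # this check and the database disagree about which record is meant.
    if len(recids) != 1 or not recids[0].isdigit():
        raise Denied("missing, repeated or malformed -recid")

    recid = recids[0]
    # Same answer for "no such record" and "not your record", so the
    # response does not reveal which record ids exist.
    if RECORD_OWNER.get(recid) != session_user:
        raise Denied("record not available")
    return recid
```

The same ownership test applies to any request that names a record by id, not only edits.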