Posted

Hi there FMPs!

I've got a question about protecting the admin files of my website. I want to use the CDML_FORMAT_FILES folder for this but don't know exactly how to do this.

This is my structure:

-WEBROOT

index.html

-ADMIN

Login.html

-In my CDML_FORMAT_FILES folder there are my admin files:

Loggedin.html

list.html

etc

my login.html file contains the following tags:

<form action="FMPro" method="post" name="loginform">

<input type="hidden" name="-DB" value="database.fp5">

<input type="hidden" name="-format" value="logedin.html">

<input type="hidden" name="-Type" value="user">

So I want the admin to log in on the ADMIN/login.html page, and after logging in he goes to the protected CDML_FORMAT_FILES folder so people can't hack my login.html file (by source).

But this doesn't work (FORMAT FILE NOT FOUND), can somebody help me with this one?

tnx!

Dennis

(yes, I use version 6.0)

  • 3 weeks later...
Posted

<input type="hidden" name="-format" value="logedin.html">

I think <.....value="/ADMIN/logedin.html">... is the part where you need to "find" the page....

I am also new to all this CDML_FORMAT_FILES concept

Posted

Hi, FMPDennis!

I don't have FMP6 so don't know much about the cdml_format_files folder other than wishing I had it. Still, if it's a NOT FOUND issue, it could be your paths. If Leb i Sol's answer doesn't work, maybe you should try

<INPUT TYPE="hidden" NAME="-format" VALUE="cdml_format_files/Loggedin.html">

Excuse my ignorance, but if ADMIN is yet another folder and it contains Login.html, shouldn't it be in the cdml_format_files folder also? Or is there some ADMIN=cdml_format_files thing I don't know about?

Hope this helps.

-- ST

Posted

Hello all!

I am also new to this CDML_FORMAT_FILES thing....

Can someone explain it...in plain English? (I did read the PDF that came with FM6)

>Located at the root level of the FileMaker Pro folder, the cdml_format_files folder provides a way to protect your format files (files that are specified using the -format parameter) when publishing databases using Custom Web Publishing.

Unlike the FileMaker Pro Web folder, the cdml_format_files folder cannot be accessed directly by the FileMaker Pro HTTP server. Instead, the Web Companion searches this folder for CDML format files during CGI requests.<

What I understood is that if I have a "-format" on my page I should place it in the CDML_ folder but EVERY..or almost EVERY page including login page has it?:!!!!! and yet they can not be accessed?:

Anyone with some more info on this ?

If I have index.html (in web folder) and I link it to Login.html...?

Login.html obviously has the "-format" in it...should Login.html be in this CDML_folder or web folder? how about Loggedin.html?

Anyone that looks at the source of Login.html(Web Folder) can see which database name and structure...well all of it. If Login.html(CDML_FILE_FOLDER) no access.........seems like a loop that has no use?! I am sure it is me but....the logic is bothering me!

Can you help?

Please, I am new to this whole game but my concern is security before productivity...!

I would appreciate some talk about it!

thanx guys
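The behaviour in the documentation quoted in the post above, as an added Python model (not FileMaker code and not part of the original thread): static HTTP requests can only reach the Web folder, while the `-format` value of a CGI request is resolved inside a sibling `cdml_format_files` folder. The function names, the constructed file layout, and the treatment of `-format` as a path relative to the protected folder are assumptions.

```python
import os
import tempfile

def build_layout(base):
    """Constructed layout: public Web folder plus a sibling cdml_format_files folder."""
    web = os.path.join(base, "Web")
    fmt = os.path.join(base, "cdml_format_files")
    os.makedirs(os.path.join(web, "ADMIN"))
    os.makedirs(fmt)
    files = {
        os.path.join(web, "index.html"): "<html>home</html>",
        # The login form stays public, so its hidden fields remain readable.
        os.path.join(web, "ADMIN", "Login.html"): "<form action='FMPro'>...</form>",
        os.path.join(fmt, "Loggedin.html"): "<html>admin area</html>",
        os.path.join(fmt, "list.html"): "<html>record list</html>",
    }
    for path, body in files.items():
        with open(path, "w") as fh:
            fh.write(body)
    return web, fmt

def _inside(root, relative):
    """Resolve relative under root; None if it escapes root or is not a file."""
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, relative.lstrip("/")))
    if os.path.commonpath([root, target]) != root or not os.path.isfile(target):
        return None
    return target

def http_get(web_root, url_path):
    """Static request: only files under the Web folder are reachable."""
    return 200 if _inside(web_root, url_path) else 404

def resolve_format(format_root, format_value):
    """CGI request: the -format value is looked up in the protected folder only."""
    return _inside(format_root, format_value)

def demo():
    with tempfile.TemporaryDirectory() as base:
        web, fmt = build_layout(base)
        return {
            "login_form_public": http_get(web, "/ADMIN/Login.html"),
            "format_file_direct": http_get(web, "/cdml_format_files/Loggedin.html"),
            "traversal_from_web": http_get(web, "/../cdml_format_files/Loggedin.html"),
            "format_lookup": resolve_format(fmt, "Loggedin.html") is not None,
            "format_traversal": resolve_format(fmt, "../Web/index.html") is not None,
        }

if __name__ == "__main__":
    print(demo())
```

In this model the template bodies are protected from direct download, but anything placed in the public login form (database name, format file name) is still visible in its source.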

Posted

<INPUT TYPE="hidden" NAME="-format" VALUE="cdml_format_files/Loggedin.html">

I tried using this as Unable suggested and was just like him/her...unable

as well as the ....

VALUE="/cdml_format_files/Loggedin.html">

or

VALUE="./cdml_format_files/Loggedin.html">

and this doesn't seem to be a path issue. I think the guys from FM are FULL OF S****. The next thing FMcrew suggests is to put the copy (Loggedin.html) of files in Web folder?!! WTF? What is the point of all this then!

...well...maybe selling popcorn would be their thing rather than trying to "publish" their DBs. Sorry all of you FM lovers but I am just frustrated to the point that this software has given me nothing but headaches...rotten apple...I was/AM even ready to learn CDML and then this thing is making me doubt my HTML skills (which are pretty decent and go back to notepad times)!

How about using custom publishing with File Maker Pro Access Privileges and just forget the whole LOGIN crap? no? not a good idea?

maybe I should trash these 10 FMpro6 licences and use...yes ...the A word...Access?

What do you think?

(Am I just tired today or.....blind)

HELP....HELP....HELP

Posted

Hi, Leb i Sol! Maybe someone else can help better since I am admittedly ignorant in this area, but here's my understanding of it all...

----------

pre-fmp6:

----------

We make HTML/CDML template pages (a.k.a. "format" pages) and put them in the Web folder of FileMaker Pro, e.g. index.html, search.html, searchresults.html, detail.html, etc. We can also make sub-folders in the Web folder, but we then have to make sure the paths match accordingly, e.g. subfolder/search.html, subfolder/detail.html, etc. Usually, this is all relative to the root folder (Web folder). I got messed up in one case where I had the following...

<FORM ACTION="http://servername.edu/FMPro/subfolder" METHOD="post" ...>

This line defined my root folder as the subfolder rather than the Web folder. Sometimes this is desirable, however, especially in cases where you are serving several solutions.

Now the problem, as I understand, was that anything in the Web folder could be peeped at by the technologically curious/mischievous. This could pose a security risk to your system.

----------

post-fmp6:

----------

Seeing this need (or user request), FMP made it possible in FMP6 to hide your format files from snoopers by creating the cdml_format_files folder and putting it inside the Web folder -- if you want to (or at least that's what I THINK; I don't have FMP6; please correct me if I am wrong, folks!).

So, format files can be put in the top layer of the Web folder as before, or they can be put in the cdml_files_folder. If the latter, I assume the process is the same as before, i.e. paths must include it... cdml_files_folder/search.html, cdml_files_folder/detail.html, etc. The page on which you have a "-format" statement should not matter, but the path to the format page which follows must be referenced accordingly, e.g. search.html for the root Web folder or cdml_format_files/search.html for the no-peeping folder.

(Sorry, I got to go.. I was going to say more but I hope this helps some. And I wouldn't recommend going to another software product. I think FMP is the best/easiest by far even if it is limited in some ways.)

Ciao for now and try not to pull out your hair!

--ST

Posted

Thank you sktajiri!

You are right about the hair, almost gone... :-)

The main and crucial step FMpeople left out was to COPY-MOVE the cdml_format_folder...hm I will give it a try!

Another thing was that I never (still) had the Log Out option so my sessions never time out....which led to rights issues...and all.

Anyway, thanx for the post, I hope people continue to post on this topic. After all, web is the beginning of IN-security and any idea/tip is welcome!

Posted

Ok, I should have said I was writing in 5, 'cause like ST, I don't have 6. But I would go with ST's analysis (guesstimate?) and if I were trying it I would try

<input type="hidden" name="-format" value="cdml_format_files/admin/logedin.html">

or whatever the appropriate path names are for 6.

If you decide to dump FMPro and go for Access, send me your copy and license.

Posted

Thanx for the input guys!

This was started by FMPDennis but I ran into the same problem...I will give it a try. To re-cap

Web Folder

|

cdml_format_files

|

MyFolder

|

admin

|

blah folder

is the structure recommended right?

If u desire to have FMPro 6 licence...well, I can't give it away but something can be arranged where I could "lend" you FMPro6 for "development" purposes. Also I feel I got robbed with V6 since CDML tool and reference DO NOT come with it????? So you can understand my point when I say....CDML??what?? where? what folder? what tools?

It took me a while but I found it on-line so now I at least have a horse for the race....it might be the horse that doesn't know what race he is in but it's a horse! If you know what I mean!

Thanx guys!

Posted

ohhh Developer Version....ups I have just a FMPro 6....no wonder I felt like a sheep amongst the wolves!

It's too bad that FM doesn't work on their ODBC. I think they would gain massive followers in the Windows community and most definitely convert people from Access...join-in on ASP technology....all kinds of good things!

Anyway, thank you guys for the posts!

  • 2 weeks later...
Posted

Actually, I'm a sheep, too (even according to Chinese zodiac; and 2003 is year of the sheep) and don't have Developer. We DO have Unlimited, though. The only difference between FMP and FMP-U seems to be (1) no limit on IP's accessing and (2) Web Server Connector--which we don't use.

It is great to hear from the pro's, though. There's some really hot threads where the professional developers pow-wow.

Posted

Take advantage of the Sample Files forum and the Articles forum. Beau coup to learn. And thanks to all those who have contributed to those.
