September 24, 2003

Hello all-

I have attached a PDF diagram of the two routes to access my databases. I would love it if a few people could chime in about the security issues. My database holds information that is sensitive and security is important. In the attached diagram, I am assuming that I could set FileMaker Unlimited to only allow access to the Web Server IP address. Would that work? Is a system set up like this vulnerable to the XML security issues I have been reading about (i.e. -dbnames, etc.)? All of the record level access is not handled through the Web Security database but rather built into the system.

Thanks-
Courtney

Attachment: CRUAccessDiagram.pdf
September 24, 2003

Courtney,

The WSC route can be made very secure. As you say, the access can be set to the WSC only. The FMPro client access through a VPN will also be as safe as the VPN. The general concept looks OK to me. The WebSecurity database can be used also to limit field access.

All the best.
Garry

p.s. Anatoli had a product, like a WSC, which filtered out certain tags like "-raw, -dbnames" etc.
September 24, 2003

RE: p.s. Anatoli had a product, like a WSC, which filtered out certain tags like "-raw, -dbnames" etc.

It is 90% finished and works OK for months without a crash on Windows.

As soon as you put FM databases through WebCompanion and Unlimited on the web, consider them as "public domain".

To block and protect your data:
- you need a programmable firewall to block bad syntax
- or a finished plugin like we were developing
- or use "Exact search" in all web queries

I believe 100% security can be only achieved for FileMaker through Lasso *and* good programming in Lasso. Search forums for "security loophole" and similar topics.
September 24, 2003

I believe excellent security can be gained through the "Web Security" database for certain designs and conditions. As I proved in the "Security Loopholes" threads.

All the best.
Garry
September 24, 2003

Anatoli.....tell me more about your plugin....I spent the last few weeks thinking about altering CGI (especially URL) processing of FM.....had very little luck or $$$. Is this supposed to be a retail plugin? Or will we see it at the Sample Forum?

thanx
September 25, 2003

I see 2 points in your schema that can unsecure your solution.

First, your VPN. I suppose that some clients access the databases from a laptop or in-house computer without any control. These users can have their own connection that could open a bridge between your secure zone and the Internet.

The second point concerns your application on the web. First you should add some URL tools like URL scan to eliminate wrong/malformed URLs. Remember too that using the Web Companion lets users show the db name and layout name and manipulate the URL. You should also be sure that the FMPU does not use a public address. Remember too that a hacker can also manipulate TCP packets to pretend that a request comes from your web server and not from the Internet.

So you had better use tools like Lasso or JDBC to secure your critical db, and not show critical information.
September 25, 2003

Our plugin will just filter out the "nasty hacking syntax". I do not believe in WC security much. I guess it is something like 0 (zero) in most solutions and up to 70% if you implement all known tricks. In Lasso security is enhanced up to possibly full 100%. But it has to be used professionally again with good programming techniques.
September 25, 2003, Author

It seems to me that for the web-based route, the only way someone could get in given the implementation in the diagram would be if, as omiossec said, someone manipulated a packet to make it look as though it came from my web server. Otherwise, they will be going through the very secure route of SSL. If they did make it appear as though it were coming from my web server, then they could use the -dbnames and -raw, etc. commands to access what? I have read through all the security threads but I don't think there is ever a consensus as to what then may result.

By the way, I am also using forced frames, disable right click and cannot enter site without JavaScript enabled.

Thanks all for the input so far!
-Courtney
September 25, 2003

Leb i Sol -- We were just building the filter and it really works as I wrote above. But because it is filtering all XML and CDML "nasty hacking syntax", there is a problem: the WSC loses connection to Unlimited, because it is using one of the forbidden XML commands. I guess unblocking that command is everything that needs to be done, but the project is on hold, and until someone finances the estimated US $300 to finish that filter we cannot use it.

It works like IIS -- WSC -- Filter -- WC+Unlimited. It is not crashing and it is superfast.
September 25, 2003

RE: By the way, I am also using forced frames, disable right click and cannot enter site without JavaScript enabled.

When I developed that combination I never thought about gaining full security. It is just a small navigational help and a sort of "security through obscurity".
September 26, 2003

re: "... they could use the -dbnames and -raw, etc commands to access what?"

Well if you take a quick look at Flanzy's recent thread on this forum, you will see that at his site "everything" was available, including cc #'s and their expire dates. Squeaky ouch! And he had a couple of ScriptMaker scripts which could have been run thru url manipulations as well. Might have just played havoc with things, but then someone would have had to deal with that too, huh! Oh my.

I might infer that's "what" may similarly be available at your site in the situation described.
September 26, 2003

"-raw", with "-findall", will display all data from the database, unless restricted with the "Web Security" database. The same applies to the "xml" commands. With these commands, you do not need a Format file to display data. Hence, Format files cannot be used to "hide" data.

Hope this makes sense. Depending on how your application is designed, the "Web Security" database may provide all the security needed.

All the best.
Garry
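The kind of request filter discussed in this thread (a programmable layer in front of Web Companion that rejects unwanted request syntax), sketched as an added example; it is not any poster's code and not Anatoli's plugin. It denies the tags named in the thread and then allowlists everything else. The policy values, the sample URLs, and the choice of `-db`, `-format`, `-find`, `-new`, `-max` and `-script` as the request tags a site sends are assumptions for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Tags this thread names as able to dump data or structure.
BLOCKED_TAGS = {"-dbnames", "-raw", "-fmp_xml", "-findall"}

# Constructed site policy (assumption): the only things this site's pages send.
POLICY = {
    "path": "/fmpro",
    "actions": {"-find", "-new"},
    "databases": {"products_web.fp5"},
    "formats": {"results.htm", "thanks.htm"},
    "fields": {"item_id", "title", "price"},
    "max_records": 50,
}


def check_request(url, policy=POLICY):
    """Return (allowed, reason) for one request URL bound for Web Companion."""
    parts = urlsplit(url)
    if parts.path.lower() != policy["path"]:
        return False, "unexpected path"

    # parse_qsl percent-decodes once; keep_blank_values keeps bare tags (-find).
    pairs = [(n.strip().lower(), v.strip())
             for n, v in parse_qsl(parts.query, keep_blank_values=True)]

    # 1. Explicit deny on names and values (e.g. -format=-fmp_xml), so the
    #    log records which tag was attempted.
    for name, value in pairs:
        for token in (name, value.lower()):
            if token in BLOCKED_TAGS:
                return False, "blocked tag: " + token

    # 2. Allowlist: everything else must be something the site's pages send.
    names = [n for n, _ in pairs]
    if len(names) != len(set(names)):
        return False, "duplicate parameter"
    params = dict(pairs)

    if len([n for n in names if n in policy["actions"]]) != 1:
        return False, "need exactly one allowed action"
    if params.get("-db", "").lower() not in policy["databases"]:
        return False, "database not allowed"
    if params.get("-format", "").lower() not in policy["formats"]:
        return False, "format file not allowed"

    for name, value in pairs:
        if name in ("-db", "-format") or name in policy["actions"]:
            continue
        if name == "-max":
            ok = value.isascii() and value.isdigit()
            if not ok or int(value) > policy["max_records"]:
                return False, "bad -max"
        elif name.startswith("-"):
            return False, "tag not allowed: " + name
        elif name not in policy["fields"]:
            # Covers fields such as a cost price that only staff should query.
            return False, "field not allowed: " + name
    return True, "ok"


# Constructed sample requests (not taken from any real log).
BASE = "/FMPro?-db=products_web.fp5&-format=results.htm"
SAMPLES = [
    BASE + "&title=widget&-max=10&-find",
    "/FMPro?-dbnames",
    "/FMPro?-db=products_web.fp5&-format=-fmp_xml&-findall",
    BASE + "&%2DFindAll",            # encoded and mixed case
    BASE + "&%252Ddbnames&-find",    # double encoded: caught by the allowlist
    "/FMPro?-db=orders.fp5&-format=results.htm&-find",
    BASE + "&cost_price=1&-find",
    BASE + "&-script=cleanup&-find",
]


def run_samples():
    """Decide every sample; returns a list of (url, allowed, reason)."""
    return [(url,) + check_request(url) for url in SAMPLES]


if __name__ == "__main__":
    for url, allowed, reason in run_samples():
        print("ALLOW" if allowed else "DENY ", reason, url)
```

The double-encoded sample shows why the allowlist step matters: the deny list never sees a matching tag, yet the request is still refused because nothing on the site sends that parameter.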
September 26, 2003, Author

I just reread my initial post and realized it sounded as if I was not using the Web Security database, which I am. So that being said, if someone does manage to manipulate a packet to make a request appear as if it is coming from the web server, then they still have the web security issue to contend with.

Garry- could you elaborate on this: "Depending on how your application is designed, the "Web Security" database may provide all the security needed."

Thanks-
Courtney
September 28, 2003

Courtney,

The one main problem I've found is that I cannot have "All Users" browse the database yet hide certain fields from them and have other users see the hidden fields.

As an example, "All Users" search a Products database and see the selling price. Only the sales staff are allowed to see the cost price, supplier and markup etc. If I am only using Format files to restrict field display, "-raw" and "-fmp_xml" will allow "All Users" to see all fields.

This is the design which causes me some work-around problems.

All the best.
Garry
September 29, 2003

RE: Depending on how your application is designed, the "Web Security" database may provide all the security needed.

So Garry, how would you protect the databases, when in fact all must be set as "All Users"? On most web solutions one can never enter all visitors into Web Security db.
September 29, 2003

I believe that some greater degree of security exists in 5.5 and above - provided one is willing to put aside aesthetics and use the yucky pop-up. In that instance one can inform the general-public-client of the password to enter into the pop-up when it appears. Those with "in-house" needs will be informed (of all places) "in house" of the password or (possibly more accurately) group and password to use with the ugly pop-up so they can enter whatever level is appropriate to them.

Another solution is to set the website such that the db file serving it is restricted by a group/password other than All Users and utilize the automatic entry of the password.

It should be possible (probably advisable) to run two sites, one for the public (restricted, seamless, no pop-ups) and one for in house (many groups and passwords).
September 29, 2003

Unable - I thought you weren't going to broadcast my error in having that info available. I hope I was able to remove it before everyone went there.

Have solved one speed problem, but don't know how. I am now trying to figure out if Lasso would be the answer or an SSL to the security issue.

BTW - this Flanzy is female.
September 29, 2003

RE: or an SSL

With SSL you will get transport encryption, but not security from FM.

RE: It should be possible (probably advisable) to run two sites, one for the public (restricted, seamless, no pop-ups) and one for in house (many groups and passwords).

That will call for Lasso for synchronizing between both systems, thus making 2 systems redundant, because of Lasso.
September 29, 2003

Anatoli, I am confused. There are 3 computers on an in-house network that communicate via AppleTalk. But only one computer runs the on-line shopping cart solution. Anyone who wants to work with it goes to that computer. We live in a rural state and our bookstore is in our barn behind our house. The barn is dry and economically renovated (floors, shelves and ceilings). I make backups of the solution - so do I still need to have two systems?

Also - when you go to book-selling sites like abebooks.com - or a lot of other shopping sites, they offer a secure way to send credit card info. So doesn't that - or will that achieve the security one wants? Or am I not thinking correctly?

--- Flanzy
September 29, 2003

Re: how would you protect the databases, when in fact all must be set as "All Users"

Protect what? If you have "All Users" browsing that means that you are allowing them to see the data. I've missed your point!!! What protection do you mean?

Garry
September 29, 2003

All Users will allow ALL data to be displayed via -raw queries. In the same moment All Web Users should be able to place an order in the e-shop. How do you protect some fields not to be displayed?
September 29, 2003

Flanzy

RE: But only one computer runs the on-line shopping cart solution.

Is that connected to FM server? If yes, then if you allow All Users, which I will say is desirable, then all databases opened in Unlimited and all records are available to -raw "hacking" syntax. Did you try that? There are plenty of articles here. Search for "Security loophole".

SSL is just a secure channel between browser and Web Server. So in theory nobody connected between end points is able to get anything out of it. If the web server is disclosing all info from hosted databases, where is the security?

What do you see in http://yourserverIP/FMPro?-dbnames
September 29, 2003

Re: How do you protect some fields not to be displayed?

Yes, that is the problem! As I stated, I've had to develop "work-arounds" for this design in the past.

The way I've done that is by establishing another database which has one field, the "Item ID". All other fields are Calculations from the related record in the master database. The trade-off here is performance.

This is where I believe the "Web Security" database needs to have field restrictions based on Users. Not just a "blanket" restriction.

All the best.
Garry
September 29, 2003

Calculations are displayed on request. IMHO -- no protection again.

RE: This is where I believe the "Web Security" database needs to have field restrictions based on Users. Not just a "blanket" restriction.

That will work. But how to do that for thousands of unexpected visitors in e-shop?
September 29, 2003

Re: Calculations are displayed on request. IMHO -- no protection again

It works exactly how I want it to work with the protection I need!

Garry

p.s. Give me the e-shop requirements and I will design a system. I will also charge accordingly!
September 30, 2003

Garry Claridge said:
> Re: Calculations are displayed on request. IMHO -- no protection again
> It works exactly how I want it to work with the protection I need!
> Garry
> p.s. Give me the e-shop requirements and I will design a system. I will also charge accordingly!

The field is always displayed. Text field or text calculation, if the database is hit by a web request, proper user page or -raw, it is displayed. The same as in FM. If you are happy with that, that's OK with me. I am not happy with that. So the shop is on Lasso, which also has huge performance benefits, and with LassoScript I can do more than FM can do.
September 30, 2003

Re: The field is always displayed

That is correct. That is why I have only the fields intended for display as Calculations in the "web-exposed" database. So if anybody uses a "-raw" or "-fmp_xml" they see only the data I intend them to see.

The reason these fields are calculations is so that they remain "dynamic". That is, a change in the master database is seen in the web-exposed database.

Hope this helps you understand the design.

Garry
September 30, 2003

Yes, that is clear from beginning and good way of some "read-only" protection. Also, you cannot edit such fields from web, because if you allow access from web to database, it is web-exposed. That is working as protection of company "internal" data. Not protection of absolutely all data used on web database, e.g. email address. That has to be in the web served database, available for users for all edits.

I can verify the user, allow him/her to edit a record and only his/her record. Then someone will get the whole database listing with a -raw query. That *is* bad. Obviously the accounting data will not be visible, because they are not in the Web served database. Then someone will ask for those data to be visible only for verified users. That is again impossible. The only reasonable way is "exact search" in WSD, but then everything must be with exact search on that database and that is far away from real web usage.

Take this example: I've checked how Masters are doing protection years ago. I've listed in browser all email addresses from the database of a famous FM author. I've notified him and basically he replied something like "who cares". I was furious, because my address was "in public domain".

My opinion about security and FM served database is just security by obscurity. Only Keith's way with scripts is much more secure, because he is shifting the data out and in the database exposed to web. But since scripts have those unpleasant side effects like freezing the FMU, it is again a solution for few websites with a small number of visitors. Not the traffic we have.

So I am studying Lasso and there is possibility of real security. It is in Lasso features and it has to be achieved through good programming. Actually, talking here about security is like children's games. Dramatic security breach in Lasso Lists is considered just the exposure of database names to web traffic. And we even didn't touch those depths in any security discussion here!
September 30, 2003

Well thank you Anatoli. Based on my experience "side effects like freezing the FMU" do not have much significance when the ScriptMaker event processes in less than 100 milliseconds, which is more than enough time to remove data completely from the web exposed db file with a protected ScriptMaker script.
September 30, 2003

Maybe in your case, but not in our heavy traffic. But in case of protecting otherwise unprotected data I will probably rather risk a crash than data to be stolen. With Lasso we don't have such issues.
September 30, 2003

I was working only on one solution in Lasso 6. When I examined the requirements and the FM solution, there was absolutely no way to do it in CDML. I can say I know 90% from CDML, 20% from related JS, but even with FM scripts and better security than WC has, the task was too much for CDML. With Lasso -- piece of cake. I was held back from time to time with the Lasso vs. CDML difference, but with excellent support from Lasso List it was a relatively easy task. In short
October 1, 2003

IF WEB oriented THEN MySQL+PHP MySQL+ASP MySQL+JSP is even better than any FM +"cowboy" tool ...heheheh
October 1, 2003

Did you try both? Lasso is more productive than php and you get MySQL in Lasso "tuned". Everybody who is at home with CDML knows already some of the Lasso workflow. ASP is even less productive. Lasso is expensive, but php with Zend is even more. Lasso and php are portable between Windows, Linux and MacX, ASP not.

BTW, FM is quite fast on my Windows, so normal search is faster than the same search in MySQL. Obviously MySQL is faster and faster as the complexity in Queries increases.
October 30, 2003

Oh boy, here we go again!

Yes, Lasso has some very useful tags built in. However, PHP is much more robust and extensible. Further, PHP supports object oriented programming which can *greatly* simplify the code behind a complex web site, and greatly reduce development time as well. Further, PHP is free. While you can optionally purchase the Zend optimizer (which costs slightly more than Lasso), it is outright unnecessary for most sites.

Further, PHP is much easier to learn than Lasso (imho) because there are hundreds of excellent books out there on PHP. Lasso on the other hand only has a few books, none of which are worth their weight in salt. From what I hear Lasso has a good list-serve and supportive online community. So does PHP - in fact more so because PHP has soooo many more users/programmers than does Lasso.

PHP is also optimized for MySQL, since the development of those technologies was tightly knit together. MySQL is also free, unless you build it into a product where the user cannot choose which database to use. However, MySQL is free for database driven web sites, even if you're making money from the web site via subscriptions. I've personally verified this with the MySQL AB team through email correspondence. PHP is also well optimized for Apache, which is a *free* world class web server.

Another *extremely* good reason (imho) to use PHP over Lasso is that there is much more demand for PHP programmers than Lasso programmers. If you can achieve the same (or even reasonably similar) results from PHP or Lasso, why not choose the technology that will open up a world of new job opportunities for you? Just go on craigslist.com, hotjobs.com, dice.com or monster.com or any other and search for Lasso jobs, then search for PHP. The difference is tremendous.

Also, most web hosting services provide PHP and MySQL... how many provide Lasso?

ASP is also a good technology, and offers far more pre-canned functionality than Lasso (thereby making it a more production tool). I don't think ASP is quite as fast as Lasso or PHP, but the difference is not much. The only thing is, ASP doesn't yet have a free code package that abstracts the http/xml layer it uses to communicate with FileMaker. I don't think any of us are supporting E-Bay type traffic with FileMaker on the back end, anyway - so the speed differences are not too noticeable.

----

Re: security. Any middleware is a HUGE improvement over FileMaker's native web scripting. First, these all offer increased security by removing FileMaker's web vulnerabilities - any client communication to FileMaker must be filtered through the middleware, which can be built to provide as tight a security model as you like. Any of the aforementioned scripting languages will also vastly boost your productivity by allowing you to approach standard programming problems in standard ways - instead of looking for brittle and obscure work arounds in CDML.
October 30, 2003

Mariano Peterson said:

> Oh boy, here we go again!

No comment

> Yes, Lasso has some very useful tags built in. However, PHP is much more robust and extensible. Further, PHP supports object oriented programming which can *greatly* simplify the code behind a complex web site, and greatly reduce development time as well. Further, PHP is free. While you can optionally purchase the Zend optimizer (which costs slightly more than Lasso), it is outright unnecessary for most sites.

Lasso is fully customizable. I don't think PHP has any edge over Lasso. That is why plenty of people are happily paying for the Lasso. Lasso is Objects oriented and it is using much less code, than PHP. That is why I will pay again the Lasso price. If I want to protect the middleware/HTML code, Lasso is much cheaper. I didn't check lately, but it was 999 for Lasso and 2500 for Zend.

> Further, PHP is much easier to learn than Lasso (imho) because there are hundreds of excellent books out there on PHP. Lasso on the other hand only has a few books, none of which are worth their weight in salt. From what I hear Lasso has a good list-serve and supportive online community. So does PHP - in fact more so because PHP has soooo many more users/programmers than does Lasso.

PHP is much more difficult if you start with CDML knowledge than Lasso. Even without CDML base Lasso (IMHO) is still easier and simpler. The price of Lasso probably reflects this.

> PHP is also optimized for MySQL, since the development of those technologies was tightly knit together. MySQL is also free, unless you build it into a product where the user cannot choose which database to use. However, MySQL is free for database driven web sites, even if you're making money from the web site via subscriptions. I've personally verified this with the MySQL AB team through email correspondence. PHP is also well optimized for Apache, which is a *free* world class web server.

PHP doesn't come integrated with MySQL; Lasso is integrated with MySQL. Actually all Lasso processes and permissions are stored in LassoMySQL. And Lasso integrates FM and MySQL "off the shelf". With full commercial license of MySQL in the price. Lasso is integrated in Apache and IIS and Web* etc.

> Another *extremely* good reason (imho) to use PHP over Lasso is that there is much more demand for PHP programmers than Lasso programmers. If you can achieve the same (or even reasonably similar) results from PHP or Lasso, why not choose the technology that will open up a world of new job opportunities for you? Just go on craigslist.com, hotjobs.com, dice.com or monster.com or any other and search for Lasso jobs, then search for PHP. The difference is tremendous.

That is probably true. But larger supply = more "competitive" price. I do not like to "compete" with thousands of students for the job.

> Also, most web hosting services provide PHP and MySQL... how many provide Lasso?

That is not an issue in US, there are many Lasso and FM hosting companies. Personally I would like to host everything myself, because of full control and nice income.

> ASP is also a good technology, and offers far more pre-canned functionality than Lasso (thereby making it a more production tool). I don't think ASP is quite as fast as Lasso or PHP, but the difference is not much. The only thing is, ASP doesn't yet have a free code package that abstracts the http/xml layer it uses to communicate with FileMaker. I don't think any of us are supporting E-Bay type traffic with FileMaker on the back end, anyway - so the speed differences are not too noticeable.
>
> ----
>
> Re: security. Any middleware is a HUGE improvement over FileMaker's native web scripting. First, these all offer increased security by removing FileMaker's web vulnerabilities - any client communication to FileMaker must be filtered through the middleware, which can be built to provide as tight a security model as you like. Any of the aforementioned scripting languages will also vastly boost your productivity by allowing you to approach standard programming problems in standard ways - instead of looking for brittle and obscure work arounds in CDML.

Read the White papers. Lasso means much less code, than ASP. Lasso runs on Windows, MacOS, MacX and Linux. ASP is not a serious competitor for Lasso. I do not know if you can hide completely database from users in PHP, like Lasso is doing with properly constructed InLines.

My resume is, that if I have to start with zero budget, I'll go the MySQL PHP way. If there is budget, then it is Lasso all the way. BTW new Lasso 7 has many improvements over Lasso 6.
October 30, 2003

crazy Eastern Europeans..... hm.....ASP u say....it will run on Win and Linux.......there is an ASP/VB connector that seems to be popular http://www.fmcdn.com/downloadForm.cfm but how good it is I wouldn't know. ODBC ways to FM DBs through ASP are not worth the time... If FM would make a better ODBC, ASP would most definitely be my choice over Lasso tags ....from the "ease of coding" point of view. But this will not happen....one hand washes the other....Lasso stays, FM ignores the buggy ODBC.

There, my little support of ASP

All the best!
October 30, 2003

> PHP doesn't come integrated with MySQL

How can you say that? PHP has low-level hooks for native connectivity to MySQL at a lower level (more efficient) than ODBC and JDBC.

> Lasso means much less code, than ASP

This really depends on what you're trying to accomplish. For a windows based intranet, ASP has tons of windows hooks that other products can't compete with. Also, ASP has many built-in objects for manipulating windows domain stuff very easily. If Lasso can even do that at all, I think it would require much more code and be much less efficient.

> I do not know if you can hide completely database from users in PHP, like Lasso is doing with properly constructed InLines

With PHP, you don't expose anything about the database on the web form. You just write a standard form and name the input fields whatever you want - completely independent of the database structure. The page that you submit the form to has all the database code; but that code is never sent downstream to the client - it is only evaluated and executed on the server side.

> Lasso runs on Windows, MacOS, MacX and Linux

So does PHP and ASP (for ASP, you have to use Chili(?) ASP).

> But larger supply = more "competitive" price

Yeah, but in my experience, the more technology you know, the better you get paid. PHP or ASP open the door to tons of other technologies; whereas Lasso limits you to an unorthodox paradigm. In my experience, I've noticed PHP coders tend to get paid better than Lasso coders.

> PHP is much more difficult if you start with CDML knowledge than Lasso. Even without CDML base Lasso (IMHO) is still easier and simpler. The price of Lasso probably reflects this.

I don't understand... because Lasso is more expensive, it must be easier to learn? When I started web programming, I tried to start with Lasso. ZERO luck, mostly because there just weren't any good books on the subject. I tried to follow examples from online stuff, but nothing worked. And more importantly, I didn't understand what was going on in the bigger picture, and nothing Lasso related helped me figure that out. When I switched to PHP, all of a sudden there were tons of excellent books on the subject, and I was able to learn it in no time. Also, since the PHP syntax and paradigm are similar to C, Java, JavaScript, etc, I was able to pick it up quite easily. Only after I'd learned PHP was I able to (sort of) grasp Lasso.

> That is why plenty of people are happily paying for the Lasso.

I think many people are paying for Lasso because they don't know that there are other options for web-enabling FileMaker. Besides, these other options for web-enabling FileMaker didn't really come about until FMP 6.0, so they haven't been around long enough to be well known. People that had to web publish before that didn't really have a choice other than Lasso, and now they're stuck with it.

> Lasso is Objects oriented

Lasso supports some object oriented programming, but not as nicely as PHP. Also, the Lasso paradigm for writing OO is kind of weird, whereas the PHP method is very standard/common.

> If I want to protect the middleware/HTML code, Lasso is much cheaper

Yes, Lasso is cheaper if you need to scramble your code so that other people can't read it. However, as most web developers sell services and not products, scrambling the code is rarely useful.

---

Hi Leb i Sol! If you want to use ASP, you can use the MSXML object to send HTTP requests to FileMaker and get back XML responses. Then you can load the XML response into an XMLDOM object (or, I think you can even load it into an ADO recordset object) and you should be good to go from there. That is much, much faster than ODBC!
October 30, 2003

Mariano Peterson said:

> How can you say that? PHP has low-level hooks for native connectivity to MySQL at a lower level (more efficient) than ODBC and JDBC.

So when you install PHP, you will get automatically MySQL with all functionality and Access level security etc?

> > Lasso means much less code, than ASP
>
> This really depends on what you're trying to accomplish. For a windows based intranet, ASP has tons of windows hooks that other products can't compete with. Also, ASP has many built-in objects for manipulating windows domain stuff very easily. If Lasso can even do that at all, I think it would require much more code and be much less efficient.

I am talking only about generic Web stuff and not Windows only solutions.

> > I do not know if you can hide completely database from users in PHP, like Lasso is doing with properly constructed InLines
>
> With PHP, you don't expose anything about the database on the web form. You just write a standard form and name the input fields whatever you want - completely independent of the database structure. The page that you submit the form to has all the database code; but that code is never sent downstream to the client - it is only evaluated and executed on the server side.

OK, so it is the same.

> > Lasso runs on Windows, MacOS, MacX and Linux
>
> So does PHP and ASP (for ASP, you have to use Chili(?) ASP).

That is OK, but still nogo on MacOS. No big deal.

> > PHP is much more difficult if you start with CDML knowledge than Lasso. Even without CDML base Lasso (IMHO) is still easier and simpler. The price of Lasso probably reflects this.
>
> I don't understand... because Lasso is more expensive, it must be easier to learn? When I started web programming, I tried to start with Lasso. ZERO luck, mostly because there just weren't any good books on the subject. I tried to follow examples from online stuff, but nothing worked. And more importantly, I didn't understand what was going on in the bigger picture, and nothing Lasso related helped me figure that out. When I switched to PHP, all of a sudden there were tons of excellent books on the subject, and I was able to learn it in no time. Also, since the PHP syntax and paradigm are similar to C, Java, JavaScript, etc, I was able to pick it up quite easily. Only after I'd learned PHP was I able to (sort of) grasp Lasso.

Why to pay for Lasso, when it has all the disadvantages? I am no coder and I never want to be. It is like playing music from score. Lasso is maximum what I've allowed to myself, not a bit more. I hate all code-writing. Only if I must and for good money.

> > That is why plenty of people are happily paying for the Lasso.
>
> I think many people are paying for Lasso because they don't know that there are other options for web-enabling FileMaker. Besides, these other options for web-enabling FileMaker didn't really come about until FMP 6.0, so they haven't been around long enough to be well known. People that had to web publish before that didn't really have a choice other than Lasso, and now they're stuck with it.

Not me. But all other options are just horrible. I've asked for simple PHP code which is doing the simple CDML/Lasso "NEXT" and it was couple of lines, maybe 8. That was 3 years ago. No thanks! Not for me! BTW, the Lasso List has hundreds of experts much better than me and they select Lasso above all. I am just a beginner. You are just speculating in this point. Ask them why they pick Lasso. Mostly they do use MySQL and only on client request FileMaker.

> > Lasso is Objects oriented
>
> Lasso supports some object oriented programming, but not as nicely as PHP. Also, the Lasso paradigm for writing OO is kind of weird, whereas the PHP method is very standard/common.

I do not know about that. My simple custom tags are piece of cake and debugging is 100 times easier than in ASP and probably PHP as well.

> > If I want to protect the middleware/HTML code, Lasso is much cheaper
>
> Yes, Lasso is cheaper if you need to scramble your code so that other people can't read it. However, as most web developers sell services and not products, scrambling the code is rarely useful.

I like it and I will not release my code until it is paid in full.
October 31, 200322 yr PHP rules! So when you install PHP, you will get automatically MySQL with all functionality and Access level security etc? PHP is only PHP - so strictly speaking PHP does not install MySQL. BUT, PHP is specifically optimized to work with MySQL. MySQL is installed separately. The two are designed to work together, so it's very easy. And yes, PHP sessions and web security are designed so that it can be run with MySQL on the back end (or any other database or even the file system for that matter). Also, there are several free installation packages available that install PHP, MySQL, and even Apache for you, and configure everything like you described (merlin and foxserve are two that come to mind). Most of these also install Perl. I've asked for simple PHP code which is doing the simple CDML/Lasso "NEXT" and it was couple of lines, maybe 8 If you're using the FX class, the following code is all you need: $myData['linkNext'] My simple custom tags are piece of cake and debugging is 100 times easier Well, that's the whole idea behind OO. If you write your code the right way, PHP and ASP are also very easy to debug -- you never have to look at pages and pages of code; just the paragraph (or in extreme cases page) of code for your class. I will not release my code until is paid in full. Since all PHP, ASP, and Perl code resides on the server, you don't have to release anything until it's paid for. Just host the solution on your test server until the client pays and the code is ready to be delivered and deployed.
October 31, 200322 yr RE: PHP is only PHP - so strictly speaking PHP does not install MySQL. So Lasso *is* fully integrated with MySQL. It couldn't function without MySQL. PHP not. All management tools are Lasso/MySQL integrated. The cost of all this in PHP will be much more, than Lasso's price. RE: If you're using the FX class, the following code is all you need: $myData['linkNext'] Yeah, but I do not want to chase various classes. I want compact syntax working of the shell for all databases. Lasso. RE: Well, that's the whole idea behind OO. If you write your code the right way, PHP and ASP are also very easy to debug -- you never have to look at pages and pages of code; just the paragraph (or in extreme cases page) of code for your class. In other words -- no nice debugger for ASP and PHP like in Lasso I guess. What will happen, if you'll forget simple character like comma? RE: Since all PHP, ASP, and Perl code resides on the server, you don't have to release anything until it's paid for. Just host the solution on your test server until the client pays and the code is ready to be delivered and deployed. Not flexible enough. I like to sell application and have code in my property until someone will pay for that code as well. How can I install working application at client without releasing the code -- know-how? Only with much more expenses in PHP case, than with Lasso. Lasso is cheap! What I know about PHP is putting me off. Next project will be again Lasso based, because regardless of the price -- it is the best for me. And when I am carefully counting, it is much cheaper than PHP.
October 31, 200322 yr The cost of all this in PHP will be much more, than Lasso's price. No. PHP is free. Most PHP tools are free. phpMyAdmin is free. MySQLManager is free. MySQL Control Center is free. There are numerous free tools for PHP and MySQL on the web. The bottom line: PHP is free, Lasso is not. I do not want to chase various classes. I want compact syntax working of the shell for all databases You don't have to chase classes; FX is _THE_ class for connecting FileMaker and PHP, and offers all the functionality you need. But what's wrong with chasing classes anyway? If somebody else has already done it and packaged it in a class, why re-invent the wheel? no nice debugger for ASP and PHP ASP and PHP both have very descriptive error messaging. If you forget a comma somewhere, you'll get an error page that tells you you're missing a comma and the location of the error (line and column). Further, MS Visual Interdev has a powerful debugger that can step through the code. There are also several others for PHP, but I've never had to rely on a debugger for either PHP or ASP; the error messages they automatically generate have always been enough for me. I like to sell application and have code in my property until someone will pay for that code as well In this case, you'll need to scramble your code, and yes, you would have to purchase the full Zend package which costs more than Lasso. However; selling the code to a web application is kind of unusual. People typically sell client access licenses (cals) for online applications they host themselves. This way, you generate a recurring revenue stream that increases as your client's business grows. With the ASP business model (application service provider, not MS active server pages), the client cannot "steal" your code because it's on your production server and they don't have access to the file system on that machine. And when I am carefully counting, it is much cheaper than PHP I don't agree. At last check $0 < $1000. 
Anyway, I like PHP and I'm sticking with that. Besides, I don't want to shell out the bucks for Lasso. --- Hey by the way Anatoli, I'm just giving you a tough time about Lasso. It's a perfectly fine technology, I just like PHP better - but I can see perfectly well why you prefer Lasso. So, no hard feelings, it's all in good fun buddy. It's nice to have a good debate about middleware every now and then
October 31, 200322 yr oooooooo I would love to have a cup of coffee with you guys and chat about web/DBs....these are some great posts Mariano, thanx for the XML approach...I knew about it, I just never ventured in that direction since XML was not my thing. But, I have started to respect/learn it.. ...and still have to say that ASP/PHP even JSP* is EASY to debug and quick and safe Server Side Executed language-hence no need to "chrome" your code - regardless of the web server platform or DB......after all....IT ALL gets executed based on Standard Query Language only tags get changed. IMHO it is not that hard to "tag the tags" much like words WHERE or UPDATE or INSERT stand out in this post and any Inline action does not even come close in comparison to dynamic SQL query strings that can include as many logical combos as u can think of.....honestly, FM was never my 1st. choice (for the web) but is a great "workgroup DB" that was "forced" on the web. Access lovers lucked out only because core of Access is on SQL and connection engines were forcefully evolved over the years due to power of Micro$oft. anyway, where is my cup of coffee.... All the best! By the way in MySQL V5 "stored procedures" will be supported....
October 31, 200322 yr RE: The bottom line: PHP is free, Lasso is not. My point is -- Lasso cost me 999 and a bit of learning. PHP will cost me thousands of $$$ just to be on the same level. It is the same with cars -- any idiot can repair them, but I never did that, I am happily paying garage bills! RE: However; selling the code to a web application is kind of unusual. I do both, hosting and supplying something for someone else and it makes no difference if it is desktop or web based solution. RE: It's nice to have a good debate about middleware every now and then Sure, 50% of readers will go your way and 50% my way but that doesn't matter. The nice point is to exchange views. RE: Inline action does not even come close in comparison to dynamic SQL query strings that can include as many logical combos as u can think of.....honestly Inline in Lasso is absolutely generic and not relevant to database. The same way something works with FM, it will be with MySQL or Oracle. In SQL databases are differences. And to allow SQL syntax is always some kind of security risk.
October 31, 200322 yr I don't think 50% can afford to go your way Anatoli Even the clients don't want to have to pay for Lasso when they can use PHP. I'm not knocking Lasso, however a need exists for a lot of small web-applications. For example, the handling of file-uploads and concurrently updating an FM database. This is where PHP can be deployed effectively and economically. All the best. Garry
November 1, 200322 yr In this angle you are right. But then I can just provide hosting service and pick CDML or Lasso and not mention cost to client. Or charge just partial cost. And to develop something in PHP will be more expensive because of labor cost. In my case for sure Expensive Lasso plus coding = $10,000. Free PHP plus coding = $15,000. This is my calculation.
November 4, 200322 yr ahaaaa....ur an expensive coder Anatoli "And to allow SQL syntax is always some kind of security risk" - yes and NO, user management and rights to execute SQL can be easily managed ( and YES even on MySQL despite what some of u might argue)....and if u ever "loose=get hacked" on your admin account to the SQL server...well in that case it is time to get religious and hope your backups were running or hire a network admin hint hint hint LOL "The nice point is to exchange views" -[tux]{ one more cup of coffee please ... and whatever these nice people are having
November 4, 200322 yr It isn't my hour rate Anyway, if you allow executing SQL, then someone will try that. I am not yet experienced in this and maybe I will never allow SQL because of "SQL injection" risk.
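Two points debated in this thread, that a server-side page can hide the database structure behind arbitrary form field names and that passing user text into SQL invites SQL injection, are shown together below as an added example that is not any poster's code. It uses Python's built-in sqlite3 in place of PHP and MySQL so that it runs stand-alone; the table, column and form-field names and the sample rows are constructed assumptions.

```python
import sqlite3

# Constructed sample data; table, column and form-field names are assumptions.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE clients (id INTEGER PRIMARY KEY, surname TEXT, city TEXT)")
    db.executemany("INSERT INTO clients (surname, city) VALUES (?, ?)",
                   [("Ames", "Leeds"), ("Brook", "York"), ("Cole", "Leeds")])
    return db

# Public form field name -> real column. The browser only ever sees the keys.
FIELD_MAP = {"q_name": "surname", "q_town": "city"}

def search_concatenated(db, form):
    """Weak form: user text is pasted into the SQL statement itself."""
    sql = "SELECT surname FROM clients WHERE surname = '%s'" % form.get("q_name", "")
    return [r[0] for r in db.execute(sql)]

def search_parameterized(db, form):
    """Hardened form: allow-listed columns, values passed as bound parameters."""
    clauses, params = [], []
    for field, value in form.items():
        column = FIELD_MAP.get(field)
        if column is None:            # unknown field: reject instead of guessing
            raise ValueError("unexpected form field: %r" % field)
        clauses.append(column + " = ?")
        params.append(value)
    if not clauses:
        raise ValueError("empty search")
    sql = "SELECT surname FROM clients WHERE " + " AND ".join(clauses)
    return [r[0] for r in db.execute(sql, params)]

if __name__ == "__main__":
    db = make_db()
    hostile = {"q_name": "x' OR '1'='1"}       # constructed input
    print(search_concatenated(db, hostile))    # every row comes back
    print(search_parameterized(db, hostile))   # treated as a literal surname
    print(search_parameterized(db, {"q_name": "Ames", "q_town": "Leeds"}))
```

The database account used by the web page should additionally hold only the rights that page needs, which is the user-management point made earlier in the thread.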