
Security without WSD or FMP Access Privileges


This topic is 7695 days old. Please don't post here. Open a new topic instead.


Posted

I'm being asked to develop a web site where much of the content will be drawn from a FileMaker database. The site owner will be able to add, edit and delete content by using forms that hit on the database. The problem is that where the site is being hosted (a shared server that is serving up many databases for many other sites) I won't be able to use the Web Security Database or FileMaker's Access Privileges to control security. Users will still need to log in to view the site or make changes and I've made a simple user database to store usernames, passwords, etc. to control access while browsing the site but I can't think of a way to prevent FileMaker-savvy hackers from touching the database content by entering commands through the web browser's address line. Does anyone have any suggestions?

Posted

Howdy! Well, I could be wrong but I don't think you can since that's why those services/options exist. However, there may be some things you can do to make it harder. I haven't used it yet, but FMP6 is supposed to allow you to hide your CDML code in a separate folder... see if they will let you use that. You can hide your URLs somewhat by using FORM POSTs instead of GETs and/or CDML links. Maybe you can make it harder by using spaces and nonstandard characters in your field names (and layouts) in conjunction with different form encoding methods to find something that's too troublesome to bother with... even if they somehow think they know what your fields are called. They still need to use your -format pages, too, right? Maybe you can use IF statements to show X if a certain flag field is true or Y if data has been altered but not authorized (calc comparison based on mod date/time and value of 2nd field?). Not true security but a mess to deal with.

Are you sure Access Privileges is out of the question? I really know nothing about it and haven't used it myself, but I thought AP and sharing info was stored in the db. If so, you could upload your db pre-configured w/AP and settings, and they could just open it up to host.

This is all off-the-cuff but may be worth your looking into if no one offers you a golden fleece solution. Good luck!

--ST

Posted

You could use a similar setup to the one I described in the thread titled "Web Security Filter".

You would need another site which has PHP scripting available on it. This would be a proxy for the FM site.

All the best.

Garry
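Added example, not part of Garry's post or of the "Web Security Filter" thread: one way the request filter in such a PHP proxy could work, forwarding a request to the FileMaker site only when the logged-in role is allowed the CDML action it carries. The database name, format pages, role names and upstream host are assumptions made for illustration.

```php
<?php
// Added example, not from the thread. Hypothetical names: DATABASE, FORMATS,
// the role names and the upstream host. Assumes field names contain no
// spaces or dots, since PHP rewrites those characters in parameter names.
const UPSTREAM = 'http://fm-host.example/FMPro';
const DATABASE = 'content.fp5';
const FORMATS  = ['list.htm', 'detail.htm', 'edit.htm'];
const READ     = ['-find', '-findall', '-view'];
const WRITE    = ['-new', '-edit', '-delete'];
const OPTIONS  = ['-db', '-lay', '-format', '-error', '-recid', '-max', '-skip'];
const POLICY   = ['viewer' => READ,
                  'owner'  => ['-find', '-findall', '-view', '-new', '-edit', '-delete']];

// Returns [true, upstream URL] when allowed, [false, reason] when rejected.
function filter_request(array $params, ?string $role): array
{
    if ($role === null || !isset(POLICY[$role])) {
        return [false, 'no authenticated session'];
    }
    $actions = [];
    foreach ($params as $name => $value) {
        $name = (string) $name;
        if (!is_string($value)) {
            return [false, "array-valued parameter $name"];
        }
        if ($name === '' || $name[0] !== '-') {
            continue;                           // ordinary field data
        }
        if (in_array($name, READ, true) || in_array($name, WRITE, true)) {
            $actions[] = $name;                 // CDML action tag
        } elseif (!in_array($name, OPTIONS, true)) {
            return [false, "parameter $name not allowed"];
        }
    }
    if (count($actions) !== 1 || !in_array($actions[0], POLICY[$role], true)) {
        return [false, 'action missing, ambiguous, or not permitted for role'];
    }
    if (($params['-db'] ?? '') !== DATABASE
        || !in_array($params['-format'] ?? '', FORMATS, true)) {
        return [false, 'database or format page not on the allowlist'];
    }
    return [true, UPSTREAM . '?' . http_build_query($params)];
}

// Constructed requests, as PHP would parse them into $_GET or $_POST.
$base = ['-db' => 'content.fp5', '-format' => 'list.htm'];
print_r(filter_request($base + ['-findall' => ''], 'viewer'));
print_r(filter_request($base + ['-delete' => '', '-recid' => '7'], 'viewer'));
print_r(filter_request($base + ['-find' => '', '-script' => 'x'], 'owner'));
```

In the proxy itself the call would take `$_GET` or `$_POST` and the role stored in the session at login. The filter only protects the data if the FileMaker host accepts requests from the proxy alone; a directly reachable FileMaker URL bypasses it.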

Posted

RE: The problem is that where the site is being hosted (a shared server that is serving up many databases for many other sites) I won't be able to use the Web Security Database or FileMaker's Access Privileges to control security.

I do not believe this :(

Everything there is wide open for everyone without a single protection???

It is one thing to hack a database and get all the info in a browser.

This is another case: everyone can create or delete any records in such *stupidly* hosted databases :(

Posted

Perhaps I should investigate other hosting options. I was pretty sure this was a bad idea but I figured it was worth posting the question here before I made any suggestions to the site owner.

Thanks for your input, everyone.

Posted

Eerie... I was just checking out their site when I got your email. :o

Actually, they came up first in a Google search.

Thanks again.
