Jump to content

Security without WSD or FMP Access Privileges


This topic is 7581 days old. Please don't post here. Open a new topic instead.

Recommended Posts

I'm being asked to develop a web site where much of the content will be drawn from a FileMaker database. The site owner will be able to add, edit and delete content by using forms that hit on the database. The problem is that where the site is being hosted (a shared server that is serving up many databases for many other sites) I won't be able to use the Web Security Database or FileMaker's Access Privileges to control security. Users will still need to log in to view the site or make changes and I've made a simple user database to store usernames, passwords, etc. to control access while browsing the site but I can't think of a way to prevent FileMaker-savvy hackers from touching the database content by entering commands through the web browser's address line. Does anyone have any suggestions?

Link to comment
Share on other sites

Howdy! Well, I could be wrong but I don't think you can since that's why those services/options exist. However, there may be some things you can do to make it harder. I haven't used it yet, but FMP6 is supposed to allow you hide your CDML code in a separate folder... see if they will let you use that. You can hide your URLs somewhat by using FORM POSTs instead of GETs and/or CDML links. Maybe you can make it harder by using spaces and nonstandard characters in your field names (and layouts) in conjunction with different form encoding methods to find something that's too troublesome to bother with... even if they somehow think they know what your fields are called. They still need to use your -format pages, too, right? Maybe you can use IF statements to show X if a certain flag field is true or Y if data has been altered but not authorized (calc comparison based on mod date/time and value of 2nd field?). Not true security but a mess to deal with.

Are you sure Access Priviliges is out of the question? I really know nothing about it and haven't used it myself, but I thought AP and sharing info was stored in the db. If so, you could upload your db pre-configured w/AP and settings, and they could just open it up to host.

This is all off-the-cuff but may be worth your looking into if no one offers you a golden fleece solution. Good luck!

--ST

Link to comment
Share on other sites

RE: The problem is that where the site is being hosted (a shared server that is serving up many databases for many other sites) I won't be able to use the Web Security Database or FileMaker's Access Privileges to control security.

I do not believe this frown.gif

Everything there is wide open for everyone without single protection???

One thing is to hack database and get all the info in browser.

This is another case, everyone can create or delete any records from such *stupidly* hosted databases frown.gif

Link to comment
Share on other sites

Perhaps I should investigate other hosting options. I was pretty sure this was a bad idea but I figured it was worth posting the question here before I made any suggestions to the site owner.

Thanks for your input, everyone.

Link to comment
Share on other sites

This topic is 7581 days old. Please don't post here. Open a new topic instead.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.