Jump to content

IWP: validate & edit record securely


This topic is 5662 days old. Please don't post here. Open a new topic instead.

Recommended Posts

In many scenarios using FM / IWP, it's desirable to allow a person to create a new record, have the record validated, and either accept it into the system or show them errors and correct / resubmit, or cancel / delete. Once done, it's also important to block any further access (read or edit) to that record, for security purposes.

There are several problems doing this under IWP:

1. Field validation is rather cumbersome.

2. You can't force someone to logout unless they click a button, and even then it's not 100%.

3. Sometimes, hitting "reload" from a browser will reload the record when it should no longer be visible.

I have come up with some solutions to these problems, and present them here for your consideration:

1. Instead of using field validation, create a single calculation field that either returns "" if the record is valid, or a text description of the error(s) if not. For example:

InValid = 

  If(FirstName = "", "You must supply a first name") &

  If(LastName = "", "You must supply a last name")

  If(Len(EmpID) < 9, "Please supply your 9 digit employe ID")


2. Include a "Submit" button which calls a script which checks the InValid field.

If InValid="", go to a layout which says "thanks for your submission" and sets a field called "Closed" to true.

If it is not empty, go to a layout which shows the user's entered data, along with the text in the InValid field (which will include a list of validation errors).

3. For security purposes, you want to make sure that a given record can not be viewed or edited except for the brief time it's being submitted. Use custom record-level access permissions for the Guest IWP user, such that records are neither viewable or editable after the timeout period (based on record last modification date), nor are they viewable or editable once the "Closed" field has been set to True.

4. In my setup, I actually create a new blank record for the user BEFORE giving them them first data entry layout. This allows me to set some fields and branch to a custom layout depending on the type of issue they are asking about. One disadvantage of doing this is abandoned records -- if the user just walks away from the computer at this point, once IWP times out, you'll have an empty blank record. It's fairly easy to write a script to identify these empty records and delete them at a later date, and it's interesting to see what % of your users abandon the records. I think that browsers w/o java or javascript enabled may cause these blank records, too. I'm not clear on that.

5. I do this all through https:// using a custom apache setup on mac os x.

While not perfect, this solution is working fairly well for me. Basically, it lets you use IWP to implement fairly typical secure web-form system.

Anyone else tried this?

Link to comment
Share on other sites

  • 3 weeks later...

This topic is 5662 days old. Please don't post here. Open a new topic instead.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Similar Content

    • By JDW
      Our company still uses FMP 11 Advanced because hosting online via IWP is much, much cheaper than hosting with a modern version of FMP.  Currently, we pay double to have two different FMP 11 databases hosted online.  One database contains 900 records and is open to the public with no password, and the other has several thousand records and requires a password.  
      In hopes of cutting our hosting cost in half, I would like to combine the two databases into one database, such that we need only pay to host 1 database.  But our need to password protect certain records remains.  
      In other words, I want to put the content that doesn't require a password inside the FMP database file that has data we want to protect.  I know it's possible to combine the two databases, but that would mean we can no longer use a main password to lockout the entire file, as that would lock out everybody.  I would like to know if I can use FMP 11 Advanced to password protect only certain records within a single database file?
    • By AlesD
      Hi I can not fiddle out how to make it work. I have tried several browsers with same result. We are using FM 12 server. I tried this file paths
      and few others
      I'm using this code in the Web Viewer which is working fine in FM client but not in browser
      "data:text/html, <html> <head> <style type=text/css> " & table::style & " </style> </head> <body> <div class='thumb'> <span class='helper'></span><img class='thumb' src='" & table::ThumbnailPath & "'> </div> </body> </html>"  
      If it's caused by fact image is not present in web site folder as stated in document then my question is if it possible use unc network path in filename like file://///other_than_fmserver/networkpath/file.jpg. I wasn't successful either. 
      Any help appreciated
      Thank you
    • By KevinArevalo
      Good morning! I need some help getting something working.
      We have a company website, and we are trying to create a instant web publishing portal for our customers to login and view their open invoices. Pretty simple. We have all of our information on a FileMaker solution that is hosted with FileMaker Server 12. The problem is we can't get it to work the way we want it to. 
      This is our idea and how we kind of want it to work. We want the have our customers create their accounts/passwords on our actual website. We will store their account information on our web server. We will authenticate their login on our web server. Then, after they log into our website, we want to take their username, bypass the filemaker instant web publishing login page, and then set their username (which they used to log into our website, not filemaker) to a global variable or a field or something, we just need it in filemaker so we can do searches on it. We have the instant web publishing layouts built and we can get all that part working fine, we have the login authentication working on our site, that part is fine. It's just bridging the two together. 
      We are using WordPress to build the website, and our site is hosted on GoDaddy. Our problem is that we can't find a way to auto-login and bypass the login web publishing page. We currently have one account called "WebLogin" which we have been trying to use as a general login (since the actual customer login is authenticated on our website, not FileMaker) but we can't seem to bypass the page. I found this page through google searching: http://lnx.acidsoft.net/problemsolved/bypass-filemaker-iwp-login-via-url.html
      and tried to do it the way that he describes, but it is not working. It gives me an error saying:
      Bad Request
      The server could not process your request due to a missing command: ""
      And I get another dialog box that says: 
      Bad Request
      The server could not process your request because your session has timed out, been closed, or communication with the server has been lost.
      Please reselect the database to begin a new session. If you cannot open the database, please contact your database administrator.
      That is one of the problems, how can I resolve this?
      My other problems is we are trying to pass through the username that the customer uses to login to our website as a variable in filemaker or even set it to a field. I am not sure how to do this. Is this even possible?
      Thank you so much!
    • By djlane
      I have an application that was using IWP under FM Server 12, to allow my friends and friends of friends to upload their golf scores, and my system would calculate their USGA handicaps.
      After upgrading to FM Server 13, IWP not longer exists, and WebDirect does not support mobile devices.
      So, I set up an alternative server using FM12.
      A lot of guys that I don't have contact details for, used that IWP based system to upload golf scores. So I don't have a way to tell them all the new URL.
      Using the old IWP URL, you are presented with a screen that says "The requested page is not found. Check the URL you are using to access FileMaker WebDirect."
      I want to edit that page to add some additional information telling them the new URL etc. But I can't find any document with that content in any FM Server folder or sub folder. 
      Anyone know where I can find it ?
    • By cchaski
      Hi, I have a databse hosted in IWP that uses Supercontainer for people to upload documents. The process works fine when I use FMPA 12 to access the hosted database, but when I go through the web browser (the IWP approach), the process does not work. A button "Upload Doc" calls a script that goes to the upload layout, generates the SC id code for the record, shows the webviewer with upload and delete buttons. This works fine when I am using FMP to access the database, but this does not work when I use IWP. When I click the button in IWP, nothing happens. Any ideas?? Thanks in advance!
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.