Jump to content
Claris Engage 2025 - March 25-26 Austin Texas ×

web companion 'entry only' backdoor

thecaptainkirk

By thecaptainkirk
in Security Concepts

 Share

This topic is 8517 days old. Please don't post here. Open a new topic instead.

Recommended Posts

  • Newbies
thecaptainkirk Newbie

thecaptainkirk

Posted
  • Newbies
Posted

I'm building a school volunteer database that I want to web enable. It's accessible to everyone.

Web Companion enables setting up a FMPro 5 database for "entry only". This is very easy and works great with newer browsers which support CSS (Cascading Style Sheets).

A user is directed to enter data into a web-enabled form, a new record is automatically generated. When the submit button is pressed, the results are sent to the database, and the results of that record are displayed in a form for review by the user. ONLY the entered form for that user has submitted is viewable.

However, when an older browser is detected, the Web Companion automatically delivers a new record in a less elegant display. So far, so good. When the user completes the form and presses SUBMIT, the form is sent to the database which responds with the completed form and the user's record PLUS a full search capability to review "previous records". UH-OH!

In ENTRY ONLY mode the user should NOT be able to view previous records.

Thisproblem would seem to be with Web Companion, since it disables the other records in CSS mode, but doesn't capture the "entry only" mode select for non-CSS.

I've wrtten a Javascript on the main redirect into the DB form to sort out the browsers and deliver the first page. Do I now have to do a CDML page for the nonCSS browsers?

And, the 64 cent question (hey, it's for a school) How do I make sure that after I "submit" the response is just the record data and not all the records?

Thanks

Anatoli Grand Master

Anatoli

Posted
Posted

You are probably using Instant Web Publishing. Did you think about the Custom Web Publishing?

Nobody I know is using Instant Publishing and Instant Coffee wink.gif" border="0

  • Newbies
thecaptainkirk Newbie

thecaptainkirk

Posted
  • Author
  • Newbies
Posted

Yes, I have considered custom web - but it's a volunteer site (I'm also one of the volunteers) and I was trying to get away with quick and easy one day project rather than a week of debugging tags.

Normally I use FMP 5 for relational db for my business's prospects, customers, vendors, expense reports, projects, timecards and other accounting remote entry and reporting. It eliminates lots of headaches. Since I know everyone's IP address and browser, I don't have this problem.

Also, CDML tool does not come with FPM5 unlimited CD-ROM. I had to search it out on FM webwsite to try it out.

The real issue appears to be how to SUBMIT and get a return which does not have ability to see any other record.

CraigH Rookie

CraigH

Posted
Posted

Kirk,

If you come up with a solution, please post it here. I was happy as a lark yesterday with my own "submit only" form until I discovered this same FMP "gottcha" while testing with an older browser. This is unbelieveable that Filemaker would permit this security hole.

Anatoli Grand Master

Anatoli

Posted
Posted

quote:
Originally posted by CraigH:

Kirk,

If you come up with a solution, please post it here. I was happy as a lark yesterday with my own "submit only" form until I discovered this same FMP "gottcha" while testing with an older browser. This is unbelieveable that Filemaker would permit this security hole.

What "security hole"?

[ July 09, 2001: Message edited by: Anatoli ]

CraigH Rookie

CraigH

Posted
Posted

The "security hole", from above:

" When the user completes the form and presses SUBMIT, the form is sent to the database which responds with the completed form and the user's record PLUS a full search capability to review "previous records". UH-OH!

In ENTRY ONLY mode the user should NOT be able to view previous records.

Anatoli Grand Master

Anatoli

Posted
Posted

quote:
Originally posted by CraigH:

The "security hole", from above:

" When the user completes the form and presses SUBMIT, the form is sent to the database which responds with the completed form and the user's record PLUS a full search capability to review "previous records". UH-OH!

In ENTRY ONLY mode the user should NOT be able to view previous records.

I met only "back door" left open by programmers. So if someone is programming that way, it is his/hers way of doing things.

I've found FM to be not better, but not worst than any other systems.

How you can search something, when I will not program the search as an author?

  • 4 weeks later...
Arin Community Regular

Arin

Posted
Posted

Kirk if you really don't have time to learn the CDML then I would just use a Java redirect as you've mentioned, and build a static html page that tells users to upgrade. Give 'em a link to netscape, and a link to Microsoft, and call it done.

(Netscape's on version 6.1 now, it's probably time for an upgrade anyway smile.gif" border="0 )

CDML would allow you to build a much more precise, and elegant solution, but time is time.

-A

This topic is 8517 days old. Please don't post here. Open a new topic instead.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.

  I accept