web companion 'entry only' backdoor


This topic is 8326 days old. Please don't post here. Open a new topic instead.


I'm building a school volunteer database that I want to web enable. It's accessible to everyone.

Web Companion enables setting up a FMPro 5 database for "entry only". This is very easy and works great with newer browsers which support CSS (Cascading Style Sheets).

A user is directed to enter data into a web-enabled form, and a new record is automatically generated. When the submit button is pressed, the results are sent to the database, and the results of that record are displayed in a form for review by the user. ONLY the form that the user has submitted is viewable.

However, when an older browser is detected, the Web Companion automatically delivers a new record in a less elegant display. So far, so good. When the user completes the form and presses SUBMIT, the form is sent to the database which responds with the completed form and the user's record PLUS a full search capability to review "previous records". UH-OH!

In ENTRY ONLY mode the user should NOT be able to view previous records.

This problem would seem to be with Web Companion, since it disables the other records in CSS mode, but doesn't capture the "entry only" mode select for non-CSS.

I've written a JavaScript on the main redirect into the DB form to sort out the browsers and deliver the first page. Do I now have to do a CDML page for the non-CSS browsers?

And, the 64 cent question (hey, it's for a school): How do I make sure that after I "submit" the response is just the record data and not all the records?

Thanks


Yes, I have considered custom web - but it's a volunteer site (I'm also one of the volunteers) and I was trying to get away with a quick and easy one-day project rather than a week of debugging tags.

Normally I use FMP 5 for relational db for my business's prospects, customers, vendors, expense reports, projects, timecards and other accounting remote entry and reporting. It eliminates lots of headaches. Since I know everyone's IP address and browser, I don't have this problem.

Also, the CDML tool does not come with the FMP5 Unlimited CD-ROM. I had to search it out on the FM website to try it out.

The real issue appears to be how to SUBMIT and get a return which does not have the ability to see any other record.


Kirk,

If you come up with a solution, please post it here. I was happy as a lark yesterday with my own "submit only" form until I discovered this same FMP "gotcha" while testing with an older browser. It is unbelievable that FileMaker would permit this security hole.


quote:

Originally posted by CraigH:

Kirk,

If you come up with a solution, please post it here. I was happy as a lark yesterday with my own "submit only" form until I discovered this same FMP "gotcha" while testing with an older browser. It is unbelievable that FileMaker would permit this security hole.

What "security hole"?

[ July 09, 2001: Message edited by: Anatoli ]


The "security hole", from above:

"When the user completes the form and presses SUBMIT, the form is sent to the database which responds with the completed form and the user's record PLUS a full search capability to review "previous records". UH-OH!

In ENTRY ONLY mode the user should NOT be able to view previous records."


quote:

Originally posted by CraigH:

The "security hole", from above:

"When the user completes the form and presses SUBMIT, the form is sent to the database which responds with the completed form and the user's record PLUS a full search capability to review "previous records". UH-OH!

In ENTRY ONLY mode the user should NOT be able to view previous records."

I have only met "back doors" left open by programmers. So if someone is programming that way, it is his/her way of doing things.

I've found FM to be no better, but no worse, than any other system.

How can you search for something when I, as the author, do not program the search?


  • 4 weeks later...

Kirk, if you really don't have time to learn the CDML then I would just use a Java redirect as you've mentioned, and build a static HTML page that tells users to upgrade. Give 'em a link to Netscape, and a link to Microsoft, and call it done.

(Netscape's on version 6.1 now, it's probably time for an upgrade anyway.)

CDML would allow you to build a much more precise and elegant solution, but time is time.

-A
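
One way to check for the behavior described in this thread is to save the page returned after SUBMIT, as an older browser receives it, and confirm it offers no way to search or list records. This is an added example, not part of any post and not FileMaker's code; it assumes the request actions are named `-find`, `-findall` and `-findany` as in CDML request syntax, and the database name, format files and sample pages are constructed.

```javascript
// Added example: audit a post-submit page for record-browsing actions.
// Assumption: a request names its action (-find, -findall, -findany)
// either in a link's query string or as the name of a form control.
const BROWSE_ACTIONS = ['-find', '-findall', '-findany'];

// Return the sorted, de-duplicated browse actions the page exposes.
function exposedBrowseActions(html) {
  const found = new Set();

  // 1. Links: split each href's query string and compare parameter names.
  const hrefRe = /href\s*=\s*["']([^"']*)["']/gi;
  for (const m of html.matchAll(hrefRe)) {
    const url = m[1].replace(/&amp;/gi, '&').split('#')[0];
    const query = url.split('?')[1] || '';
    for (const token of query.split('&')) {
      const name = token.split('=')[0].toLowerCase();
      if (BROWSE_ACTIONS.includes(name)) found.add(name);
    }
  }

  // 2. Forms: any <input> or <button> whose name is a browse action.
  const controlRe = /<(?:input|button)\b[^>]*\bname\s*=\s*["']?([^"'\s>]+)/gi;
  for (const m of html.matchAll(controlRe)) {
    const name = m[1].toLowerCase();
    if (BROWSE_ACTIONS.includes(name)) found.add(name);
  }
  return [...found].sort();
}

// Constructed sample pages (hypothetical, not real Web Companion output).
const ENTRY_ONLY_REPLY = `
<html><body><h1>Thank you</h1>
<p>Name: Pat Example</p><p>Shift: Tuesday</p>
<a href="FMPro?-db=volunteers.fp5&-format=new.htm&-view">Add another</a>
</body></html>`;

const LEAKY_REPLY = `
<html><body><h1>Thank you</h1><p>Name: Pat Example</p>
<a href="FMPro?-db=volunteers.fp5&amp;-format=list.htm&amp;-findall">Previous records</a>
<form action="FMPro" method="post">
<input type="hidden" name="-db" value="volunteers.fp5">
<input type="text" name="Name">
<input type="submit" name="-Find" value="Search">
</form></body></html>`;
```

An empty result for the page every browser class receives is the property "entry only" is supposed to guarantee; any entry in the list means the reply still lets the visitor reach other records.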
