Do I take a risk???

[Anders]

Hello everyone

Do I expose myself to some apparent risk that I don't know of, when publishing my database on the web? I have included the possibility to add/edit/delet data via the web too.

How is my database setup then?

I have two logins, one "No password" and one "Add". "No password" requires, guess what, no password but is restricted to a minimum of rights, Browse and Export. Add, on the other hand may do anything possible in a FmPro41-database.

I have two identical layouts, named "Layout1" and "Add", "No password" is allowed to see "Layout1" in read-only-mode, but isn't allowed to change to the Add-layout. "Add" again may do anything. When searching the database I direct everything to -lay="Layout1"

When using my add/edit/delete-form and using -lay="Add", I'm prompted for a password at login (or if I skip the login when ever I try to save to the database) with a standard two field user/password box. I need only fill in the password-field. Of course this is a risk, only using password and not both. On the other hand, wouldn't defining a password a la "98bKt3ib5&--48754yG" help if handling delicat matters?

I am aware of the closing-browser security loop hole.

My database includes a collection of Internet-links to useful sites on the web, no secret info. But I wouldn't want to have the evil empire adding spam, or deleting records.

Did I miss something dangerous?

(Tried to use the web security database, but that thing is beyond my horizon. Tried all faq's and tutorials I could find on the web, but I always met the Database not open-screen of death.)

TIA

Anders

[Kurt Knippel]

Not to panic you, but as soon as you make you database available to the web, you make your entire database available to the web. No matter what security you put into place within the system itself.

From your explanation I would assume that you have nothing to worry about from hackers. But you really do need to exercise caution when making your data available online.

If you do not need to add records online, you could simply make the database "read only" by uploading a fresh copy each night.

Now of course much of the information posted online is actually eaiser to get through analog means than it is digitally, so most people do not really need to worry that it will somehow be used.

[Anders]

Hi Kurt

I don't mind people "stealing" my data, it would flatter me. The information is available to anyone with an Internet account.

My main concern is that people might see the IP-adress, stumble on the new/edit/delete-page and start messing with my data. And yes I do need a web interface. Adding data may take place on one of many computers. We can't afford installing FmPro on all of them.

Besides I make copies of the database every day, and every night there is a server backup.

Just curious, what would you or someone else with much FmPro-experience be able to do with a database protected as described? I should have mentioned that the system runs on one machine, while the FP3-files lies on another.

Lets not drown in a discussion on what a real hacker could do to just about any system connected to the Internet. I am convinced that they could erase my whole HDD, but on the other hand I bet it's much more fun attacking Microsoft.

-Anders