dynamic login via API for PHP

[filemakeruser11-IT]

Dear Sirs,

I am new to php, therefore I have an important question that I hope some of he gurus here will help me to make clear!

this is the situation:

1. I have a full filemaker database that I would use to build an ecommerce website;

2.For each customer,in filemaker database, I have created a login and a password,to which are assigned diferent privileges and extended privileges sets;this helps me to have a great control over what each customer category can or cannot do, see or not see(eg.I set up privileges in a way that a customer can see only the orders that he had created;i though that this was a better solution instead of retreiving via php related records;what do you think?)

3.I connect to filemaker database using filemaker server,(for now,testing it on local server);

the filemaker object contructor tells to specify a username and a password as follows:

new FileMaker('DatabaseName', NULL, 'username', 'password');

My intention would be allowing to each customer to log in using their login and password that are stored in the filemaker database;

here is my question about API FOR PHP:

a.Is it possible,instead of specifying username and password in the constructor,to pass them dinamically,taking those value from two text input fields called login and password?

b.And it is possible to make it directly in the index.php page,instead of doing it in a login page?

In filemaker API for PHP documentation I have not found any example or explanation of it.

I hope that someone can give me an anwer, maybe showing a piece of code.

Thanks in advance for the help!

Stefano from Italy

[Genx]

2) I'm not sure restricting in that way will work, though to be honest I haven't tried it. What I would think would happen is that all records would be retrieved and you would simply have restricted access on various records. I personally would prefer doing this via PHP rather than attempting to rely on the FileMaker security system which is hard to use for a lot more than layout limitation in this case.

Anyway, feel free to give that a go and let me know how it turns out.

.. Then again, you would still have to run a FindAllCommand vs. constructing a very basic find request so even if it did work I'm not sure I would see the benefit in going through that amount of trouble.

a. new FileMaker('DatabaseName', NULL, $_SESSION['username'], $_SESSION['password']); would work fine. If you don't know what a session is just google it - essentially though its a way of temporarily storing data on the server for a particular person using your site over various pages.

Not sure i understand that question

[filemakeruser11-IT]

Dear Sir,

thanks for your really quick reply!

your reply gave me the idea of what I should look for to solve this problem about logging in dinamically. thanks a lot.I will google more about it.

I have a question about username and password to be sent to the customer to login dinamycally:

to access a filemaker database, not considering the guest account,I have always to enter a username and an password,which are stored and encrypted inside the filemaker datadase.

Thi means that If I will have 1,000 customers, I will have to create, Inside filemaker, 1000 accounts with its own proper username and password.

Therefore I must send by email to each customer the unique filemaker login an password,that I have created and are stored in filemaker,allowing them to access the database.

it is the correct way to proceed?

thanks again!

stefano

[Genx]

Well you can do it that way, but i find that it unecessarily clutters the FM security Schema.

I personally prefer to store the username and an encrypted version of the password (encrypted via php) within a standard FileMaker table. It makes management of all the accounts a lot easier and allows you to automate various things like password recovery etc. if you wanted.

[LaRetta]

prefer to store the username and an encrypted version of the password (encrypted via php) within a standard FileMaker table.

Wow, Alex. Can you explain why this is safe? We are told repeatedly never to store passwords within FM. If it makes password retrieval easier for you, might it not make it easier for others as well?

Is it safe because Users are online and separate from the FM file? I'm sure you have your reasons and I just want to understand it. :wink2:

Edited October 25, 2007 by Guest

[Genx]

Okay firstly to clear up:

This is one way encryption, the password cannot be decrypted (so if the database is stolen, the passwords can't be retrieved, actually even the owner of the db wouldn't be able to tell what the password is), nor does the user have access directly to the FM interface - they are only ever given access to whatever you provide in PHP - i.e. you build your own security model because the communication is essentially:

User -> Browser -> PHP -> FileMaker -> PHP -> HTML -> Browser -> Output

The PHP -> FileMaker -> PHP section is the critical bit - you control and can alter anything the user provides, and likewise you output whatever you want.

Here's how it works:

1) The user creates their account via php and specifies a password

2) The password is encrypted using a one way encryption algorithm using their username and maybe some static key as the salt (the key that add's some extra randomness to the encryption algorithm). E.g. crypt(password,username) - the reason we need the salt is to guarantee the same hash is to make it just that little bit more secure e.g. crypt("person","a") might always return 56adsf5621a521b84ahGASasfg

3) When we want to "log the user in" we are not actually loging them into FileMaker. We simply run a check to see if the username and the result of the crypted password using the provided username as the salt match the username and the crypted password in the database

4) If there is a matching record, a session is initiated on the server - all this does is tells us that the user has provided valid credentials to have access to our system.

I just want to stress that the username and password have no real relevance in relation to accessing the core FileMaker system. They are only used to confirm that the user is infact allowed access to your web based system, for which you have in a sense created your own security system because you are limiting what information if any is ever given to the end user on the other side of that browser.

PS sorry if my explanation sucks.

[LaRetta]

I think you explained it pretty well; that you aren't using it to access the FM file itself. Thanks! :waytogo: