I am currently working with FileMaker and their PHP API, and I have to search, insert and update database entries from a website.
I just have a quick question really. Is there any specific security issues I should be concerned about whilst working with the FileMaker Database as I don’t believe it uses SQL as a backend language so there would be no SQL Injections and things like that.
Obviously I sanitize all data for HTML and any arbitrary code, but is there anything I should be weary of for things like SQL injections but for FileMaker?
All answers would be welcome.
FileMaker PHP API uses FileMaker Server’s XML backend, which only accepts GET and POST requests in known format. I don’t think there’s a way to send something malicious.
There could be a way to bypass your PHP layer and access the XML backend directly. If this is a problem, it should be solved on both PHP and FileMaker levels. E.g. one way is to create a special account for web access and only give the password to the PHP app. (This implies you don’t need personalized web access or have a special scenario for it.) If this doesn’t work, there’s a number of other options: one can restrict access to layouts and fields, mark layouts as read-only, or use FileMaker scripts to do custom checking and completely hide what is going on.