5.3 Performing Scripts on Web-Published Databases

If you grant permission to perform a -script with an action, keep the following serious considerations in mind. Script steps that pause and wait for a response will not display a dialog or button in the web browser. Script steps that are meant to display a dialog and await data entry will not display in the web browser either. If the Perform without dialog option is selected, some script steps may work in web-published databases. Script steps that perform file- or machine-specific actions may be useful to web-published databases but produce unpredictable results if not thoroughly tested.

Tables 5.2 through 5.5 group some of the script steps by interaction requirements and provide additional suggestions for their use or non-use. Heed the advice for securing your scripts if you must use them. You can read more about script security in the "Script Security" section later in this chapter.

Table 5.2: Script steps that pause or require dialog response

| Script step | Comments |
| --- | --- |
| Pause/Resume Script [] | Break your script steps into separate actions and get a response from the browser through a link or form submission. |
| Enter Browse Mode [Pause] | This may be helpful from the database perspective to restore it to a state that is helpful to web publishing. If this script step is used, do not select the Pause option. |
| Enter Find Mode [Pause] | Use a web form to allow entry of search criteria and use the action -find in the submit button. |
| Enter Preview Mode [Pause] | You could have a separate web display page for printing. Instruct the user to print manually with the browser commands. |
| Insert From Index [] | Do not use this script step, because it must pause to allow the index of a field to be displayed. |
| Insert Movie [] | Do not use this script step, as it displays the Mac OS Open dialog box to select a QuickTime movie. |
| Insert QuickTime [] | Do not use this script step, as it displays the Windows Open dialog box to select a QuickTime movie. |
| Insert Picture [] | Do not use this script step, because it displays the Open file dialog box. |
| Insert Object [] | This script step may work on Windows if all the parameters are preconfigured. |
| Change Password [] | Use a login and registration process to track passwords. This script step uses a dialog box that does not display on the web. |
| Recover [] | This is a file-level script step that can cause severe damage. Do not use it in any script. |
| Spelling | Do not use any of the spelling script steps, as they may require a dialog box. These steps are Check Selection, Check Record, Check Found Set, Correct Word, Spelling Options, Select Dictionaries, and Edit User Dictionary. |
| Preferences and developer dialogs | There should be no need to use these script steps in web-published databases. Each of these uses a dialog, which does not display in the web browser: Open Application Preferences, Open Document Preferences, Open Define Relationships, Open Define Value Lists, Open ScriptMaker, and Open Sharing. |
| Show Message [] | This script step is often used as a branch to different actions based upon the buttons selected. You can provide these choices with HTML forms or links. |

Table 5.3: Script steps that require "Perform without dialog"

| Script step | Comments |
| --- | --- |
| Sort [] | Web Companion includes two parameters for use with an action, -sortfield and -sortorder, which are discussed in the "Sorting Parameters" section in this chapter. However, if this script step does not require user response, it can safely be used with web-published databases. |
| Print script steps | Print Setup (Windows), Page Setup (Mac OS), and Print [] all could require user response. If you enable the Perform without dialog option, where would this report be printed? If you have a printer connected to your computer serving web-published databases, it might function as expected. Test this before relying upon this script step in web-published databases. |
| Revert Record/Request [] | The stateless nature of the World Wide Web practically negates the need for this script step. Transactions are not complete until the user submits a form or follows another link. |
| Delete All Records [] | Used wisely, with security measures and avoiding a dialog, this script step may be necessary to remove a found set of records from a web-published database. The -delete action in Web Companion only works with whichever record ID (-recid) is specified in the request. |
| Replace [] | Dangerous, at best, on a networked system, this script could take exceedingly long for the web user if requested. |
| Relookup [] | This may not function as expected if used with web-published databases. |
| Dial Phone [] | This will send a signal through the serial/phone port to dial the number. When the script is executed on the computer serving as a web publisher, it will show a dialog and pause, even with Perform without dialog selected. |
| Open URL [] | Sending an Open URL request by script may not reconnect back to web-published database pages. Rather than relying upon this script step, use a field in the database with the URL and format the resulting web page to contain the field contents in an anchor or a link. See the "Hyperlinks and Anchors" section of Chapter 6 for more information about anchors and links. |
| Import/Export Records [] | This script step works off the local machine, not the server, if you are web publishing the databases. This may be advantageous to web-published databases if you have file control with a plug-in. The path to an exported file can be used in a hyperlink to allow the user to download the file. The path must be relative to the page with the link or an absolute path. Use this set with great care. Remember that the database must have export permission to return XML results. |
| Execute SQL [] | SQL requests may display a password dialog for the ODBC data source if the password has not been previously saved. |
| Send Mail [] | This script will use the email client on the web publisher machine if one is available. The -mailto parameter is not available with XML publishing. Use the mailto: protocol of the user's browser to send email. |
| Insert Current User Name [] | The user name is taken from the system that is web publishing the database. It will be the same for all users. The External("Web-ClientName", 0) function can be used to enter the web user if a password browser login has been used. |
| Allow Toolbars [] | This script step has no effect on web-published databases. |
| Toggle Window [] | The database window will toggle, but the step does not affect the browser window. |

Table 5.4: File actions requiring passwords or not allowed

| Script step | Comments |
| --- | --- |
| New [] | This script step will create a new database, and may display a dialog box. No interaction can be implemented by the web users, so do not use this script step when web publishing databases. |
| Open [] | This step may display a dialog box requesting the location of the file to open but may be used to open a closed database. |
| Open Hosts [] | This script step may display a dialog box to choose a file from the server. Do not use with web-published databases, but use the Open [] step, above, to open specified databases. |
| Close [] | This may be used with web-published databases. If the file to close is not specified, this step will close the current file. |
| Save a Copy As [] | This script step may display a dialog box but may be used carefully with web-published databases. |
| Exit Application | Windows command to quit FileMaker Pro. |
| Quit Application | Macintosh command to quit FileMaker Pro. |

Table 5.5: Undesired events with these script steps

| Script step | Comments |
| --- | --- |
| Beep | This may be performed, but the sound will be produced on the web publisher machine and not in the user's browser. |
| Speak [] | This will be performed on the web publisher machine and not in the user's browser. |
| Send Apple Event (Mac OS) [] | Platform-specific steps may not work as desired when requested in a -script called in an XML request. |
| Perform AppleScript (Mac OS) [] | Platform-specific steps may not work as desired when requested in a -script called in an XML request. |
| Send DDE Execute (Windows) [] | Platform-specific steps may not work as desired when requested in a -script called in an XML request. |
| Send Message (Windows) [] | Platform-specific steps may not work as desired when requested in a -script called in an XML request. |
| Navigation | (Go to Field, Go to Layout, Go to Record, Go to Related Record) The navigation script steps may perform unpredictably when requested from a web user. Since the interface is the web browser, these steps may not be needed. The request may not complete before the next web user makes a request and halts the current script. Use the XML parameters and requests to perform any of these actions. |

The following table contains script steps that may perform as expected if you have selected the Perform without dialog option when you created the script. Additional comments are also included to assist with performing these actions from a web browser.

5.31 Script Steps to Avoid in Web Publishing

  • Go to Layout can be replaced with the -lay value in the XML request.

  • Do not ask for a response to any dialog, such as Show Message []. The web user will not see these dialogs, and the database may freeze waiting for a reply. Check out DialogMagic at http://www.nmci.com/ for a plug-in method of dismissing dialog boxes.

  • Do not provide any scripts or script steps that may be developer commands (Open Define Fields or Toggle Window[Show]). Any script can be performed in an XML request. Avoid using these script steps in web-published databases for security reasons.

  • Use extreme caution when creating, editing, or deleting records or field data in script steps. These actions can all be performed with XML requests.

  • Avoid performing finds with scripts. Most of these can be accomplished with the -find action. See the "Script Parameters" section in this chapter for information on when a scripted find is performed in relation to the -find action.

  • Do not allow any pauses in any script steps!

  • Many script steps can be used safely with the XML request. Test the results with many users to see if they work as predicted. Try to revise the way these steps could be performed with the XML actions and parameters rather than with a script.
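
Because any script can be named in an XML request, one way to enforce the advice in this list is a request check placed in front of Web Companion. The following is an added example, not code from the book or from FileMaker: it lets only allow-listed script names through and refuses -delete without a single -recid. The host, script names and sample URLs are constructed, and -db, -format, -script.prefind and -script.presort are Web Companion parameter names not shown in this section.

```python
from urllib.parse import parse_qsl, urlsplit

# Assumed names: every script name, host and URL below is constructed.
SCRIPT_PARAMS = {"-script", "-script.prefind", "-script.presort"}
ALLOWED_SCRIPTS = {"WebResetBrowse", "WebSortByName"}  # hypothetical audited scripts


def check_request(url, allowed_scripts=ALLOWED_SCRIPTS):
    """Return (allowed, reasons) for one Web Companion request URL."""
    # keep_blank_values keeps valueless actions such as "-find" and "-delete".
    # Parameter names are lower-cased so a variant spelling is still checked.
    pairs = [(n.lower(), v) for n, v in
             parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    reasons = []
    # Any script can be named in a request, so every script parameter
    # (URL-decoded, exact match) must be on the allow-list.
    for name, value in pairs:
        if name in SCRIPT_PARAMS and value not in allowed_scripts:
            reasons.append(f"script not on allow-list: {value!r}")
    # -delete acts on the record named by -recid: insist on exactly one.
    if any(name == "-delete" for name, _ in pairs):
        recids = [v for name, v in pairs if name == "-recid"]
        if len(recids) != 1 or not recids[0].isdigit():
            reasons.append("-delete needs exactly one numeric -recid")
    return (not reasons, reasons)


BASE = "http://db.example.test/FMPro?-db=contacts.fp5&-format=-fmp_xml&-lay=web"
SAMPLES = [  # constructed requests
    BASE + "&-script=WebSortByName&-find",
    BASE + "&-script=Purge+Found+Set&-find",
    BASE + "&-Script.PreFind=Purge%20Found%20Set&-find",
    BASE + "&-recid=12&-delete",
    BASE + "&-delete",
]

if __name__ == "__main__":
    for url in SAMPLES:
        allowed, reasons = check_request(url)
        print("ALLOW" if allowed else "BLOCK", url.split("?", 1)[1], reasons)
```

A check like this complements, and does not replace, removing developer and dialog script steps from the scripts themselves.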



FileMaker Pro 6 Developers Guide to XML/XSL (Wordware Library for FileMaker)
ISBN: 155622043X
EAN: 2147483647
Year: 2003
Pages: 100
Authors: Beverly Voth
