FP Web

Jose Lerebours fpgroups at gmail.com
Mon Jul 8 11:10:31 PDT 2019 

Who was it that said: You must first sign the bill to know what is in 
the bill?  and whatever happened with that?   !??!!  ;-)



On 7/8/19 11:37 AM, Richard Kreiss wrote:
> I am just now wondering if the FP Web is tied into MySQL download? Or is it a new front end for filePro replacing the FPGUI product?
>
> It would be nice if there were some screen shots of the product on the FP TECH web-site (and a place to register for the conference).
>
> Richard Kreiss
> GCC Consulting
>
> -----Original Message-----
> From: Filepro-list <filepro-list-bounces+rkreiss=verizon.net at lists.celestial.com> On Behalf Of Jose Lerebours via Filepro-list
> Sent: Monday, July 8, 2019 6:14 AM
> To: filepro-list at lists.celestial.com
> Subject: Re: FP Web
>
>
> On 7/8/19 12:30 AM, Fairlight via Filepro-list wrote:
>>> Per injections, well, that has nothing to do with the back-end
>>> binaries but with the way the programmer writes his/her code.  Of
>>> course, if fileProWeb does not provide means to sanitize data, we
>>> then have a totally different subject.
>> Not actually true, in the case of fpcgi 1.x and the default for 2.x.
>> The whole concept of putting the command-lines as hidden fields was
>> ill-conceived, to put it as politely as possible.  Even after they
>> were made aware of the ramifications, they only provided an
>> alternative server-side only methodology for 2.x, but kept the
>> client-side methodology as the default.  Allegedly for purposes of
>> backwards compatibility.  I don't even think the alternative was
>> widely communicated.  So yes, injections -were- an issue with fpcgi,
>> just not in the conventional SQL injection context.  Worse, honestly,
>> since you could inject entire arbitrary commands.  It was an issue
>> even on Windows.  There were also multiple different characters to use
>> to trigger it.  They eventually fixed it, but that was -not- a good demonstration of security awareness.
>>
>> Then there was the makedir suid root hidden-password bypass at a
>> system level, if you had any system shell access and could access the
>> path to the binary.  Don't start me.
> The way I see it,
>
> (1) if "system" commands are needed to get to the data, then it is not a "native" solution; I stick to what I already know and works.
> (2) It needs to have ability to run cURL and WSDL construct for data sharing (IN/OUT)
> (3) It needs to have ability to use input in GET and POST modes
>
> Being an old school developer, I can live with procedural architecture but OOP is where it should be.  I want to believe that they have hacked an open source binary like PHP, Perl or Python and made it their own, one where your typical filePro commands work:
>
> lookup alias = fileName i=A k="Hello World!"
>
> This would be the equivalent of a SQL query
>
> SELECT * FROM fileName WHERE keyField = "HelloWorld!"
>
> Then I can proceed to parse through the array object returned by the lookup/SELECT command without having to break out to a shell using "system".
>
>
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://mailman.celestial.com/pipermail/filepro-list/attachments/20190708/eff573e9/attachment.html>
> _______________________________________________
> Filepro-list mailing list
> Filepro-list at lists.celestial.com
> Subscribe/Unsubscribe/Subscription Changes
> http://mailman.celestial.com/mailman/listinfo/filepro-list

More information about the Filepro-list mailing list