Script security review checklist for FileMaker solutions

Expert

Audit FileMaker scripts for injection vulnerabilities, privilege escalation paths, exposed credentials, and unsafe user-input handling before deployment.

What you'll learn

  • How to audit ExecuteSQL calls for injection vulnerabilities
  • How to identify RunWithFullAccess scripts that lack authorization checks
  • How to detect hard-coded credentials and API keys in script text
  • How to sanitize user input before passing it to Insert from URL
  • How to review script parameters for injection risks

FileMaker solutions that accept user input, call external APIs, or run scripts with elevated privileges carry security risks that are easy to overlook. A pre-deployment security review covers the most common attack surfaces: SQL injection in ExecuteSQL, privilege escalation via RunWithFullAccess, hard-coded credentials in script text, and user input passed directly to Insert from URL or Open URL.

1/4
1

Audit ExecuteSQL for injection

ExecuteSQL is vulnerable to SQL injection if user-provided values are concatenated directly into the SQL string. Always use parameterized queries -- pass dynamic values as additional arguments after the column/row separators rather than embedding them in the SQL string.

FileMaker Script
# VULNERABLE: user input concatenated into the SQL string
Set Variable [ $sql ; Value:
  "SELECT * FROM Contacts WHERE Email = '" & $userInputEmail & "'"
]
Set Variable [ $result ; Value: ExecuteSQL ( $sql ; "," ; "|" ) ]
# A user entering: ' OR '1'='1
# would return ALL contacts

# SAFE: parameterized query
Set Variable [ $result ; Value:
  ExecuteSQL (
    "SELECT ContactID, FullName FROM Contacts WHERE Email = ?" ;
    "," ; "|" ;
    $userInputEmail
  )
]
# The ? placeholder is never interpreted as SQL -- the value is passed safely
Debugging advanced FileMaker script issuesBack to Scripting

Sign in to track your progress and pick up where you left off.

Sign in to FM Dojo