Safe Mode Operation
Some of the more powerful features of Reportico allow report designers to include SQL statements and custom source code within a report definition. This permits data to be manipulated prior to reporting and reports to be written that perform SQL updates, but it also raises security issues: depending on the security configuration of the web server and the database permissions of the connecting user, anyone with access to report design mode could delete data or files. This matters most where Reportico is installed on a public website with no access control. The designer can therefore be run in Safe mode, which disables the report assignment, pre-execution query and custom source code features.
By default the report designer does not run in safe mode, so if Reportico is exposed to untrusted users you should turn it on. Safe mode is configured per project: each project created from the Administration page starts with Safe mode off, so it has to be enabled for every project where it is wanted.
To turn safe mode on for a project, open the Configure Project option and tick the Safe Mode check box. Alternatively, edit the project's config.php, found under the projects folder below the main Reportico installation area, and set the parameter SW_SAFE_DESIGN_MODE to true. Unticking the box, or setting SW_SAFE_DESIGN_MODE to false, turns safe mode off again, after which the Custom Source Code, Column Assignments and Pre-Execute SQLs of reports in that project can be edited. You may wish to turn safe mode off temporarily while designing reports, or maintain two copies of Reportico, one for designing and one for public use running in safe mode, and copy the designed report project folders over to the safe copy.
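Because the setting is per project and defaults to off, a public copy of Reportico can silently regain custom-code execution when a freshly designed project folder is copied in. The following audit script is an added example, not part of Reportico: it walks every project's config.php and flags those where safe mode is off. It assumes the setting appears as a PHP define of the form define('SW_SAFE_DESIGN_MODE', true) (or an assignment to that name) in projects/<project>/config.php, as described above; the sample project folders it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Reportico's own code. Audits safe design mode across
# all projects. Assumption: each project's config.php contains a line such as
#   define('SW_SAFE_DESIGN_MODE', true);   (or ... = true;)

# Report each project's safe-mode state; return the number of projects that
# are NOT confirmed safe (non-zero exit means something needs attention).
safe_mode_audit() {
    projects_dir="$1"
    unsafe=0
    for cfg in "$projects_dir"/*/config.php; do
        [ -f "$cfg" ] || continue
        project=$(basename "$(dirname "$cfg")")
        # Take the first non-commented SW_SAFE_DESIGN_MODE line and pull out
        # the boolean after the comma (define) or equals sign (assignment).
        value=$(grep 'SW_SAFE_DESIGN_MODE' "$cfg" \
                | grep -v '^[[:space:]]*//' \
                | sed -n 's/.*SW_SAFE_DESIGN_MODE[^,=]*[,=][[:space:]]*\([A-Za-z]*\).*/\1/p' \
                | head -n 1 | tr 'A-Z' 'a-z')
        case "$value" in
            true)  echo "OK      $project: safe mode on" ;;
            false) echo "UNSAFE  $project: safe mode off (custom code and pre-execute SQL allowed)"
                   unsafe=$((unsafe + 1)) ;;
            *)     echo "UNKNOWN $project: SW_SAFE_DESIGN_MODE not set (defaults to off)"
                   unsafe=$((unsafe + 1)) ;;
        esac
    done
    return "$unsafe"
}

# Constructed sample projects for the demonstration: a public project that
# was hardened, and a design project whose only active setting is false
# (the commented-out 'true' line must be ignored by the audit).
make_sample_projects() {
    base="$1"
    mkdir -p "$base/public" "$base/design"
    cat > "$base/public/config.php" <<'EOF'
<?php
define('SW_SAFE_DESIGN_MODE', true);
EOF
    cat > "$base/design/config.php" <<'EOF'
<?php
// define('SW_SAFE_DESIGN_MODE', true);
define('SW_SAFE_DESIGN_MODE', false);
EOF
}

# Demo run against the constructed projects; in production point
# safe_mode_audit at <reportico>/projects instead.
demo=$(mktemp -d)
make_sample_projects "$demo"
safe_mode_audit "$demo" || echo "$? project(s) are not in safe mode"
rm -rf "$demo"
```

Run it from cron or a deployment hook against the public installation's projects folder; a non-zero exit is the signal that a project needs its config.php changed (or that the setting is missing altogether, which is equivalent to off).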
General Security Guidelines
Like all other PHP database applications, and especially where Reportico is publicly reachable, the following security measures should be adopted:
- Control access to Reportico through the web server's own user authentication, such as Apache .htpasswd files.
- Configure Reportico projects to connect to databases as users granted only the minimum privileges the reports need (typically SELECT on the reporting tables, with no UPDATE, DELETE or DDL rights).
- Set file system permissions so that the Reportico installation, and in particular the project folders and each project's config.php, cannot be read or modified by other users on the system.
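As an added example, not part of Reportico's own distribution, the script below performs one hardening pass covering the three guidelines: it writes an Apache .htaccess that requires basic authentication against an .htpasswd file kept outside the web root, emits the SQL for a SELECT-only database user for the public project, and tightens permissions on the project folders. The installation path, the user and database names, the table list and the assumption that Apache honours .htaccess (AllowOverride) for the Reportico directory are all illustrative assumptions; the GRANT syntax is MySQL/MariaDB and would need adapting for other engines.

```shell
#!/bin/sh
# Added example, not Reportico's own code. Paths, names and table list are
# assumptions for illustration.

# 1. Web server access control. Create the password file outside the web
#    root first, e.g.:  htpasswd -c /etc/apache2/reportico.htpasswd reportuser
write_htaccess() {
    reportico_dir="$1"
    htpasswd_file="$2"
    cat > "$reportico_dir/.htaccess" <<EOF
AuthType Basic
AuthName "Reportico"
AuthUserFile $htpasswd_file
Require valid-user
EOF
}

# 2. Least-privilege database user: SELECT on the named reporting tables
#    only, so a report with injected or custom SQL cannot update or delete.
#    Usage: select_only_user_sql <user> <database> <password> <table>...
select_only_user_sql() {
    user="$1"; db="$2"; password="$3"; shift 3
    echo "CREATE USER '$user'@'localhost' IDENTIFIED BY '$password';"
    for table in "$@"; do
        echo "GRANT SELECT ON \`$db\`.\`$table\` TO '$user'@'localhost';"
    done
    echo "FLUSH PRIVILEGES;"
}

# 3. File system permissions: project folders are owner-writable and
#    group-readable (the web server's group), nothing for other users, and
#    each project's config.php is not world-readable.
lock_down_projects() {
    projects_dir="$1"
    chmod 750 "$projects_dir"
    for cfg in "$projects_dir"/*/config.php; do
        [ -f "$cfg" ] || continue
        chmod 640 "$cfg"
    done
}

# Demo against a constructed install layout; in production use the real
# Reportico directory and a real .htpasswd path.
demo=$(mktemp -d)
mkdir -p "$demo/projects/public"
: > "$demo/projects/public/config.php"
write_htaccess "$demo" /etc/apache2/reportico.htpasswd
lock_down_projects "$demo/projects"
select_only_user_sql reportico_ro reportdb 'replace-with-a-strong-password' orders customers
rm -rf "$demo"
```

Review the generated SQL before running it as a database administrator, and point the public project's config.php at the new read-only user rather than the account used for designing reports.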