Win32 Security

A critical security note
It is crucial that you ask your web server administrator to disable "read" access on your cgi-bin directory. If you do not disable "read" access, anybody on the internet will be able to read ALL of your database files. In addition, if you are a registered user, you should protect the registered copy of this software by disallowing "read" access so that nobody can download the software directly from your web server's cgi-bin directory. The methods to disable "read" access on your cgi-bin are discussed below:

• If your web site is hosted by a web hosting company , it is likely that you do not have much control over the access permission on your cgi-bin directories.  In this case, it is also very likely that your web hosting company is using Win2000 and Internet Information Server (IIS).  In that case, you should contact your web hosting company and ask them to enable NTFS "Read" and "Write" and disable IIS "Read", "Write" but allow "Execute" on your cgi-bin directory and all of its subdirectories.  The NTFS (local file system) "read/write" is needed because POD needs to be able to read and write the local files under your cgi-bin directories; The IIS (web server) "read/write" is disabled because you do not want any user on the web to be able to read the contents of the files in your cgi-bin directory.  You should try very hard to urge your web server administrator to do this as early as possible.  There is no reason why your server administrator should refuse such a request.  If your server administrator is plain incompetent, then a desparate last resort for you could be: set "hide=1" in the fldb.ini configuration file (option 5 in File Options Configuration ). This way POD willsuccessfully disallow "read" on DB files (but not the software itself) on some (BUT NOT ALL!) Win32 web servers.  However, this method could induce other problems and is not recommended unless your server administrator refuses to set permission for you.
• If you are running your own web server , here's what you should do:
  If your OS is NT/Win2000, enable NTFS "Read" and "Write" for reason listed above.  This is not needed for Win95/98.
  Then, if are running Microsoft Internet Information Server, Microsoft Peer Web Service (which comes with NT4.0 CD), Microsoft Personal Web Server etc., disable "read" access on cgi-bin and its subdirectories. Therefore what you (or your web server administrator) need to do is to launch the web server administration manager, look at the access setting of the cgi-bin directory of the web server, then set the access setting to enable "execute", enable "scripts", disable "read" (you'll need to check the checkboxes "execute" "scripts" to enable them, and uncheck "read" to disable it).
  For other Unix-styled security configuration web servers, such as Sambar Web Server (a free/$75 web server that is very feature-rich and relatively easy to use), Apache (free, its Windows version is hard to use) or O'Reilly's WebSite Pro Server, etc., here is what I found/remembered that you need to do: For Apache, in their cgi-bin directory, your DB file is usually safe (because by default apache take any requests for file in the cgi-bin directory as a command to execute that file.  Because of this, when you try to download the DB text or html file, the server gives you an error as those DB files cannot be executed) yet it is still advisable that you disable "read" access on cgi-bin and its subdirectories (see below for Sambar). For WebSite Pro, you need to set order "allow, deny" and "deny all" or allow only a selected group of users or groups to access the directory (same method applies to Apache too). For Sambar server, you want to put a .htaccess file under cgi-bin and its subdirectories. In that file, you specify the name of a zone, then restriction. For example, that .htaccess file can look like this after you created user "test":
  AuthName "Authorized Only"
  require user test
  Apache can use .htaccess file to disable access to its directories too.
• To test whether the access permissions are correctly set on your cgi-bin directory and its subdirectories:
  You can test if "read" access is disallowed by trying to access the DB file through its URL.  If the URL of your web server's cgi-bin directory is http://myserver.com/cgi-bin, and you DB is under fldb subdirectory, then your DB initiation (configuration) file URL is http://myserver.com/cgi-bin/fldb/fldb.ini. Just type this URL into your web browser and see what happens. If you get "read access forbidden", then your files are safe from peeping eyes.  If, instead, your web browser starts to download the file or even displays its content, you know your DB is in danger. Please contact your administrator as soon as possible then!!.