[FX.php List] Stupid Find Question

Vinnie P. Taranto vinniept at dso.ufl.edu
Wed Jan 12 13:43:56 MST 2005


I was thinking more about username and password authentications and
realized if an authentication search was set up using 'eq' and there is
no character check on the input a user could enter '=*' and could then
probably be logged in. Is there a good way to check for a '=' or any
other dangerous characters (if you checked for just an '=' sign should
you check for the & ASCII code for the '=' character as well)? Thanks,

Vinnie
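Added example, not from this thread or from the FX.php project: PHP that models the 'eq' wrapping DC describes further down (="value") to show why a leading '=' or '*' in user input is still read as an operator, rejects input containing FileMaker find-operator characters (checked on both the raw and the HTML-entity-decoded string, so &#61; is treated the same as a literal '='), and then shows the approach that removes the problem rather than filtering it: find on an allowlisted username only and verify the password in PHP with password_hash()/password_verify() (PHP 5.5+), never sending it as find criteria. The operator list is my reading of FileMaker's documentation, and the RecordFinder interface and ArrayFinder class are assumptions standing in for FX.php's FMFind() on a users layout, not its real API.

```php
<?php
// Added example for the discussion above; not code from the FX.php project.
// RecordFinder and ArrayFinder are hypothetical stand-ins for an FX.php
// FMFind() on the users layout. The operator list is my reading of
// FileMaker's find-operator documentation (an assumption; check your version).
declare(strict_types=1);

// The 'eq' criterion as DC describes it reaching FileMaker: ="100".
// A leading '=' or '*' typed by the user sits inside the quotes unchanged
// and is still read as an operator, not data, which is what both DC's
// '=' trick and Vinnie's '=*' observation rely on.
function render_eq_criterion(string $value): string
{
    return '="' . $value . '"';
}

// Strings FileMaker interprets as find operators inside a request.
const FM_FIND_OPERATORS = [
    '=', '*', '@', '#', '?', '!', '<', '>', '"', '~', '≤', '≥', '...', '//',
];

// True only when $value contains nothing FileMaker would read as an operator.
// Both the raw string and its HTML-entity-decoded form are checked, so
// "&#61;*" is rejected like "=*" wherever in the stack entities get decoded.
function is_plain_find_literal(string $value): bool
{
    $decoded = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    foreach ([$value, $decoded] as $candidate) {
        foreach (FM_FIND_OPERATORS as $op) {
            if (strpos($candidate, $op) !== false) {
                return false;
            }
        }
    }
    return true;
}

// Allowlist for usernames: letters, digits, dot, underscore, hyphen.
// '@' is left out on purpose because FileMaker reads it as a wildcard.
function is_valid_username(string $username): bool
{
    return preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $username) === 1;
}

// Hypothetical abstraction over the FX.php find on the users layout.
interface RecordFinder
{
    public function findByUsername(string $username): array;
}

// In-memory stand-in so the example runs without a FileMaker server; the
// exact comparison plays the role of an 'eq' find with the '=' prefix.
final class ArrayFinder implements RecordFinder
{
    private array $rows;

    public function __construct(array $rows)
    {
        $this->rows = $rows;
    }

    public function findByUsername(string $username): array
    {
        return array_values(array_filter(
            $this->rows,
            fn(array $row): bool => $row['username'] === $username
        ));
    }
}

// The password never becomes find criteria, so "=*" or "t*" typed into the
// password box cannot widen the search; it is only ever compared in PHP.
function authenticate(RecordFinder $db, string $username, string $password): bool
{
    if (!is_valid_username($username)) {
        return false;   // rejected before anything reaches FileMaker
    }
    $rows = $db->findByUsername($username);
    if (count($rows) !== 1) {
        return false;   // zero or several matches both fail closed
    }
    return password_verify($password, $rows[0]['password_hash']);
}

// Constructed demo data and inputs (not real accounts).
$db = new ArrayFinder([
    ['username' => 'alice', 'password_hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
]);
foreach (['100', 'alice', '=*', 't*', '&#61;*', 'a...z'] as $input) {
    printf("%-8s -> %-10s plain literal: %s\n", $input,
        render_eq_criterion($input), is_plain_find_literal($input) ? 'yes' : 'no');
}
foreach ([['alice', 'correct horse'], ['alice', '=*'], ['=*', 'x']] as [$u, $p]) {
    printf("login %-6s / %-14s -> %s\n", $u, $p,
        authenticate($db, $u, $p) ? 'accepted' : 'rejected');
}
```

The username allowlist deliberately excludes '@' because FileMaker reads it as a one-character wildcard; if logins are e-mail addresses, look them up through a separate key field that cannot contain operators, or keep the operator check as a second layer in front of the find. Requiring exactly one returned record also fails closed if a find ever does widen for a reason the filter missed.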
-----Original Message-----
From: fx.php_list-bounces at mail.iviking.org
[mailto:fx.php_list-bounces at mail.iviking.org] On Behalf Of Gjermund
Gusland Thorsen
Sent: Sunday, January 09, 2005 5:31 AM
To: FX.php Discussion List
Subject: Re: [FX.php List] Stupid Find Question

It's perhaps smart to only store the sha1() string of the username and
password, instead of username and password itself?

Gjermund


On Fri, 7 Jan 2005 16:51:15 -0500, Vinnie P. Taranto
<vinniept at dso.ufl.edu> wrote:
> I was just working on my fx.php and filemaker 6 unlimited solution and
> found something interesting with using 'eq' or "=" or "==" in FMFinds on
> critical text fields like usernames and passwords. I've found appending
> "==" or appending "=" in conjunction with 'eq' allows wildcard searches
> which is very dangerous on user level controlled sites. It reminds me of
> an SQL injection vulnerability a while back.
> 
> Does anybody have any other dos or don'ts on username/password
> fields/finds. I think it was Chris Hansen who suggested turning on
> indexing and setting it to ASCII for password fields to be able to use
> special characters I think (thanks Chris). I just figured better to ask
> here than find out someone's entered t* as the password and logged in to
> a mission critical app. Thanks.
> 
> ________________________________
> 
> From: fx.php_list-bounces at mail.iviking.org on behalf of DC
> Sent: Mon 12/20/2004 1:43 PM
> To: FX.php Discussion List
> Subject: Re: [FX.php List] Stupid Find Question
> 
> The way I understand it (and what I have seen on the web database by
> doing a Find Again and looking at what is sitting in the field) the 'eq'
> parameter wraps the data sent to the find request like so:
> 
> data sent to FX:
> $request->AddDBParam ('num_serial', '100', 'eq');
> 
> resulting string sent to filemaker field find request:
> ="100"
> 
> When you do a search with the equals sign, you don't get 1000 or 10000,
> you just get 100.
> 
> Correct me if your tests show anything different.
> 
> Not sure if you know this, but a neat trick to get the even stricter ==
> find request to work is to prepend the equals sign to the search term
> and use the 'eq' param.
> 
> $strict_eq_search = '=' . '100';
> $request->AddDBParam ('num_serial', $strict_eq_search, 'eq');
> 
> This allows you to do what filemaker calls 'Field content match' as
> opposed to the 'eq' param which only does a (so-called) 'Exact match'.
> 
> I'm using an older FX version, has field content match been added as a
> parameter option to a new version?
> 
> Best,
> dan
> 
> Milos Vukotic wrote:
> > I would guess that you'll get for $num_ser = 1
> > all this records:
> > 1,11,12,13..,101,...,1000,...,10000,...
> >
> > Cheers,
> > Milos Vukotic
> >
> > DC wrote:
> >
> >> I've gotten this code to work without a problem:
> >> foreach ($FK_array as $num_ser)
> >> {
> >>     $request->AddDBParam ('num_serial', $num_ser, 'eq');
> >> }
> >>
> >> // tell FMP/FX to do an OR search
> >> $request->AddDBParam ('-lop', 'or');
> >> // call the find action
> >> $result_array = $request->FMFind();
> >>
> >> Another thing to check is make sure that you're talking to the right
> >> layout (one that has the fields you wish to search on). I see 401
> >> errors all the time when I make a typo in the layout name.
> >>
> >> DC
> >>
> >> Marisa Smith wrote:
> >>
> >>> OK, I KNOW I should know how to do this, but I can't figure it out
> >>>
> >>> I need to find all records whose unitid=15  OR  whose
> >>> unitid=20
> >>>
> >>> In Filemaker client, I can do this with a 'new request', but I don't
> >>> know the equivalent in XML.  I tried this:
> >>>
> >>>     $AAHRPPDocQuery->AddDBParam("unitid","15");
> >>>     $AAHRPPDocQuery->AddDBParam("-lop","or");
> >>>     $AAHRPPDocQuery->AddDBParam("unitid","20");
> >>>
> >>> But I end up with an error 401.
> >>>
> >>> What am I missing here?  Or am I trying to do the impossible?
> >>>
> >>> Thanks!
> >>> Marisa
> >>>
> >>> ---------------------------------------------------------------------
> >>> Marisa Smith, President
> >>> DataSmith Consulting, LLC
> >>> 667 Kuehnle Street
> >>> Ann Arbor, MI 48103
> >>> Phone & Fax: (734) 369-3001
> >>> Cell: (734) 834-2638
> >>> http://www.datasmithconsulting.net
> >>> Filemaker Solutions Alliance Associate Member
> >>>
> >>>
> >>> _______________________________________________
> >>> FX.php_List mailing list
> >>> FX.php_List at mail.iviking.org
> >>> http://www.iviking.org/mailman/listinfo/fx.php_list