[FX.php List] Stupid Find Question

Michael Layne fx at 9degrees.com
Thu Jan 13 11:43:36 MST 2005


Thanks!!!!!

I was missing the concatenation.  Also, I'm not using GET, I think I
pasted from some other file and didn't notice.  Definitely POST.
Thanks as always!


On Jan 13, 2005, at 1:12 PM, Chris Hansen wrote:

> Michael,
>
> Here you go (either of these would work):
>
> $query->AddDBParam('email', '"' . $_GET['user'] . '"');
>
> $query->AddDBParam('email', "\"{$_GET['user']}\""); // alternate example
>
> Remember that things work the same in FX.php that they would in  
> FileMaker.  So, the quotes need to be there, but you need to send them  
> in such a way that they get to FileMaker.  The second example above  
> demonstrates how you'd need to set things up if everything was within  
> the double quotes.  The curly braces help PHP to delineate a variable  
> when present INSIDE double quotes, or a heredoc text block.  The curly  
> braces ARE NOT NECESSARY, but can make your code more legible.
>
> Finally, I'd probably not send a user name and password with a GET  
> query, since the username and password appear in the URL (why use a  
> password field that protects the password from prying eyes, when the  
> password will show up in the URL on the next page...)
>
> HTH
>
> --Chris Hansen
>   creator of FX.php
>   "The best way from FileMaker to the Web."
>   www.iViking.org
>
> On Jan 13, 2005, at 9:49 AM, Michael Layne wrote:
>
>> Sorry to beat the proverbial horse, but in all this, is there an  
>> example/solution for a user to use his email address as his login  
>> (and a password for his password...)?
>>
>> user - name at domain.com
>>
>> password - password
>>
>> then...
>>
>> $query->AddDBParam('email', $_GET['user']); // doesn't work
>>
>> $query->AddDBParam('email', "$_GET['user']"); // doesn't work.
>>
>> my workaround is stripping the '@' and doing the same in FMP.
>>
>> Thanks!
>>
>>
>>
>>
>>
>> On Jan 13, 2005, at 11:40 AM, DC wrote:
>>
>>> Hi Vinnie,
>>>
>>> Thanks for the helpful reminder about security. The general lesson  
>>> is:
>>> all input values should be validated before being passed on to FMP.
>>>
>>> Here's *one way* to restrict input data to only 1-16 alphabetical and
>>> numerical characters:
>>>
>>> $allowed_string = '/^[a-zA-Z0-9]{1,16}$/';
>>> $test_pass = preg_match($allowed_string, $my_password);
>>> if ($test_pass) {
>>>     // do something here
>>> }
>>>
>>> Sorry just a code snippet, but you should be able to get the idea. Feel
>>> free to expand the character class of your acceptable strings, but watch
>>> out for those FMP wildcard characters like * (star), @ (at), ...
>>> (ellipsis), and ! (bang).
>>>
>>> Cheers,
>>> dan
>>>
>>> Vinnie P. Taranto had written:
>>>> I was just working on my fx.php and filemaker 6 unlimited solution  
>>>> and found something interesting with using 'eq' or "=" or "==" in  
>>>> FMFinds on critical text fields like usernames and passwords. I've  
>>>> found appending "==" or appending "=" in conjunction with 'eq'  
>>>> allows wildcard searches which is very dangerous on user level  
>>>> controlled sites. It reminds me of an SQL injection vulnerability a  
>>>> while back.
>>>>  Does anybody have any other do's or don'ts on username/passwords  
>>>> fields/finds. I think it was Chris Hansen who suggested turning on  
>>>> indexing and setting it to ASCII for password fields to be able to  
>>>> use special characters I think (thanks Chris). I just figured  
>>>> better to ask here than find out someone's entered t* as the  
>>>> password and logged in to a mission critical app. Thanks.
>>>> ________________________________
>>>> From: fx.php_list-bounces at mail.iviking.org on behalf of DC
>>>> Sent: Mon 12/20/2004 1:43 PM
>>>> To: FX.php Discussion List
>>>> Subject: Re: [FX.php List] Stupid Find Question
>>>> The way I understand it (and what I have seen on the web database by
>>>> doing a Find Again and looking at what is sitting in the field) the 'eq'
>>>> parameter wraps the data sent to the find request like so:
>>>>
>>>> data sent to FX:
>>>>
>>>> $request->AddDBParam('num_serial', '100', 'eq');
>>>>
>>>> resulting string sent to filemaker field find request:
>>>>
>>>> ="100"
>>>>
>>>> When you do a search with the equals sign, you don't get 1000 or 10000,
>>>> you just get 100.
>>>>
>>>> Correct me if your tests show anything different.
>>>>
>>>> Not sure if you know this, but a neat trick to get the even stricter ==
>>>> find request to work is to prepend the equals sign to the search term
>>>> and use the 'eq' param.
>>>>
>>>> $strict_eq_search = '=' . '100';
>>>> $request->AddDBParam('num_serial', $strict_eq_search, 'eq');
>>>>
>>>> This allows you to do what filemaker calls 'Field content match' as
>>>> opposed to the 'eq' param which only does a (so-called) 'Exact match'.
>>>>
>>>> I'm using an older FX version, has field content match been added as a
>>>> parameter option to a new version?
>>>>
>>>> Best,
>>>> dan
>>>> Milos Vukotic wrote:
>>>>> I would guess that you'll get for $num_ser = 1
>>>>> all this records:
>>>>> 1,11,12,13..,101,...,1000,...,10000,...
>>>>>
>>>>> Cheers,
>>>>> Milos Vukotic
>>>>>
>>>>> DC wrote:
>>>>>
>>>>>
>>>>>> I've gotten this code to work without a problem:
>>>>>>
>>>>>> foreach ($FK_array as $num_ser) {
>>>>>>     $request->AddDBParam('num_serial', $num_ser, 'eq');
>>>>>> }
>>>>>>
>>>>>> // tell FMP/FX to do an OR search
>>>>>> $request->AddDBParam('-lop', 'or');
>>>>>> // call the find action
>>>>>> $result_array = $request->FMFind();
>>>>>>
>>>>>> Another thing to check is make sure that you're talking to the right
>>>>>> layout (one that has the fields you wish to search on). I see 401
>>>>>> errors all the time when I make a typo in the layout name.
>>>>>>
>>>>>> DC
>>>>>>
>>>>>> Marisa Smith wrote:
>>>>>>
>>>>>>
>>>>>>> OK, I KNOW I should know how to do this, but I can't figure it out.
>>>>>>>
>>>>>>> I need to find all records whose unitid=15 OR whose unitid=20.
>>>>>>>
>>>>>>> In Filemaker client, I can do this with a 'new request', but I don't
>>>>>>> know the equivalent in XML.  I tried this:
>>>>>>>
>>>>>>>    $AAHRPPDocQuery->AddDBParam("unitid","15");
>>>>>>>    $AAHRPPDocQuery->AddDBParam("-lop","or");
>>>>>>>    $AAHRPPDocQuery->AddDBParam("unitid","20");
>>>>>>>
>>>>>>> But I end up with an error 401.
>>>>>>>
>>>>>>> What am I missing here?  Or am I trying to do the impossible?
>>>>>>>
>>>>>>> Thanks!
>>>>>>> Marisa
>>>>>>> ---------------------------------------------------------------------
>>>>>>> Marisa Smith, President
>>>>>>> DataSmith Consulting, LLC
>>>>>>> 667 Kuehnle Street
>>>>>>> Ann Arbor, MI 48103
>>>>>>> Phone & Fax: (734) 369-3001
>>>>>>> Cell: (734) 834-2638
>>>>>>> http://www.datasmithconsulting.net
>>>>>>> Filemaker Solutions Alliance Associate Member
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> FX.php_List mailing list
>>>>>>> FX.php_List at mail.iviking.org
>>>>>>> http://www.iviking.org/mailman/listinfo/fx.php_list
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>
>>>
>>
>> Michael Layne  :  9 degrees development  :  www.9degrees.com  :   
>> 404.226.7835
>
>

Michael Layne  :  9 degrees development  :  www.9degrees.com  :   
404.226.7835
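Added example for the thread above (not FX.php code and not code posted by any of the participants). It puts the pieces of the discussion together: a whitelist check on the login and password values before they go anywhere near a FileMaker find, the quoted literal Chris describes so an e-mail address is matched as text rather than having its '@' read as the one-character wildcard, and a report of which find operator an unvalidated value such as t* or == would have carried into the request. FxQueryStub is a constructed stand-in for FX.php's query object that only records what AddDBParam() receives, so the script runs without FileMaker; the operator list beyond the characters the thread names is an assumption.

```php
<?php
// Added example for this thread; it is not FX.php code and not code posted by
// anyone above. It shows (a) whitelist validation of a login value before it
// reaches a FileMaker find, (b) the literal quoting Chris describes, so an
// e-mail address is searched as text rather than having its '@' read as the
// one-character wildcard, and (c) which find operator an unvalidated value
// would have carried into the request.
//
// FxQueryStub is a constructed stand-in for FX.php's query object: it only
// records what AddDBParam() receives, so this script runs without FileMaker.
class FxQueryStub
{
    public $params = array();

    public function AddDBParam($field, $value, $op = '')
    {
        $this->params[] = array('field' => $field, 'value' => $value, 'op' => $op);
    }
}

// Find-mode operators FileMaker interprets inside a field value. The thread
// names *, @, ..., ! and = / ==; the rest of the list is an assumption added
// to cover the other documented operators. It is used only to explain
// rejections; the real control is the whitelist in the validators below.
function fm_find_operators()
{
    return array('==', '=', '*', '@', '...', '!', '<', '>', '#', '?', '~', '"', '//');
}

// Accept only a plausible e-mail login: bounded local part, exactly one '@',
// dotted domain. No quote and no operator other than the structural '@' can
// get through, so nothing here can end Chris's quoting early.
function validate_login_email($input)
{
    if (!is_string($input) || strlen($input) > 254) {
        return false;
    }
    $re = '/^[A-Za-z0-9._+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/';
    return preg_match($re, $input) === 1;
}

// DC's rule from the thread: 1-16 alphanumeric characters. Widen the class if
// you must, but keep it a whitelist so no find operator can be smuggled in.
function validate_password($input)
{
    return is_string($input) && preg_match('/^[A-Za-z0-9]{1,16}$/', $input) === 1;
}

// Validate, then build the quoted literal Chris shows: "name@domain.com".
// Returns null when the value is rejected, so the caller never runs the find.
function login_find_value($email)
{
    if (!validate_login_email($email)) {
        return null;
    }
    return '"' . $email . '"';
}

// For the rejection message: which operators the raw value contains.
function find_operators_in($value)
{
    $hits = array();
    foreach (fm_find_operators() as $op) {
        if (strpos($value, $op) !== false) {
            $hits[] = $op;
        }
    }
    return $hits;
}

// Constructed sample inputs, as they might arrive in $_POST['user'].
$samples = array(
    'name@domain.com',       // legitimate login
    't*',                    // the wildcard Vinnie worried about
    '==',                    // field-content-match operator on its own
    'name@domain.com...z',   // range operator appended
    '"name@domain.com"',     // quotes supplied by the client, not by us
);

foreach ($samples as $user) {
    $value = login_find_value($user);
    if ($value === null) {
        $ops = find_operators_in($user);
        printf("REJECT %-22s operators present: %s\n",
            var_export($user, true), implode(' ', $ops));
        continue;
    }
    $query = new FxQueryStub();
    $query->AddDBParam('email', $value);
    // In real code the next call would be $query->FMFind(); here we only show
    // what FileMaker would be asked to match.
    printf("ACCEPT %-22s AddDBParam('email', %s)\n",
        var_export($user, true), var_export($query->params[0]['value'], true));
}

// The same rule for the password value: 't*' is refused, 'hunter2' is not.
foreach (array('t*', 'hunter2') as $pw) {
    printf("password %-10s %s\n", var_export($pw, true),
        validate_password($pw) ? 'ok' : 'rejected');
}
```

The quotes take care of the legitimate '@' in the address; the whitelist is what stops a '"' inside the submitted value from closing that quoting and putting the operators back in play, so use both. For the password, the cleaner design is not to make it a find criterion at all: find the record by the quoted login alone, then compare the stored password (a hash, ideally) with the submitted one in PHP, so neither t* nor == ever reaches FileMaker.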

