[FX.php List] Stupid Find Question

Vinnie P. Taranto vinniept at dso.ufl.edu
Fri Jan 7 14:51:15 MST 2005


I was just working on my fx.php and filemaker 6 unlimited solution and found something interesting with using 'eq' or "=" or "==" in FMFinds on critical text fields like usernames and passwords. I've found appending "==" or appending "=" in conjunction with 'eq' allows wildcard searches which is very dangerous on user level controlled sites. It reminds me of an SQL injection vulnerability a while back.
 
Does anybody have any other do's or don'ts on username/password fields/finds. I think it was Chris Hansen who suggested turning on indexing and setting it to ASCII for password fields to be able to use special characters (thanks Chris). I just figured better to ask here than find out someone's entered t* as the password and logged in to a mission critical app. Thanks.

________________________________

From: fx.php_list-bounces at mail.iviking.org on behalf of DC
Sent: Mon 12/20/2004 1:43 PM
To: FX.php Discussion List
Subject: Re: [FX.php List] Stupid Find Question



The way I understand it (and what I have seen on the web database by
doing a Find Again and looking at what is sitting in the field) the 'eq'
parameter wraps the data sent to the find request like so:

data sent to FX:
$request->AddDBParam ('num_serial', '100', 'eq');

resulting string sent to filemaker field find request:
="100"

When you do a search with the equals sign, you don't get 1000 or 10000,
you just get 100.

Correct me if your tests show anything different.

Not sure if you know this, but a neat trick to get the even stricter ==
find request to work is to prepend the equals sign to the search term
and use the 'eq' param.

$strict_eq_search = '=' . '100';
$request->AddDBParam ('num_serial', $strict_eq_search, 'eq');

This allows you to do what filemaker calls 'Field content match' as
opposed to the 'eq' param which only does a (so-called) 'Exact match'.

I'm using an older FX version; has field content match been added as a
parameter option in a newer version?

Best,
dan

Milos Vukotic wrote:
> I would guess that you'll get for $num_ser = 1
> all this records:
> 1,11,12,13..,101,...,1000,...,10000,...
>
> Cheers,
> Milos Vukotic
>
> DC wrote:
>
>> I've gotten this code to work without a problem:
>> foreach ($FK_array as $num_ser)
>> {
>>     $request->AddDBParam ('num_serial', $num_ser, 'eq');
>> }
>>
>> // tell FMP/FX to do an OR search
>> $request-> AddDBParam ('-lop', 'or');
>> // call the find action
>> $result_array = $request-> FMFind();
>>
>> Another thing to check is make sure that you're talking to the right
>> layout (one that has the fields you wish to search on). I see 401
>> errors all the time when I make a typo in the layout name.
>>
>> DC
>>
>> Marisa Smith wrote:
>>
>>> OK, I KNOW I should know how to do this, but I can't figure it out
>>>
>>> I need to find all records whose unitid=15  OR  whose
>>> unitid=20
>>>
>>> In Filemaker client, I can do this with a 'new request', but I don't
>>> know
>>> the equivalent in XML.  I tried this:
>>>
>>>     $AAHRPPDocQuery->AddDBParam("unitid","15");
>>>     $AAHRPPDocQuery->AddDBParam("-lop","or");
>>>     $AAHRPPDocQuery->AddDBParam("unitid","20");
>>>
>>> But I end up with an error 401.
>>>
>>> What am I missing here?  Or am I trying to do the impossible?
>>>
>>> Thanks!
>>> Marisa
>>> ---------------------------------------------------------------------
>>> Marisa Smith, President
>>> DataSmith Consulting, LLC
>>> 667 Kuehnle Street
>>> Ann Arbor, MI 48103
>>> Phone & Fax: (734) 369-3001
>>> Cell: (734) 834-2638
>>> http://www.datasmithconsulting.net
>>> Filemaker Solutions Alliance Associate Member
>>>
>>>
>>> _______________________________________________
>>> FX.php_List mailing list
>>> FX.php_List at mail.iviking.org
>>> http://www.iviking.org/mailman/listinfo/fx.php_list
>>>
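A defensive pattern for the username/password finds raised at the top of this thread, built on the mechanics DC describes (the 'eq' operator wrapping the value as ="value", and a leading '=' turning that into the stricter =="value" field content match). This is an added example, not code from the list or from FX.php itself. It assumes FX.php's AddDBParam($field, $value, $op) and FMFind() as used in the thread; the result-array shape (foundCount plus data, with each field as a repetition array), the field names 'username' and 'password_hash', and the FakeRequest stand-in are assumptions made so the block runs offline.

```php
<?php
declare(strict_types=1);

// Added example, not FX.php's own code. Assumes FX.php's AddDBParam($field, $value, $op)
// and FMFind() as used in this thread; the result-array shape (foundCount/data, fields as
// repetition arrays) and the field names 'username' / 'password_hash' are assumptions.

// Only these characters are accepted in a username that will be placed in a find.
// Everything FileMaker can read as a find operator (= == * @ # ? ! < > ~ " ... //) is
// outside the allow-list, so a value such as "t*" or "==" never reaches the find request.
const USERNAME_PATTERN = '/^[A-Za-z0-9._-]{1,64}$/';

function exact_match_term(string $username): string
{
    if (preg_match(USERNAME_PATTERN, $username) !== 1) {
        throw new InvalidArgumentException('username contains characters outside the allow-list');
    }
    // 'eq' wraps the value as ="value"; a leading '=' turns that into =="value",
    // FileMaker's field content match (DC's note above), which excludes partial-word hits.
    return '=' . $username;
}

/** Look the account up by username only; returns the record, or null unless exactly one hit. */
function find_user_record(object $request, string $username): ?array
{
    $request->AddDBParam('username', exact_match_term($username), 'eq');
    $result = $request->FMFind();
    if ((int) ($result['foundCount'] ?? 0) !== 1) {
        return null;
    }
    $record = reset($result['data']);
    return is_array($record) ? $record : null;
}

/** The password is never sent into a find; it is checked in PHP against a stored password_hash(). */
function authenticate(object $request, string $username, string $password): bool
{
    try {
        $record = find_user_record($request, $username);
    } catch (InvalidArgumentException $e) {
        return false;   // operator characters in the username: refuse without querying
    }
    if ($record === null) {
        return false;
    }
    $hash = $record['password_hash'][0] ?? '';   // assumed field; FX returns repetitions as arrays
    return password_verify($password, $hash);
}

// Constructed stand-in for an FX request so the block runs offline: it records the
// find parameters and answers with one fake record only for the exact term "=alice".
final class FakeRequest
{
    /** @var array<int, array{0:string,1:string,2:string}> */
    public array $params = [];

    public function AddDBParam(string $field, string $value, string $op = ''): void
    {
        $this->params[] = [$field, $value, $op];
    }

    public function FMFind(): array
    {
        [$field, $value] = $this->params[0];
        if ($field === 'username' && $value === '=alice') {
            return ['foundCount' => 1, 'data' => ['1.0' => [
                'username'      => ['alice'],
                'password_hash' => [password_hash('correct horse', PASSWORD_DEFAULT)],
            ]]];
        }
        return ['foundCount' => 0, 'data' => []];
    }
}

// Usage: a correct login, a wrong password, and a wildcard username that is refused
// before any find is issued. The find term actually sent for "alice" is visible in $r->params.
$r = new FakeRequest();
var_dump(authenticate($r, 'alice', 'correct horse'));
var_dump(authenticate(new FakeRequest(), 'alice', 'wrong password'));
var_dump(authenticate(new FakeRequest(), 't*', 'anything'));
print_r($r->params);
```

Two design points. First, the password field is never part of a find at all, so neither the wildcard nor the operator behaviour Vinnie describes can apply to it; only the username goes into the find, and only after an allow-list check. Second, '@' is itself a FileMaker one-character wildcard, so if usernames are e-mail addresses the allow-list cannot simply be widened; look the account up by a separate alphanumeric key instead.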

