[FX.php List] Stupid Find Question

Gjermund Gusland Thorsen ggt667 at gmail.com
Sun Jan 9 03:30:40 MST 2005


It's perhaps smart to only store the sha1() string of the username and
password, instead of username and password itself?

Gjermund


On Fri, 7 Jan 2005 16:51:15 -0500, Vinnie P. Taranto
<vinniept at dso.ufl.edu> wrote:
> I was just working on my fx.php and filemaker 6 unlimited solution and found something interesting with using 'eq' or "=" or "==" in FMFinds on critical text fields like usernames and passwords. I've found appending "==" or appending "=" in conjunction with 'eq' allows wildcard searches which is very dangerous on user level controlled sites. It reminds me of an SQL injection vulnerability a while back.
> 
> Does anybody have any other do's or don'ts on username/password fields/finds? I think it was Chris Hansen who suggested turning on indexing and setting it to ASCII for password fields to be able to use special characters (thanks Chris). I just figured better to ask here than find out someone's entered t* as the password and logged in to a mission-critical app. Thanks.
> 
> ________________________________
> 
> From: fx.php_list-bounces at mail.iviking.org on behalf of DC
> Sent: Mon 12/20/2004 1:43 PM
> To: FX.php Discussion List
> Subject: Re: [FX.php List] Stupid Find Question
> 
> The way I understand it (and what I have seen on the web database by
> doing a Find Again and looking at what is sitting in the field) the 'eq'
> parameter wraps the data sent to the find request like so:
> 
> data sent to FX:
> $request->AddDBParam ('num_serial', '100', 'eq');
> 
> resulting string sent to filemaker field find request:
> ="100"
> 
> When you do a search with the equals sign, you don't get 1000 or 10000,
> you just get 100.
> 
> Correct me if your tests show anything different.
> 
> Not sure if you know this, but a neat trick to get the even stricter ==
>   find request to work is to prepend the equals sign to the search term
> and use the 'eq' param.
> 
> $strict_eq_search = '=' . '100';
> $request->AddDBParam ('num_serial', $strict_eq_search, 'eq');
> 
> This allows you to do what filemaker calls 'Field content match' as
> opposed to the 'eq' param which only does a (so-called) 'Exact match'.
> 
> I'm using an older FX version, has field content match been added as a
> parameter option to a new version?
> 
> Best,
> dan
> 
> Milos Vukotic wrote:
> > I would guess that you'll get for $num_ser = 1
> > all these records:
> > 1,11,12,13..,101,...,1000,...,10000,...
> >
> > Cheers,
> > Milos Vukotic
> >
> > DC wrote:
> >
> >> I've gotten this code to work without a problem:
> >> foreach ($FK_array as $num_ser)
> >> {
> >>     $request->AddDBParam ('num_serial', $num_ser, 'eq');
> >> }
> >>
> >> // tell FMP/FX to do an OR search
> >> $request->AddDBParam ('-lop', 'or');
> >> // call the find action
> >> $result_array = $request->FMFind();
> >>
> >> Another thing to check is make sure that you're talking to the right
> >> layout (one that has the fields you wish to search on). I see 401
> >> errors all the time when I make a typo in the layout name.
> >>
> >> DC
> >>
> >> Marisa Smith wrote:
> >>
> >>> OK, I KNOW I should know how to do this, but I can't figure it out
> >>>
> >>> I need to find all records whose unitid=15  OR  whose
> >>> unitid=20
> >>>
> >>> In Filemaker client, I can do this with a 'new request', but I don't
> >>> know the equivalent in XML.  I tried this:
> >>>
> >>>     $AAHRPPDocQuery->AddDBParam("unitid","15");
> >>>     $AAHRPPDocQuery->AddDBParam("-lop","or");
> >>>     $AAHRPPDocQuery->AddDBParam("unitid","20");
> >>>
> >>> But I end up with an error 401.
> >>>
> >>> What am I missing here?  Or am I trying to do the impossible?
> >>>
> >>> Thanks!
> >>> Marisa
> >>> ---------------------------------------------------------------------
> >>> Marisa Smith, President
> >>> DataSmith Consulting, LLC
> >>> 667 Kuehnle Street
> >>> Ann Arbor, MI 48103
> >>> Phone & Fax: (734) 369-3001
> >>> Cell: (734) 834-2638
> >>> http://www.datasmithconsulting.net
> >>> Filemaker Solutions Alliance Associate Member
> >>>
> >>>
> >>> _______________________________________________
> >>> FX.php_List mailing list
> >>> FX.php_List at mail.iviking.org
> >>> http://www.iviking.org/mailman/listinfo/fx.php_list
> >>>


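An added example (not code from this thread or from the FX.php project) of the defensive pattern the thread points toward: allow-list the username, send it with the strict '=' + 'eq' field-content match Dan describes, require exactly one hit, and keep the password out of the find entirely by verifying a stored hash in PHP. It assumes FX.php's AddDBParam()/FMFind() as used above, that FMFind() returns a 'foundCount' and a 'data' array of records whose field values are repetition arrays, and a hypothetical 'users' layout with 'username' and 'pwhash' fields; it uses password_hash()/password_verify() in place of the sha1() Gjermund suggests.

```php
<?php
// Added example, not from the FX.php list thread or the FX.php project.
// Assumes FX.php's AddDBParam($field, $value, $op) and FMFind() as used in
// the thread, and a hypothetical 'users' layout with 'username' and 'pwhash'.

// Wrapper for any free-text find value: refuse FileMaker find operators
// (=, ==, *, @, #, ?, !, <, >, ~, ", ..., //) instead of letting them turn an
// "exact" find into a pattern find (the "t*" / "==" problem in the thread).
// The '=' prefix plus 'eq' gives the strict field-content match Dan describes.
function add_literal_find_param(FX $fx, string $field, string $value): void
{
    if (preg_match('/[=*@#?!<>~"]|\.\.\.|\/\//', $value) === 1) {
        throw new InvalidArgumentException("find operator in value for $field");
    }
    $fx->AddDBParam($field, '=' . $value, 'eq');
}

// Allow-list for usernames (constructed policy): letters, digits, '.', '_', '-'.
function is_valid_username(string $username): bool
{
    return preg_match('/^[A-Za-z0-9._-]{3,64}$/', $username) === 1;
}

// Look up one user by username only; a widened match would return several
// records, so exactly one hit is required.
function find_user_record(FX $fx, string $username): ?array
{
    if (!is_valid_username($username)) {
        return null;
    }
    add_literal_find_param($fx, 'username', $username);
    $result = $fx->FMFind();
    if (!is_array($result) || (int) ($result['foundCount'] ?? 0) !== 1) {
        return null;
    }
    return reset($result['data']);   // field name => array of repetitions
}

// The password is never a find criterion, so it cannot steer the find; it is
// checked in PHP against the hash stored at account creation (password_hash(),
// used here in place of the thread's sha1() suggestion).
function authenticate(FX $fx, string $username, string $password): bool
{
    $record = find_user_record($fx, $username);
    if ($record === null || empty($record['pwhash'][0])) {
        return false;
    }
    return password_verify($password, $record['pwhash'][0]);
}
```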