[FX.php List] Stupid Find Question

Chris Hansen chris at iViking.org
Wed Jan 12 14:02:22 MST 2005


Vinnie,

I think this has been covered, but the best way to handle logins is by 
adding quotes around the string.  That said, with the quotes present, 
wild cards wouldn't be an issue since they'd be within the quotation 
marks.  HTH

--Chris Hansen
   creator of FX.php
   "The best way from FileMaker to the Web."
   www.iViking.org

On Jan 12, 2005, at 1:43 PM, Vinnie P. Taranto wrote:

> I was thinking more about username and password authentications and
> realized if an authentication search was set up using 'eq' and there is
> no character check on the input a user could enter '=*' and could then
> probably be logged in. Is there a good way to check for a '=' or any
> other dangerous characters (if you checked for just a '=' sign, should
> you check for the & ascii code for the '=' character as well)? Thanks,
>
> Vinnie
> -----Original Message-----
> From: fx.php_list-bounces at mail.iviking.org
> [mailto:fx.php_list-bounces at mail.iviking.org] On Behalf Of Gjermund
> Gusland Thorsen
> Sent: Sunday, January 09, 2005 5:31 AM
> To: FX.php Discussion List
> Subject: Re: [FX.php List] Stupid Find Question
>
> It's perhaps smart to only store the sha1() string of the username and
> password, instead of username and password itself?
>
> Gjermund
>
>
> On Fri, 7 Jan 2005 16:51:15 -0500, Vinnie P. Taranto
> <vinniept at dso.ufl.edu> wrote:
>> I was just working on my fx.php and filemaker 6 unlimited solution and
>> found something interesting with using 'eq' or "=" or "==" in FMFinds on
>> critical text fields like usernames and passwords. I've found appending
>> "==" or appending "=" in conjunction with 'eq' allows wildcard searches
>> which is very dangerous on user level controlled sites. It reminds me of
>> an SQL injection vulnerability a while back.
>>
>> Does anybody have any other do's or don'ts on username/passwords
>> fields/finds. I think it was Chris Hansen who suggested turning on
>> indexing and setting it to ASCII for password fields to be able to use
>> special characters I think (thanks Chris). I just figured better to ask
>> here than find out someone's entered t* as the password and logged in to
>> a mission critical app. Thanks.
>>
>> ________________________________
>>
>> From: fx.php_list-bounces at mail.iviking.org on behalf of DC
>> Sent: Mon 12/20/2004 1:43 PM
>> To: FX.php Discussion List
>> Subject: Re: [FX.php List] Stupid Find Question
>>
>> The way I understand it (and what I have seen on the web database by
>> doing a Find Again and looking at what is sitting in the field) the 'eq'
>> parameter wraps the data sent to the find request like so:
>>
>> data sent to FX:
>> $request->AddDBParam ('num_serial', '100', 'eq');
>>
>> resulting string sent to filemaker field find request:
>> ="100"
>>
>> When you do a search with the equals sign, you don't get 1000 or 10000,
>> you just get 100.
>>
>> Correct me if your tests show anything different.
>>
>> Not sure if you know this, but a neat trick to get the even stricter ==
>> find request to work is to prepend the equals sign to the search term
>> and use the 'eq' param.
>>
>> $strict_eq_search = '=' . '100';
>> $request->AddDBParam ('num_serial', $strict_eq_search, 'eq');
>>
>> This allows you to do what filemaker calls 'Field content match' as
>> opposed to the 'eq' param which only does a (so-called) 'Exact match'.
>>
>> I'm using an older FX version, has field content match been added as a
>> parameter option to a new version?
>>
>> Best,
>> dan
>>
>> Milos Vukotic wrote:
>>> I would guess that you'll get for $num_ser = 1
>>> all these records:
>>> 1,11,12,13..,101,...,1000,...,10000,...
>>>
>>> Cheers,
>>> Milos Vukotic
>>>
>>> DC wrote:
>>>
>>>> I've gotten this code to work without a problem:
>>>> foreach ($FK_array as $num_ser)
>>>> {
>>>>     $request->AddDBParam ('num_serial', $num_ser, 'eq');
>>>> }
>>>>
>>>> // tell FMP/FX to do an OR search
>>>> $request->AddDBParam ('-lop', 'or');
>>>> // call the find action
>>>> $result_array = $request->FMFind();
>>>>
>>>> Another thing to check is make sure that you're talking to the right
>>>> layout (one that has the fields you wish to search on). I see 401
>>>> errors all the time when I make a typo in the layout name.
>>>>
>>>> DC
>>>>
>>>> Marisa Smith wrote:
>>>>
>>>>> OK, I KNOW I should know how to do this, but I can't figure it out
>>>>>
>>>>> I need to find all records whose unitid=15  OR  whose
>>>>> unitid=20
>>>>>
>>>>> In Filemaker client, I can do this with a 'new request', but I don't
>>>>> know the equivalent in XML.  I tried this:
>>>>>
>>>>>     $AAHRPPDocQuery->AddDBParam("unitid","15");
>>>>>     $AAHRPPDocQuery->AddDBParam("-lop","or");
>>>>>     $AAHRPPDocQuery->AddDBParam("unitid","20");
>>>>>
>>>>> But I end up with an error 401.
>>>>>
>>>>> What am I missing here?  Or am I trying to do the impossible?
>>>>>
>>>>> Thanks!
>>>>> Marisa
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> Marisa Smith, President
>>>>> DataSmith Consulting, LLC
>>>>> 667 Kuehnle Street
>>>>> Ann Arbor, MI 48103
>>>>> Phone & Fax: (734) 369-3001
>>>>> Cell: (734) 834-2638
>>>>> http://www.datasmithconsulting.net
>>>>> Filemaker Solutions Alliance Associate Member
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> FX.php_List mailing list
>>>>> FX.php_List at mail.iviking.org
>>>>> http://www.iviking.org/mailman/listinfo/fx.php_list
>>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>
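The two defensive ideas raised in this thread, quoting the find value so FileMaker treats '=' and '*' as literal text (Chris's advice) and keeping the password out of the find altogether by comparing a stored hash (Gjermund's suggestion), as one added example. This is not FX.php's own code: it only produces the (field, value, operator) triples you would hand to AddDBParam(), so it runs without FX.php or a FileMaker server. The record shape ('password_hash' => array of repetitions) and the use of password_hash() in place of the sha1() mentioned on the list are assumptions made for this example.

```php
<?php
// Added example, not part of FX.php. Builds literal FileMaker find values
// and keeps the password comparison in PHP rather than in the find request.

/**
 * Wrap a user-supplied value in double quotes so FileMaker's find matches it
 * literally; inside quotes '=', '*', '@' and friends are not operators.
 * A value that itself contains a double quote is refused rather than escaped,
 * because this example deliberately assumes no particular escape syntax.
 */
function fmLiteralFindValue(string $value): ?string
{
    if ($value === '' || strpos($value, '"') !== false) {
        return null;
    }
    return '"' . $value . '"';
}

/**
 * Allow-list check for usernames: letters, digits, dot, underscore, hyphen.
 * This rejects '=' and '*' directly, and also the '&#61;' entity form the
 * original poster asked about, since '&', '#' and ';' are not in the list.
 */
function isSafeUsername(string $username): bool
{
    return (bool) preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username);
}

/**
 * Parameters for the login lookup. Only the username is searched for, with
 * the quoted literal value and the 'eq' operator seen earlier in the thread;
 * the password never becomes part of a find request at all.
 * Returns null when the username fails the allow-list.
 */
function loginFindParams(string $username): ?array
{
    if (!isSafeUsername($username)) {
        return null;
    }
    $literal = fmLiteralFindValue($username);
    if ($literal === null) {
        return null;
    }
    // Hypothetical field name 'username'; pass each triple to AddDBParam().
    return [['username', $literal, 'eq']];
}

/**
 * Check the submitted password against the hash stored on the record found
 * by username. $record is assumed to look like one FX.php result row:
 * field name => array of repetition values (a constructed layout here).
 */
function passwordMatches(array $record, string $password): bool
{
    if (!isset($record['password_hash'][0]) || !is_string($record['password_hash'][0])) {
        return false;
    }
    return password_verify($password, $record['password_hash'][0]);
}

// Constructed inputs: a normal login, and the two wildcard tricks from the thread.
foreach (['alice', '=*', 't*', '&#61;*'] as $candidate) {
    $params = loginFindParams($candidate);
    echo str_pad(var_export($candidate, true), 10), ' => ',
        $params === null ? "refused\n" : json_encode($params) . "\n";
}

// Constructed record as a find on username "alice" might return it.
$record = ['username' => ['alice'], 'password_hash' => [password_hash('s3cret', PASSWORD_DEFAULT)]];
var_dump(passwordMatches($record, 's3cret'));   // true
var_dump(passwordMatches($record, 's3cret*'));  // false: no wildcard in a hash comparison
```

Note the division of labour: the allow-list and quoting keep the username find from turning into a wildcard search, while the hash comparison means a password like 't*' cannot match anything regardless of how FileMaker would have interpreted it in a find.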