[FX.php List] Stupid Find Question

DC dan.cynosure at dbmscan.com
Thu Jan 13 09:40:18 MST 2005


Hi Vinnie,

Thanks for the helpful reminder about security. The general lesson is:
all input values should be validated before being passed on to FMP.

Here's *one way* to restrict input data to only 1-16 alphabetical and
numerical characters:

$allowed_string = '/^[a-zA-Z0-9]{1,16}$/';
$test_pass = preg_match($allowed_string, $my_password);
if ($test_pass) {
    // do something here
}

Sorry just a code snippet, but you should be able to get the idea. Feel
free to expand the character class of your acceptable strings, but watch
out for those FMP wildcard characters like * (star), @ (at), ...
(ellipsis), and ! (bang).

Cheers,
dan
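As an added example (not from the list post, and not FX.php's own code), the allowlist check above and the '=' prefix trick from the quoted message below, combined into plain PHP that builds the (field, value, op) triples a login find would hand to AddDBParam. The D modifier on the pattern, the function names, and the field names 'username' and 'password' are my assumptions.

```php
<?php
// Added example (not from the list post or FX.php itself). Plain PHP: it
// validates inputs and builds the (field, value, op) triples that would be
// passed to $request->AddDBParam() for a username/password find.

// Allowlist from dan's snippet: 1-16 letters or digits. The D modifier makes
// $ match only at the very end, so "t*\n" cannot sneak past the check.
// Every FileMaker find operator the thread mentions (* @ ... ! =) falls
// outside the class and is rejected.
const FMP_SAFE_VALUE = '/^[a-zA-Z0-9]{1,16}$/D';

function is_safe_find_value(string $value): bool
{
    return preg_match(FMP_SAFE_VALUE, $value) === 1;
}

// The 'eq' op wraps the value as ="value" (FileMaker's "exact match").
// Per the quoted message, prepending '=' to the value and still using 'eq'
// gives the stricter == "field content match".
function strict_eq_value(string $value): string
{
    if (!is_safe_find_value($value)) {
        throw new InvalidArgumentException('refusing unsafe find value');
    }
    return '=' . $value;
}

// Returns the AddDBParam triples for a login find, or null when either
// input fails validation. A null result should be treated as a failed
// login and never sent to FileMaker.
function login_find_params(string $username, string $password): ?array
{
    if (!is_safe_find_value($username) || !is_safe_find_value($password)) {
        return null;
    }
    return [
        ['username', strict_eq_value($username), 'eq'],
        ['password', strict_eq_value($password), 'eq'],
    ];
}

// Constructed inputs: a normal login, then the "t*" wildcard from the
// thread, then a value carrying a trailing newline.
foreach ([['alice', 'Secret42'], ['alice', 't*'], ["alice\n", 'Secret42']] as [$u, $p]) {
    $params = login_find_params($u, $p);
    printf("%-10s %-12s -> %s\n", json_encode($u), json_encode($p),
        $params === null ? 'REJECTED' : json_encode($params));
}
```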

Vinnie P. Taranto had written:
> I was just working on my fx.php and filemaker 6 unlimited solution and found something interesting with using 'eq' or "=" or "==" in FMFinds on critical text fields like usernames and passwords. I've found appending "==" or appending "=" in conjunction with 'eq' allows wildcard searches which is very dangerous on user level controlled sites. It reminds me of an SQL injection vulnerability a while back.
>  
> Does anybody have any other do's or don'ts on username/password fields/finds? I think it was Chris Hansen who suggested turning on indexing and setting it to ASCII for password fields to be able to use special characters I think (thanks Chris). I just figured better to ask here than find out someone's entered t* as the password and logged in to a mission critical app. Thanks.
> 
> ________________________________
> 
> From: fx.php_list-bounces at mail.iviking.org on behalf of DC
> Sent: Mon 12/20/2004 1:43 PM
> To: FX.php Discussion List
> Subject: Re: [FX.php List] Stupid Find Question
> 
> 
> 
> The way I understand it (and what I have seen on the web database by
> doing a Find Again and looking at what is sitting in the field) the 'eq'
> parameter wraps the data sent to the find request like so:
> 
> data sent to FX:
> $request->AddDBParam ('num_serial', '100', 'eq');
> 
> resulting string sent to filemaker field find request:
> ="100"
> 
> When you do a search with the equals sign, you don't get 1000 or 10000,
> you just get 100.
> 
> Correct me if your tests show anything different.
> 
> Not sure if you know this, but a neat trick to get the even stricter ==
> find request to work is to prepend the equals sign to the search term
> and use the 'eq' param.
> 
> $strict_eq_search = '=' . '100';
> $request->AddDBParam ('num_serial', $strict_eq_search, 'eq');
> 
> This allows you to do what filemaker calls 'Field content match' as
> opposed to the 'eq' param which only does a (so-called) 'Exact match'.
> 
> I'm using an older FX version, has field content match been added as a
> parameter option to a new version?
> 
> Best,
> dan
> 
> Milos Vukotic wrote:
> 
>>I would guess that for $num_ser = 1 you'll get
>>all these records:
>>1,11,12,13..,101,...,1000,...,10000,...
>>
>>Cheers,
>>Milos Vukotic
>>
>>DC wrote:
>>
>>
>>>I've gotten this code to work without a problem:
>>>foreach ($FK_array as $num_ser)
>>>{
>>>    $request->AddDBParam ('num_serial', $num_ser, 'eq');
>>>}
>>>
>>>// tell FMP/FX to do an OR search
>>>$request->AddDBParam ('-lop', 'or');
>>>// call the find action
>>>$result_array = $request->FMFind();
>>>
>>>Another thing to check is make sure that you're talking to the right
>>>layout (one that has the fields you wish to search on). I see 401
>>>errors all the time when I make a typo in the layout name.
>>>
>>>DC
>>>
>>>Marisa Smith wrote:
>>>
>>>
>>>>OK, I KNOW I should know how to do this, but I can't figure it out.
>>>>
>>>>I need to find all records whose unitid=15  OR  whose
>>>>unitid=20
>>>>
>>>>In Filemaker client, I can do this with a 'new request', but I don't
>>>>know
>>>>the equivalent in XML.  I tried this:
>>>>
>>>>    $AAHRPPDocQuery->AddDBParam("unitid","15");
>>>>    $AAHRPPDocQuery->AddDBParam("-lop","or");
>>>>    $AAHRPPDocQuery->AddDBParam("unitid","20");
>>>>
>>>>But I end up with an error 401.
>>>>
>>>>What am I missing here?  Or am I trying to do the impossible?
>>>>
>>>>Thanks!
>>>>Marisa
>>>>---------------------------------------------------------------------
>>>>Marisa Smith, President
>>>>DataSmith Consulting, LLC
>>>>667 Kuehnle Street
>>>>Ann Arbor, MI 48103
>>>>Phone & Fax: (734) 369-3001
>>>>Cell: (734) 834-2638
>>>>http://www.datasmithconsulting.net
>>>>Filemaker Solutions Alliance Associate Member
>>>>
>>>>
>>>>_______________________________________________
>>>>FX.php_List mailing list
>>>>FX.php_List at mail.iviking.org
>>>>http://www.iviking.org/mailman/listinfo/fx.php_list
>>>>
>>>
>>
>>
> 