[FX.php List] Stupid Find Question

Michael Layne fx at 9degrees.com
Thu Jan 13 09:49:57 MST 2005


Sorry to beat the proverbial horse, but in all this, is there an  
example/solution for a user to use his email address as his login (and  
a password for his password...)?

user - name@domain.com

password - password

then...

$query->AddDBParam('email',$_GET['user']) // doesn't work

$query->AddDBParam('email',"$_GET['user']") // doesn't work.

my workaround is stripping the '@' and doing the same in FMP.

Thanks!





On Jan 13, 2005, at 11:40 AM, DC wrote:

> Hi Vinnie,
>
> Thanks for the helpful reminder about security. The general lesson is:
> all input values should be validated before being passed on to FMP.
>
> Here's *one way* to restrict input data to only 1-16 alphabetical and
> numerical characters:
>
> $allowed_string = '/^[a-zA-Z0-9]{1,16}$/';
> $test_pass = preg_match($allowed_string, $my_password);
> if ($test_pass) { /* do something here */ }
>
> Sorry just a code snippet, but you should be able to get the idea. Feel
> free to expand the character class of your acceptable strings, but watch
> out for those FMP wildcard characters like * (star), @ (at), ...
> (ellipsis), and ! (bang).
>
> Cheers,
> dan
>
> Vinnie P. Taranto had written:
>> I was just working on my fx.php and filemaker 6 unlimited solution  
>> and found something interesting with using 'eq' or "=" or "==" in  
>> FMFinds on critical text fields like usernames and passwords. I've  
>> found appending "==" or appending "=" in conjunction with 'eq' allows  
>> wildcard searches which is very dangerous on user level controlled  
>> sites. It reminds me of an SQL injection vulnerability a while back.
>>  Does anybody have any other do's or don'ts on username/passwords  
>> fields/finds. I think it was Chris Hansen who suggested turning on  
>> indexing and setting it to ASCII for password fields to be able to  
>> use special characters I think (thanks Chris). I just figured better  
>> to ask here than find out someone's entered t* as the password and  
>> logged in to a mission critical app. Thanks.
>> ________________________________
>> From: fx.php_list-bounces at mail.iviking.org on behalf of DC
>> Sent: Mon 12/20/2004 1:43 PM
>> To: FX.php Discussion List
>> Subject: Re: [FX.php List] Stupid Find Question
>> The way I understand it (and what I have seen on the web database by
>> doing a Find Again and looking at what is sitting in the field) the 'eq'
>> parameter wraps the data sent to the find request like so:
>> data sent to FX:
>> $request->AddDBParam ('num_serial', '100', 'eq');
>> resulting string sent to filemaker field find request:
>> ="100"
>> When you do a search with the equals sign, you don't get 1000 or 10000,
>> you just get 100.
>> Correct me if your tests show anything different.
>> Not sure if you know this, but a neat trick to get the even stricter ==
>> find request to work is to prepend the equals sign to the search term
>> and use the 'eq' param.
>> $strict_eq_search = '=' . '100';
>> $request->AddDBParam ('num_serial', $strict_eq_search, 'eq');
>> This allows you to do what filemaker calls 'Field content match' as
>> opposed to the 'eq' param which only does a (so-called) 'Exact match'.
>> I'm using an older FX version, has field content match been added as a
>> parameter option to a new version?
>> Best,
>> dan
>> Milos Vukotic wrote:
>>> I would guess that you'll get for $num_ser = 1
>>> all these records:
>>> 1,11,12,13..,101,...,1000,...,10000,...
>>>
>>> Cheers,
>>> Milos Vukotic
>>>
>>> DC wrote:
>>>
>>>
>>>> I've gotten this code to work without a problem:
>>>> foreach ($FK_array as $num_ser)
>>>> {
>>>>    $request->AddDBParam ('num_serial', $num_ser, 'eq');
>>>> }
>>>>
>>>> // tell FMP/FX to do an OR search
>>>> $request->AddDBParam ('-lop', 'or');
>>>> // call the find action
>>>> $result_array = $request->FMFind();
>>>>
>>>> Another thing to check is make sure that you're talking to the right
>>>> layout (one that has the fields you wish to search on). I see 401
>>>> errors all the time when I make a typo in the layout name.
>>>>
>>>> DC
>>>>
>>>> Marisa Smith wrote:
>>>>
>>>>
>>>>> OK, I KNOW I should know how to do this, but I can't figure it out
>>>>>
>>>>> I need to find all records whose unitid=15 OR whose unitid=20
>>>>>
>>>>> In Filemaker client, I can do this with a 'new request', but I don't
>>>>> know the equivalent in XML.  I tried this:
>>>>>
>>>>>    $AAHRPPDocQuery->AddDBParam("unitid","15");
>>>>>    $AAHRPPDocQuery->AddDBParam("-lop","or");
>>>>>    $AAHRPPDocQuery->AddDBParam("unitid","20");
>>>>>
>>>>> But I end up with an error 401.
>>>>>
>>>>> What am I missing here?  Or am I trying to do the impossible?
>>>>>
>>>>> Thanks!
>>>>> Marisa
>>>>> ---------------------------------------------------------------------
>>>>> Marisa Smith, President
>>>>> DataSmith Consulting, LLC
>>>>> 667 Kuehnle Street
>>>>> Ann Arbor, MI 48103
>>>>> Phone & Fax: (734) 369-3001
>>>>> Cell: (734) 834-2638
>>>>> http://www.datasmithconsulting.net
>>>>> Filemaker Solutions Alliance Associate Member
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> FX.php_List mailing list
>>>>> FX.php_List at mail.iviking.org
>>>>> http://www.iviking.org/mailman/listinfo/fx.php_list
>>>>>

Michael Layne  :  9 degrees development  :  www.9degrees.com  :  404.226.7835
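The thread's advice, pulled together into one runnable piece of PHP: allow-list every value before it reaches an FMP find (dan's 1-16 alphanumeric rule), keep the find-operator characters the thread names (* @ ! = ...) out of the data, handle an e-mail address as a login by validating it in PHP and then mapping the '@' away (Michael's workaround), and use the '=' + 'eq' combination for a field-content match. This is an added example, not code from the list or from FX.php; the field names email_key and password, the '_at_' substitution (the FileMaker field is assumed to store addresses in the same form), and the RecordingQuery stand-in for an FX query object are assumptions.

```php
<?php
// Added example, not code from the FX.php list thread or the FX.php project.

// Find-operator characters named in the thread. A value containing any of
// them must never be sent as search data, because FMP would treat it as a
// pattern instead of a literal.
const FMP_FIND_OPERATORS = ['*', '@', '!', '=', '...'];

function containsFmpOperator(string $value): bool
{
    foreach (FMP_FIND_OPERATORS as $op) {
        if (strpos($value, $op) !== false) {
            return true;
        }
    }
    return false;
}

// dan's rule from the thread: 1-16 ASCII letters or digits, nothing else.
function isValidPassword(string $password): bool
{
    return preg_match('/^[a-zA-Z0-9]{1,16}$/', $password) === 1;
}

// A login that is an e-mail address. The '@' is legitimate in the address
// but is an FMP wildcard, so the address is checked in PHP first and then
// mapped to a form with no operator characters before it is used in a find.
function isValidLoginEmail(string $email): bool
{
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Tighter than what filter_var accepts (RFC 5322 allows '*' and '!' in
    // the local part): only characters that are safe once '@' is substituted.
    return preg_match('/^[a-zA-Z0-9._-]{1,64}@[a-zA-Z0-9.-]{1,190}$/', $email) === 1;
}

// Michael's workaround made reversible: replace '@' rather than strip it.
// Assumed: the FileMaker field stores addresses in exactly this form.
function loginKeyForFmp(string $email): string
{
    return strtolower(str_replace('@', '_at_', $email));
}

// Stand-in for an FX.php query object (assumed); it only records what
// AddDBParam would send, so the example runs without FileMaker.
class RecordingQuery
{
    public array $params = [];

    public function AddDBParam(string $field, string $value, string $op = ''): void
    {
        $this->params[] = [$field, $value, $op];
    }
}

// Returns the recorded find parameters, or null when either value fails
// validation; in that case nothing is added to the request at all.
function buildLoginFind(RecordingQuery $query, string $email, string $password): ?array
{
    if (!isValidLoginEmail($email) || !isValidPassword($password)) {
        return null;
    }
    $key = loginKeyForFmp($email);
    // Belt and braces: the allow-lists above already exclude these, so this
    // only fires if someone later loosens a regex.
    if (containsFmpOperator($key) || containsFmpOperator($password)) {
        return null;
    }
    // The thread's recipe: prepend '=' and pass 'eq' so FMP performs the
    // stricter field-content match (=="value") rather than ="value".
    $query->AddDBParam('email_key', '=' . $key, 'eq');      // field name assumed
    $query->AddDBParam('password', '=' . $password, 'eq');  // field name assumed
    return $query->params;
}

// Constructed inputs: the thread's example login plus the shapes it warns about.
$cases = [
    ['name@domain.com', 'password'],   // the login from the original question
    ['name@domain.com', 't*'],         // wildcard in the password
    ['name@domain.com', '=='],         // operator-only password
    ['name*@domain.com', 'password'],  // wildcard inside the login
];
foreach ($cases as [$email, $password]) {
    $result = buildLoginFind(new RecordingQuery(), $email, $password);
    printf("%-20s %-10s -> %s\n", $email, $password,
        $result === null ? 'rejected' : json_encode($result));
}
```

Run it with `php` on the command line: only the first case produces find parameters, and the value that reaches the email field is `=name_at_domain.com`, which contains none of the characters FMP would interpret as an operator.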