[FX.php List] Stupid Find Question

Chris Hansen chris at iViking.org
Thu Jan 13 11:12:52 MST 2005


Michael,

Here you go (either of these would work):

$query->AddDBParam('email', '"' . $_GET['user'] . '"');

$query->AddDBParam('email', "\"{$_GET['user']}\""); // alternate example

Remember that things work the same in FX.php that they would in  
FileMaker.  So, the quotes need to be there, but you need to send them  
in such a way that they get to FileMaker.  The second example above  
demonstrates how you'd need to set things up if everything was within  
the double quotes.  The curly braces help PHP to delineate a variable  
when present INSIDE double quotes, or a heredoc text block.  The curly  
braces ARE NOT NECESSARY, but can make your code more legible.

Finally, I'd probably not send a user name and password with a GET  
query, since the username and password appear in the URL (why use a  
password field that protects the password from prying eyes, when the  
password will show up in the URL on the next page...)

HTH

--Chris Hansen
   creator of FX.php
   "The best way from FileMaker to the Web."
   www.iViking.org
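To tie the three points in this thread together (DC's allow-list check before anything reaches FMP, the quoting of the value so that FileMaker treats '@' and friends literally, and the ="value" wrapping DC attributes to the 'eq' parameter), here is an added PHP example. It is not code from the FX.php list or from FX.php itself: the RecordingQuery class is a stand-in that only records what AddDBParam would send (an assumption about FX.php's behaviour, modelled from DC's description), and the validation rules, field names and sample inputs are constructed for the example. The login values would come from $_POST rather than $_GET, per the advice above.

```php
<?php
// Added example, not code from the FX.php list or from FX.php itself.
// Assumes an FX.php query object whose AddDBParam($field, $value, $op)
// behaves as the thread describes: with 'eq', FileMaker receives ="value".

/**
 * Allow-list check for a login email. Returns the value when it is safe to
 * hand to FileMaker, null when it must be rejected. Constructed rule: local
 * part and domain limited to letters, digits, '.', '_' and '-', exactly one
 * '@', 64 characters at most. FileMaker find operators such as * ! = < > ~
 * # ? and "..." therefore never get through.
 */
function validate_login_email(string $input): ?string
{
    if (strlen($input) > 64) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9._-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/', $input)) {
        return null;
    }
    return $input;
}

/**
 * Same idea for the password: the 1-16 alphanumeric rule from the thread,
 * widened to '_', '.' and '-', which are not FileMaker find operators.
 */
function validate_password(string $input): ?string
{
    return preg_match('/^[A-Za-z0-9_.\-]{1,16}$/', $input) === 1 ? $input : null;
}

/**
 * Quote a validated value as Chris suggests, so that FileMaker receives
 * "value" and treats characters like '@' inside it literally.
 */
function fm_quoted(string $value): string
{
    return '"' . $value . '"';
}

/**
 * Minimal stand-in for the FX.php query object (assumption: only the one
 * method used here is modelled). It records what each AddDBParam call would
 * send, reproducing the leading '=' the thread attributes to 'eq'.
 */
class RecordingQuery
{
    public $params = [];

    public function AddDBParam(string $field, string $value, string $op = ''): void
    {
        $this->params[$field] = ($op === 'eq') ? '=' . $value : $value;
    }
}

/**
 * Build the login find. Returns null (no find issued at all) when either
 * value fails validation; otherwise the parameters that would go to FileMaker.
 */
function build_login_find(string $email, string $password): ?array
{
    $e = validate_login_email($email);
    $p = validate_password($password);
    if ($e === null || $p === null) {
        return null;
    }
    $query = new RecordingQuery();
    // The quotes are part of the value, as in Chris's example; 'eq' adds '='.
    $query->AddDBParam('email', fm_quoted($e), 'eq');
    $query->AddDBParam('password', fm_quoted($p), 'eq');
    return $query->params;
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: one legitimate login, then values shaped like the
    // wildcard finds the thread warns about.
    $cases = [
        ['name@domain.com', 'secret1'],
        ['name@domain.com', 't*'],       // star wildcard in the password
        ['name@domain.com', 'secret1=='], // operator appended to the password
        ['n@me@domain.com', 'secret1'],   // second '@' in the email
    ];
    foreach ($cases as [$email, $pw]) {
        $find = build_login_find($email, $pw);
        printf("%-18s %-10s => %s\n", $email, $pw,
            $find === null ? 'rejected' : json_encode($find));
    }
}
```

Only the first case produces a find; its recorded parameters are `="name@domain.com"` and `="secret1"`, which is the exact-match form DC describes. The other three never reach FileMaker, which is the point of validating before the find rather than relying on quoting alone.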

On Jan 13, 2005, at 9:49 AM, Michael Layne wrote:

> Sorry to beat the proverbial horse, but in all this, is there an  
> example/solution for a user to use his email address as his login (and  
> a password for his password...)?
>
> user - name at domain.com
>
> password - password
>
> then...
>
> query->AddDBParam('email',$_GET['user']) // doesn't work
>
> query->AddDBParam('email',"$_GET['user']") // doesn't work.
>
> my workaround is stripping the '@' and doing the same in FMP.
>
> Thanks!
>
>
>
>
>
> On Jan 13, 2005, at 11:40 AM, DC wrote:
>
>> Hi Vinnie,
>>
>> Thanks for the helpful reminder about security. The general lesson is:
>> all input values should be validated before being passed on to FMP.
>>
>> Here's *one way* to restrict input data to only 1-16 alphabetical and
>> numerical characters:
>>
>> $allowed_string = '/^[a-zA-Z0-9]{1,16}$/';
>> $test_pass=preg_match($allowed_string,$my_password);
>> if ($test_pass) {//do something here}
>>
>> Sorry just a code snippet, but you should be able to get the idea.  Feel
>> free to expand the character class of your acceptable strings, but watch
>> out for those FMP wildcard characters like * (star), @ (at), ...
>> (ellipsis), and ! (bang).
>>
>> Cheers,
>> dan
>>
>> Vinnie P. Taranto had written:
>>> I was just working on my fx.php and filemaker 6 unlimited solution  
>>> and found something interesting with using 'eq' or "=" or "==" in  
>>> FMFinds on critical text fields like usernames and passwords. I've  
>>> found appending "==" or appending "=" in conjunction with 'eq'  
>>> allows wildcard searches which is very dangerous on user level  
>>> controlled sites. It reminds me of an SQL injection vulnerability a  
>>> while back.
>>>  Does anybody have any other do's or don'ts on username/passwords  
>>> fields/finds. I think it was Chris Hansen who suggested turning on  
>>> indexing and setting it to ASCII for password fields to be able to  
>>> use special characters I think (thanks Chris). I just figured better  
>>> to ask here than find out someone's entered t* as the password and  
>>> logged in to a mission critical app. Thanks.
>>> ________________________________
>>> From: fx.php_list-bounces at mail.iviking.org on behalf of DC
>>> Sent: Mon 12/20/2004 1:43 PM
>>> To: FX.php Discussion List
>>> Subject: Re: [FX.php List] Stupid Find Question
>>> The way I understand it (and what I have seen on the web database by
>>> doing a Find Again and looking at what is sitting in the field) the 'eq'
>>> parameter wraps the data sent to the find request like so:
>>> data sent to FX:
>>> $request->AddDBParam ('num_serial', '100', 'eq');
>>> resulting string sent to filemaker field find request:
>>> ="100"
>>> When you do a search with the equals sign, you don't get 1000 or 10000,
>>> you just get 100.
>>> Correct me if your tests show anything different.
>>> Not sure if you know this, but a neat trick to get the even stricter ==
>>> find request to work is to prepend the equals sign to the search term
>>> and use the 'eq' param.
>>> $strict_eq_search = '=' . '100';
>>> $request->AddDBParam ('num_serial', $strict_eq_search, 'eq');
>>> This allows you to do what filemaker calls 'Field content match' as
>>> opposed to the 'eq' param which only does a (so-called) 'Exact  
>>> match'.
>>> I'm using an older FX version, has field content match been added as a
>>> parameter option to a new version?
>>> Best,
>>> dan
>>> Milos Vukotic wrote:
>>>> I would guess that you'll get for $num_ser = 1
>>>> all this records:
>>>> 1,11,12,13..,101,...,1000,...,10000,...
>>>>
>>>> Cheers,
>>>> Milos Vukotic
>>>>
>>>> DC wrote:
>>>>
>>>>
>>>>> I've gotten this code to work without a problem:
>>>>> foreach ($FK_array as $num_ser)
>>>>> {
>>>>>    $request->AddDBParam ('num_serial', $num_ser, 'eq');
>>>>> }
>>>>>
>>>>> // tell FMP/FX to do an OR search
>>>>> $request-> AddDBParam ('-lop', 'or');
>>>>> // call the find action
>>>>> $result_array = $request-> FMFind();
>>>>>
>>>>> Another thing to check is make sure that you're talking to the right
>>>>> layout (one that has the fields you wish to search on). I see 401
>>>>> errors all the time when I make a typo in the layout name.
>>>>>
>>>>> DC
>>>>>
>>>>> Marisa Smith wrote:
>>>>>
>>>>>
>>>>>> OK, I KNOW I should know how to do this, but I can't figure it out
>>>>>>
>>>>>> I need to find all records whose unitid=15  OR  whose
>>>>>> unitid=20
>>>>>>
>>>>>> In Filemaker client, I can do this with a 'new request', but I don't
>>>>>> know the equivalent in XML.  I tried this:
>>>>>>
>>>>>>    $AAHRPPDocQuery->AddDBParam("unitid","15");
>>>>>>    $AAHRPPDocQuery->AddDBParam("-lop","or");
>>>>>>    $AAHRPPDocQuery->AddDBParam("unitid","20");
>>>>>>
>>>>>> But I end up with an error 401.
>>>>>>
>>>>>> What am I missing here?  Or am I trying to do the impossible?
>>>>>>
>>>>>> Thanks!
>>>>>> Marisa
>>>>>> ---------------------------------------------------------------------
>>>>>> Marisa Smith, President
>>>>>> DataSmith Consulting, LLC
>>>>>> 667 Kuehnle Street
>>>>>> Ann Arbor, MI 48103
>>>>>> Phone & Fax: (734) 369-3001
>>>>>> Cell: (734) 834-2638
>>>>>> http://www.datasmithconsulting.net
>>>>>> Filemaker Solutions Alliance Associate Member
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> FX.php_List mailing list
>>>>>> FX.php_List at mail.iviking.org
>>>>>> http://www.iviking.org/mailman/listinfo/fx.php_list
>>>>>>
>
> Michael Layne  :  9 degrees development  :  www.9degrees.com  :   
> 404.226.7835


