[FX.php List] character encoding issue?

Dale Bengston dbengston at preservationstudio.com
Tue Feb 21 08:28:32 MST 2006


Hi Michael,

I hit on something similar. Whenever a user's profile is modified, I  
use str_replace to add a modified, searchable version of their email  
to another field via FX:
	$username = str_replace('@','|',$_POST['email']);

So, when a user profile record is modified, the email field in FMP  
contains a valid email: 'dbengston at domain.com', and the search-in  
field has: 'dbengston|domain.com'.

(I could use a calc field and Substitute to have a dynamic version of  
this, but that will slow down searches if the number of users gets  
big. So I decided to stuff the searchable email into a static,  
indexable text field.)

Then I use str_replace again to replace the '@' character in the  
user-entered email
	str_replace('@','|',$_POST['user']);

...before I pass it to FMP in the FX login query.

-Dale

On Feb 18, 2006, at 1:49 PM, Michael Layne wrote:

> Hi all,
>
> I've been using this for quite a while with solid results...
>
> PHP:
> $user = str_replace("@","",$_POST['user']);
> $userpass = $user . "." .  $_POST['pass']; // the 'period' can be  
> whatever, or nothing, just concatenate the two values on both PHP  
> and FM sides
>
>     $q = new FX($ip, $port);
>     $q->SetDBData($fmdb,'users');
>     $q->SetDBPassword($fmpw[0],$fmpw[1]);
>     $q->AddDBParam('email_password','==' . $userpass);
>     $r = $q->FMFind();
>
> FileMaker:
> field = email_password(calc):
> Substitute ( email ; "@" ; "" )& "." & password
>
> HTH,
>
> Michael
>
>
> DC wrote:
>> andy,
>>
>> be super careful passing superglobals directly into FMP.
>> the code you posted below might be exploited by sending this:
>>
>> http://site.com/login.php?username=*
>>
>> try it and let us know what you find. the "eq" parameter might  
>> give you some protection against this asterisk, but i think even  
>> that could be thwarted by some clever request.
>>
>> best rule is... don't pass user input directly to anything until  
>> it has been sanitized.
>>
>> dan
>>
>> On Feb 16, 2006, at 6:55 PM, Andy Gaunt wrote:
>>
>>> $query->AddDBParam( 'email',
>>> str_replace('@','\@',$_REQUEST['username']),"eq" );
>>
>> _______________________________________________
>> FX.php_List mailing list
>> FX.php_List at mail.iviking.org
>> http://www.iviking.org/mailman/listinfo/fx.php_list
>>

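As an added example (not code from anyone in the thread), a PHP helper that combines the ideas discussed above: validate the submitted email, map '@' to '|' to match the static searchable field, refuse any remaining FileMaker find-operator characters instead of escaping them, and prefix the value with '==' so FileMaker matches the entire field. The field name 'email_search' and the function name are assumptions; the operator list is FileMaker's find syntax.

```php
<?php
// Added example, not from the thread. Builds a safe value for an FX.php
// AddDBParam() login find against a static, searchable copy of the email.

// Characters FileMaker interprets as find operators in a request. A login
// value should never contain them, so reject rather than escape each one.
const FM_FIND_OPERATORS = ['*', '@', '#', '?', '!', '=', '<', '>', '"', '~', '\\'];

/**
 * Returns the exact-match value for the searchable field, or null when the
 * submitted email is invalid or contains find-operator characters.
 */
function fmLoginValue(string $rawEmail): ?string
{
    $email = trim($rawEmail);

    // Reject anything that is not a syntactically valid address. This alone
    // stops a bare '*' from turning the login find into "every user".
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // Map '@' to '|' exactly as the stored search-in field does, then refuse
    // any remaining operator character (RFC 5322 allows some of them in the
    // local part, so the email filter is not enough on its own).
    $searchable = str_replace('@', '|', $email);
    foreach (FM_FIND_OPERATORS as $op) {
        if (strpos($searchable, $op) !== false) {
            return null;
        }
    }
    // '..' and '//' are multi-character find operators (range, today).
    if (strpos($searchable, '..') !== false || strpos($searchable, '//') !== false) {
        return null;
    }

    // '==' asks FileMaker to match the entire field contents, so a partial
    // or wildcard match cannot succeed.
    return '==' . $searchable;
}

// Usage with FX.php (hypothetical field name 'email_search'):
//   $value = fmLoginValue($_POST['user']);
//   if ($value === null) { /* treat as a failed login, do not query */ }
//   $q->AddDBParam('email_search', $value);

var_dump(fmLoginValue('dbengston@domain.com')); // string "==dbengston|domain.com"
var_dump(fmLoginValue('*'));                    // NULL
var_dump(fmLoginValue('a*@domain.com'));        // NULL
```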