[FX.php List] character encoding issue?
Dale Bengston
dbengston at preservationstudio.com
Tue Feb 21 08:28:32 MST 2006
Hi Michael,
I hit on something similar. Whenever a user's profile is modified, I
use str_replace to add a modified, searchable version of their email
to another field via FX:
$username = str_replace('@','|',$_POST['email']);
So, when a user profile record is modified, the email field in FMP
contains a valid email: 'dbengston@domain.com', and the search-in
field has: 'dbengston|domain.com'.
(I could use a calc field and Substitute to have a dynamic version of
this, but that will slow down searches if the number of users gets
big. So I decided to stuff the searchable email into a static,
indexable text field.)
Then I use str_replace again to replace the '@' character in the
user-entered email
str_replace('@','|',$_POST['user']);
...before I pass it to FMP in the FX login query.
-Dale
On Feb 18, 2006, at 1:49 PM, Michael Layne wrote:
> Hi all,
>
> I've been using this for quite a while with solid results...
>
> PHP:
> $user = str_replace("@","",$_POST['user']);
> $userpass = $user . "." . $_POST['pass']; // the 'period' can be
> whatever, or nothing, just concatenate the two values on both PHP
> and FM sides
>
> $q = new FX($ip, $port);
> $q->SetDBData($fmdb,'users');
> $q->SetDBPassword($fmpw[0],$fmpw[1]);
> $q->AddDBParam('email_password','==' . $userpass);
> $r = $q->FMFind();
>
> FileMaker:
> field = email_password(calc):
> Substitute ( email ; "@" ; "" )& "." & password
>
> HTH,
>
> Michael
>
>
> DC wrote:
>> andy,
>>
>> be super careful passing superglobals directly into FMP.
>> the code you posted below might be exploited by sending this:
>>
>> http://site.com/login.php?username=*
>>
>> try it and let us know what you find. the "eq" parameter might
>> give you some protection against this asterisk, but i think even
>> that could be thwarted by some clever request.
>>
>> best rule is... don't pass user input directly to anything until
>> it has been sanitized.
>>
>> dan
>>
>> On Feb 16, 2006, at 6:55 PM, Andy Gaunt wrote:
>>
>>> $query->AddDBParam( 'email',
>>> str_replace('@','\@',$_REQUEST['username']),"eq" );
>>
>> _______________________________________________
>> FX.php_List mailing list
>> FX.php_List at mail.iviking.org
>> http://www.iviking.org/mailman/listinfo/fx.php_list
>>
>
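The wildcard bypass dan warns about and the allow-list check the thread keeps circling back to, as an added example that is not code from any of the posters. It assumes a 'users' table with an indexed 'email_search' field holding the address with '@' rewritten to '|' (Dale's scheme); the toy matcher stands in for FX::FMFind() and models only FileMaker's '*' (zero or more characters) and '@' (exactly one character) find wildcards, case-insensitively, so it is not a full model of find mode or of what the "eq" / "==" operators do with a wildcard.

```php
<?php
// Added example, not from the FX.php list thread.
// Shows why "login.php?username=*" matches every user when the raw value reaches the
// find request, and rejects anything but a plain e-mail address before FX sees it.
// The toy matcher models only '*' and '@' of FileMaker find mode (assumption).
declare(strict_types=1);

/** Convert a FileMaker-style find string into an anchored PCRE pattern (toy model). */
function fm_find_to_regex(string $find): string
{
    $out = '';
    foreach (str_split($find) as $ch) {
        $out .= match ($ch) {
            '*'     => '.*',                 // zero or more characters
            '@'     => '.',                  // exactly one character
            default => preg_quote($ch, '/'), // everything else is literal
        };
    }
    return '/^' . $out . '$/i';
}

/** Toy stand-in for FX::FMFind(): records whose $field matches the find string. */
function toy_fm_find(array $records, string $field, string $find): array
{
    $re = fm_find_to_regex($find);
    return array_values(array_filter(
        $records,
        fn(array $r) => preg_match($re, $r[$field]) === 1
    ));
}

/**
 * Strict allow-list for the login value. Returns the searchable form
 * ('@' rewritten to '|', as stored in email_search) or null to refuse the request.
 * Only letters, digits and . _ + - are allowed around a single '@', and no '..',
 * so no FileMaker find operator (* @ # ? ! = < > " ~ / ...) can get through.
 */
function fm_login_value(string $raw): ?string
{
    $email = '/^(?!.*\.\.)[A-Za-z0-9._+-]{1,64}@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$/';
    if (preg_match($email, $raw) !== 1) {
        return null;
    }
    return str_replace('@', '|', $raw);
}

/** Login lookup with the check in front of the (toy) find. */
function login_lookup(array $users, string $submitted): string
{
    $value = fm_login_value($submitted);
    if ($value === null) {
        return "refused: '$submitted' is not a plain e-mail address";
    }
    $hits = toy_fm_find($users, 'email_search', $value);
    return count($hits) . " record(s) found for '$value'";
}

// Constructed sample records, not real users.
$users = [
    ['email_search' => 'alice|example.com', 'name' => 'Alice'],
    ['email_search' => 'bob|example.org',   'name' => 'Bob'],
];

// Unsanitised input straight into the find: '*' matches everyone,
// and a trailing '@' still matches Alice by standing in for the last letter.
echo count(toy_fm_find($users, 'email_search', '*')),                  " record(s) for '*'\n";
echo count(toy_fm_find($users, 'email_search', 'alice|example.co@')), " record(s) for 'alice|example.co@'\n";

// The same inputs behind the allow-list: the wildcard never reaches FX.
echo login_lookup($users, '*'), "\n";
echo login_lookup($users, 'alice|example.co@'), "\n";
echo login_lookup($users, 'alice@example.com'), "\n";
```

The point of the allow-list is that it does not depend on how FileMaker interprets "eq", "==", or a backslash in front of '@', which is exactly the part dan was unsure about: a value that passed fm_login_value() contains no operator characters at all, so AddDBParam() can be handed the result as-is. The password side of the lookup is not modelled here.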