[FX.php List] * and login
Tom Sepper
tsepper at dctandt.com
Tue Oct 31 06:34:16 MST 2006
I just tried that in my solution and it didn't work for me.
If it's working for you, I suggest a simple post verify. Something like:
if ($_POST['username'] == "*" || $_POST['password'] == "*") {
    // stop login process and display login <form> again
} else {
    // process login as you do now
}
---
Tom Sepper
Director of Information Technology
Director's Choice Tour & Travel
P 806.762.6354
F 806.763.7637
tsepper at dctandt.com
www.directorschoicetourandtravel.com
-----Original Message-----
From: fx.php_list-bounces at mail.iviking.org
[mailto:fx.php_list-bounces at mail.iviking.org] On Behalf Of Alex Gates
Sent: Tuesday, October 31, 2006 7:26 AM
To: 'FX.php Discussion List'
Subject: [FX.php List] * and login
Hi everyone-
I've realized that my login can easily be compromised! Thankfully I
figured this out early in the development process.
If I enter * for username and * for password, it logs me in as the
latest registered user.
This is my search syntax:
$lookup=new FX($serverIP,$webCompanionPort,'FMPro7');
$lookup->SetDBData('Web_Cookbook_Dev.fp7','WebLogin');
$lookup->SetDBPassword('xxxxxx','xxxxxxxx');
$lookup->AddDBParam('Username', $username, 'eq');
$lookup->AddDBParam('Password', $password, 'eq');
$lookupResult=$lookup->FMFind();
$foundResult=$lookupResult['foundCount'];
I'm sorry if this has been covered - I searched the archives but I
didn't find anything.
Is there a way I can modify this search syntax so * can't be used for
username and password to log in?
Wow - I never realized this was a possibility... I just randomly tried
it this morning and was shocked at the result...
Thanks in advance!
Alex
_______________________________________________
FX.php_List mailing list
FX.php_List at mail.iviking.org
http://www.iviking.org/mailman/listinfo/fx.php_list
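
Added example, not part of either message in this thread: it takes the post-verify idea one step further by checking that the single record the find returned actually carries the submitted values, so a wildcard match cannot authenticate. `login_ok` and the record array shape are hypothetical, and the sample users are constructed.

```php
<?php
// Added example. Function name and record layout are hypothetical.

/**
 * Decide a login from what the find returned, not from foundCount alone.
 * $records: found rows reduced to ['Username' => ..., 'Password' => ...]
 * (assumed shape; map the FMFind() result into it).
 */
function login_ok(string $username, string $password, array $records): bool
{
    // Empty input never authenticates.
    if ($username === '' || $password === '') {
        return false;
    }
    // A wildcard search can match many rows; a real login matches exactly one.
    if (count($records) !== 1) {
        return false;
    }
    $row = $records[0];
    if (!isset($row['Username'], $row['Password'])) {
        return false;
    }
    // Byte-for-byte comparison: "*" only equals a stored value that is literally "*".
    return hash_equals((string) $row['Username'], $username)
        && hash_equals((string) $row['Password'], $password);
}

// Constructed sample data standing in for the WebLogin layout.
$allUsers = [
    ['Username' => 'alice', 'Password' => 'correct horse'],
    ['Username' => 'bob',   'Password' => 'hunter2'],
];

// "*" / "*" finds every record: rejected on the count.
var_dump(login_ok('*', '*', $allUsers));
// Even with a single user in the table, "*" is not the stored value.
var_dump(login_ok('*', '*', [$allUsers[1]]));
// Genuine credentials, one matching record.
var_dump(login_ok('bob', 'hunter2', [$allUsers[1]]));
// Right user, wrong password, but the find still returned a row.
var_dump(login_ok('bob', 'hunter', [$allUsers[1]]));
```

The username comparison here is case-sensitive, which is stricter than a FileMaker find.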