[FX.php List] * and login

Alex Gates alex at gandrpublishing.com
Tue Oct 31 06:51:00 MST 2006


Andy,

This works great - thank you!  
Is there anything else that I may be neglecting with this type of search
syntax?  Is this relatively secure?

Thanks again for your help... I'm glad I found this when I did...


Alex P. Gates

-----Original Message-----
From: fx.php_list-bounces at mail.iviking.org
[mailto:fx.php_list-bounces at mail.iviking.org] On Behalf Of Andy Gaunt
Sent: Tuesday, October 31, 2006 7:40 AM
To: 'FX.php Discussion List'
Subject: RE: [FX.php List] * and login

Alex,

Have you tried wrapping your search criteria in double quotes? In
FileMaker this would cause it to find the literal text.


In the example below the double quote is surrounded by a pair of single
quotes and the $variable is appended with a period (.)

	$lookup=new FX($serverIP,$webCompanionPort,'FMPro7');
	$lookup->SetDBData('Web_Cookbook_Dev.fp7','WebLogin');
	$lookup->SetDBPassword('xxxxxx','xxxxxxxx');
	$lookup->AddDBParam('Username','"'.$username.'"', 'eq');
	$lookup->AddDBParam('Password','"'.$password.'"', 'eq');
	$lookupResult=$lookup->FMFind(); 
	$foundResult=$lookupResult['foundCount'];


HTH

Andy Gaunt
Office: 321.206.3658
Mobile: 407.810.4722
andy at fmpug.com
http://www.fmpug.com    

2006 FileMaker Excellence Award Winner
Recipient of FileMaker's 2005 "Mad Dog" Public Relations Award

For chapter locations, dates & times please visit the website at
http://www.fmpug.com If you can make it to a meeting, please RSVP at
http://www.fmpug.com/rsvp.php

-----Original Message-----
From: fx.php_list-bounces at mail.iviking.org
[mailto:fx.php_list-bounces at mail.iviking.org] On Behalf Of Alex Gates
Sent: Tuesday, October 31, 2006 8:26 AM
To: 'FX.php Discussion List'
Subject: [FX.php List] * and login

Hi everyone-

I've realized that my login can easily be compromised!  Thankfully I
figured this out early in the development process.

If I enter * for username and * for password, it logs me in as the
latest registered user.

This is my search syntax:

	$lookup=new FX($serverIP,$webCompanionPort,'FMPro7');
	$lookup->SetDBData('Web_Cookbook_Dev.fp7','WebLogin');
	$lookup->SetDBPassword('xxxxxx','xxxxxxxx');
	$lookup->AddDBParam('Username', $username, 'eq');
	$lookup->AddDBParam('Password', $password, 'eq');
	$lookupResult=$lookup->FMFind(); 
	$foundResult=$lookupResult['foundCount'];


I'm sorry if this has been covered - I searched the archives but I
didn't find anything.

Is there a way I can modify this search syntax so * can't be used for
username and password to log in?

Wow - I never realized this was a possibility... I just randomly tried
it this morning and was shocked at the result...

Thanks in advance!

Alex


_______________________________________________
FX.php_List mailing list
FX.php_List at mail.iviking.org
http://www.iviking.org/mailman/listinfo/fx.php_list
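
Added example, not part of the original thread and not FX.php's own code: a pre-check for the login find discussed above. It wraps each value as a FileMaker literal, rejects values that would break that quoting, and treats only a found count of exactly 1 as a login. The helper names (fm_literal, login_criteria, login_accepted) and the 64-character limit are assumptions for illustration.

```php
<?php
// Added example (hypothetical helpers, not FX.php code).

// Wrap a value for a FileMaker literal-text find, or return null to reject it.
function fm_literal(string $value, int $maxLen = 64): ?string
{
    if ($value === '' || strlen($value) > $maxLen) {
        return null;                  // never send an empty or oversized criterion
    }
    // A double quote would end the literal early and a backslash is
    // FileMaker's escape character, so neither may appear in the value.
    if (strpbrk($value, "\"\\") !== false) {
        return null;
    }
    if (preg_match('/[[:cntrl:]]/', $value)) {
        return null;                  // control characters do not belong in a login field
    }
    return '"' . $value . '"';
}

// Both fields must pass; returns [usernameCriterion, passwordCriterion] or null.
function login_criteria(string $username, string $password): ?array
{
    $u = fm_literal($username);
    $p = fm_literal($password);
    return ($u === null || $p === null) ? null : [$u, $p];
}

// Zero matches or more than one match is a failed login.
function login_accepted($foundCount): bool
{
    return (int) $foundCount === 1;
}

// Constructed sample submissions, printed with the criteria that would be sent.
$samples = [['alex', 's3cret'], ['*', '*'], ['alex"', 'x'], ['', 'x']];
foreach ($samples as [$u, $p]) {
    $c = login_criteria($u, $p);
    $out = $c === null ? 'rejected before the find' : "find {$c[0]} / {$c[1]}";
    echo json_encode([$u, $p]), ' => ', $out, "\n";
}

// In the login script from the thread the helpers would be used like this:
//   $c = login_criteria($username, $password);   // null: deny without querying
//   $lookup->AddDBParam('Username', $c[0], 'eq');
//   $lookup->AddDBParam('Password', $c[1], 'eq');
//   $lookupResult = $lookup->FMFind();
//   $ok = login_accepted($lookupResult['foundCount']);
```

The "*" / "*" submission passes validation but is sent as the quoted literal, so it can only match a record whose fields actually contain an asterisk.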

