[FX.php List] * and login
Alex Gates
alex at gandrpublishing.com
Tue Oct 31 07:07:40 MST 2006
ggt-
The foundcount is 3 - and that's the total number of user/pass combos I
have.
So, it finds them all.
Andy's trick worked - Tom's method does, too.
Are they both equally secure?
Alex P. Gates
-----Original Message-----
From: fx.php_list-bounces at mail.iviking.org
[mailto:fx.php_list-bounces at mail.iviking.org] On Behalf Of Gjermund
Gusland Thorsen
Sent: Tuesday, October 31, 2006 7:35 AM
To: FX.php Discussion List
Subject: Re: [FX.php List] * and login
what is then the value of foundCount?
ggt667
On 10/31/06, Alex Gates <alex at gandrpublishing.com> wrote:
> Hi everyone-
>
> I've realized that my login can easily be compromised! Thankfully I
> figured this out early in the development process.
>
> If I enter * for username and * for password, it logs me in as the
> latest registered user.
>
> This is my search syntax:
>
> $lookup=new FX($serverIP,$webCompanionPort,'FMPro7');
> $lookup->SetDBData('Web_Cookbook_Dev.fp7','WebLogin');
> $lookup->SetDBPassword('xxxxxx','xxxxxxxx');
> $lookup->AddDBParam('Username', $username, 'eq');
> $lookup->AddDBParam('Password', $password, 'eq');
> $lookupResult=$lookup->FMFind();
> $foundResult=$lookupResult['foundCount'];
>
>
> I'm sorry if this has been covered - I searched the archives but I
> didn't find anything.
>
> Is there a way I can modify this search syntax so * can't be used for
> username and password to log in?
>
> Wow - I never realized this was a possibility... I just randomly tried
> it this morning and was shocked at the result...
>
> Thanks in advance!
>
> Alex
>
>
> _______________________________________________
> FX.php_List mailing list
> FX.php_List at mail.iviking.org
> http://www.iviking.org/mailman/listinfo/fx.php_list
>
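An added example, not code from this thread and not Andy's or Tom's method (neither appears on this page): one way to keep find operators out of the lookup quoted above and to re-check what the find returned. The helper names, the `$find` stand-in for the `FMFind()` call, the operator list, and the `$result['data'][recid]['Field'][0]` layout are assumptions; the field names and `foundCount` come from the quoted post.

```php
<?php
// Single-character FileMaker find operators (assumed list; assumes usernames never need them).
const FIND_OPERATORS = '*@#?!=<>~"\\';

function containsFindOperator(string $value): bool
{
    return strpbrk($value, FIND_OPERATORS) !== false
        || strpos($value, '//') !== false   // today's-date operator
        || strpos($value, '..') !== false;  // range operator
}

function verifyLogin(array $result, string $username, string $password): bool
{
    // Anything other than exactly one hit means the find was broader than a lookup.
    if ((int)($result['foundCount'] ?? 0) !== 1 || empty($result['data'])) {
        return false;
    }
    $record = reset($result['data']);
    $storedUser = (string)($record['Username'][0] ?? '');
    $storedPass = (string)($record['Password'][0] ?? '');
    // Compare what the database returned with what was typed, byte for byte.
    return hash_equals($storedUser, $username) && hash_equals($storedPass, $password);
}

function login(callable $find, string $username, string $password): bool
{
    // Refuse empty input and operator characters before any find is run.
    if ($username === '' || $password === '' || containsFindOperator($username)) {
        return false;
    }
    return verifyLogin($find($username, $password), $username, $password);
}

// Constructed records and a stand-in for the find that mimics the '*' wildcard.
$records = [
    '1.0' => ['Username' => ['alex'], 'Password' => ['s3cret-A']],
    '2.0' => ['Username' => ['tom'],  'Password' => ['s3cret-T']],
];
$find = function (string $u, string $p) use ($records): array {
    $match = fn(string $pat, string $v): bool => $pat === '*' || strcasecmp($pat, $v) === 0;
    $hits = array_filter($records, fn($r) => $match($u, $r['Username'][0]) && $match($p, $r['Password'][0]));
    return ['foundCount' => count($hits), 'data' => $hits];
};

var_dump(login($find, '*', '*'));           // wildcard in both fields
var_dump(login($find, 'alex', '*'));        // wildcard as password only
var_dump(login($find, 'alex', 's3cret-A')); // exact credentials
```

The password is not filtered for operator characters so that users can keep punctuation in it; the comparison after the find is what rejects a wildcard there.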