[FX.php List] * and login

Jose Sevoya jsevoya at gmail.com
Tue Oct 31 08:28:13 MST 2006


Hi Alex,

When I read your message I immediately thought of FMStudio by
FMWebschool. One of their tutorial videos
(http://www.fmwebschool.com/movies/fmstudio/login/login.html) shows
how to build a login solution. The interesting part is that their
product has a "disable wildcards" feature when specifying data
received from the user.

I have just tried it with my copy of FMStudio, and what do you know -
the * trick did not work. It has been such a time saver so far!

As for other fields that can be used as wildcard matches, there is
the "@" character to replace sections of words, as well as other
special characters. The most secure way is actually to escape the
special characters by adding a "\" before them; that would make the *,
for example, a literal '*' character.

Best,
Jose

On 10/31/06, Alex Gates <alex at gandrpublishing.com> wrote:
> ggt-
>
> The foundCount is 3 - and that's the total number of user/pass combos I
> have.
> So, it finds them all.
>
> Andy's trick worked -- Tom's method does, too.
> Are they both equally secure?
>
>
>
> Alex P. Gates
>
> -----Original Message-----
> From: fx.php_list-bounces at mail.iviking.org
> [mailto:fx.php_list-bounces at mail.iviking.org] On Behalf Of Gjermund
> Gusland Thorsen
> Sent: Tuesday, October 31, 2006 7:35 AM
> To: FX.php Discussion List
> Subject: Re: [FX.php List] * and login
>
> what is then the value of foundCount?
>
> ggt667
>
> On 10/31/06, Alex Gates <alex at gandrpublishing.com> wrote:
> > Hi everyone-
> >
> > I've realized that my login can easily be compromised!  Thankfully I
> > figured this out early in the development process.
> >
> > If I enter * for username and * for password, it logs me in as the
> > latest registered user.
> >
> > This is my search syntax:
> >
> >         $lookup=new FX($serverIP,$webCompanionPort,'FMPro7');
> >         $lookup->SetDBData('Web_Cookbook_Dev.fp7','WebLogin');
> >         $lookup->SetDBPassword('xxxxxx','xxxxxxxx');
> >         $lookup->AddDBParam('Username', $username, 'eq');
> >         $lookup->AddDBParam('Password', $password, 'eq');
> >         $lookupResult=$lookup->FMFind();
> >         $foundResult=$lookupResult['foundCount'];
> >
> >
> > I'm sorry if this has been covered - I searched the archives but I
> > didn't find anything.
> >
> > Is there a way I can modify this search syntax so * can't be used for
> > username and password to log in?
> >
> > Wow - I never realized this was a possibility... I just randomly tried
> > it this morning and was shocked at the result...
> >
> > Thanks in advance!
> >
> > Alex
> >
> >
> > _______________________________________________
> > FX.php_List mailing list
> > FX.php_List at mail.iviking.org
> > http://www.iviking.org/mailman/listinfo/fx.php_list
> >
>
>
>
>
>
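An added example, not code from this thread or from the FX.php project, showing the backslash escaping Jose describes together with a second check on the record the find returns, so that a search value which still matches more broadly than intended cannot log anyone in. It assumes FX.php hands back the hit list in `$result['data']` as records of field name => array of values and the count in `$result['foundCount']`; the field names `Username` and `Password` and the `$lookup` object come from Alex's snippet, and the operator list is taken from FileMaker's documented find symbols.

```php
<?php
// Added example (not from the FX.php list thread or the FX.php project).
// Assumptions: FX.php result arrays carry the hit list in $result['data'],
// each record being field name => array of values, and the record count in
// $result['foundCount'].  Field names Username/Password are from Alex's post.

/**
 * Escape FileMaker find-request operators so the value is matched literally.
 * Operator set taken from FileMaker's documented find symbols (assumed to be
 * sufficient for text fields; extend it for the FileMaker version in use).
 */
function fmEscapeFindValue(string $value): string
{
    // Backslash is in the class so an attacker-supplied "\" is escaped too;
    // the replacement prefixes every listed operator with a single "\".
    return preg_replace('/([\\\\*@#?!=<>~"\/.])/', '\\\\$1', $value);
}

/**
 * Decide whether a find result proves the credentials.  Returns true only if
 * exactly one record came back and its stored Username and Password equal the
 * submitted values byte-for-byte, so the find itself is not the last word.
 */
function loginMatches(array $result, string $username, string $password): bool
{
    // FX.php parses foundCount out of XML, so compare it as an integer.
    if ((int) ($result['foundCount'] ?? 0) !== 1 || empty($result['data'])) {
        return false;
    }
    $record     = reset($result['data']);
    $storedUser = (string) ($record['Username'][0] ?? '');
    $storedPass = (string) ($record['Password'][0] ?? '');
    // hash_equals is a constant-time, case-sensitive comparison with no
    // operator characters, unlike a FileMaker find.
    return hash_equals($storedUser, $username)
        && hash_equals($storedPass, $password);
}

// Usage with FX.php, following Alex's snippet (assumed object name $lookup):
//   $lookup->AddDBParam('Username', fmEscapeFindValue($username), 'eq');
//   $lookup->AddDBParam('Password', fmEscapeFindValue($password), 'eq');
//   $lookupResult = $lookup->FMFind();
//   $loggedIn     = loginMatches($lookupResult, $username, $password);

// Offline demonstration with a constructed result array, shaped as if a
// "*" / "*" search had returned the latest registered user.
$constructedResult = [
    'foundCount' => '1',
    'data'       => ['12.3' => ['Username' => ['alex'], 'Password' => ['s3cret']]],
];
var_dump(fmEscapeFindValue('*'));
var_dump(loginMatches($constructedResult, '*', '*'));
var_dump(loginMatches($constructedResult, 'alex', 's3cret'));
```

The escaping function stops `*`, `@` and the other operators from being interpreted by FileMaker; the second function catches anything the escaping misses by refusing any result that is not exactly one record whose stored values equal what the user typed. If the `Password` field is later replaced by a password hash, `password_verify()` takes the place of the second `hash_equals()` call.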

