[FX.php List] * and login

Alex Gates alex at gandrpublishing.com
Tue Oct 31 08:53:39 MST 2006


Jose-

Thanks for your reply... the interesting thing is that I had the idea to
try out * after watching the FMStudio videos... and I did see their
disable wildcard option - - I'd be curious to see how the "disable
wildcard" code looks...

What are your thoughts on FMStudio?  Do you feel that if you have a
pretty good understanding of performing queries and working with arrays
in php that the FMStudio may not be so helpful?  Or, even if you've
become quite familiar with queries and arrays, is FMStudio still worth
it?

Alex P. Gates

-----Original Message-----
From: fx.php_list-bounces at mail.iviking.org
[mailto:fx.php_list-bounces at mail.iviking.org] On Behalf Of Jose Sevoya
Sent: Tuesday, October 31, 2006 9:28 AM
To: FX.php Discussion List
Subject: Re: [FX.php List] * and login

Hi Alex,

When I read your message I immediately thought of FMStudio by
FMWebschool. One of their tutorial videos
(http://www.fmwebschool.com/movies/fmstudio/login/login.html) shows
how to build a login solution. The interesting part is that their
product has a "disable wildcards" feature when specifying data
received from the user.

I have just tried it with my copy of FMStudio, and what do you know -
the * trick did not work. It has been such a time saver so far!

As for other fields that can be used as wildcard matches, there is
the "@" character to replace sections of words as well as other
special characters. The most secure way is actually to escape the
special characters by adding a "\" before them; that would make the *,
for example, a literal '*' character.

Best,
Jose

On 10/31/06, Alex Gates <alex at gandrpublishing.com> wrote:
> ggt-
>
> The foundcount is 3 - and that's the total number of user/pass combos I
> have.
> So, it finds them all.
>
> Andy's trick worked - -  Tom's method does, too.
> Are they both equally secure?
>
>
>
> Alex P. Gates
>
> -----Original Message-----
> From: fx.php_list-bounces at mail.iviking.org
> [mailto:fx.php_list-bounces at mail.iviking.org] On Behalf Of Gjermund
> Gusland Thorsen
> Sent: Tuesday, October 31, 2006 7:35 AM
> To: FX.php Discussion List
> Subject: Re: [FX.php List] * and login
>
> what is then the value of foundCount?
>
> ggt667
>
> On 10/31/06, Alex Gates <alex at gandrpublishing.com> wrote:
> > Hi everyone-
> >
> > I've realized that my login can easily be compromised!  Thankfully I
> > figured this out early in the development process.
> >
> > If I enter * for username and * for password, it logs me in as the
> > latest registered user.
> >
> > This is my search syntax:
> >
> >         $lookup=new FX($serverIP,$webCompanionPort,'FMPro7');
> >         $lookup->SetDBData('Web_Cookbook_Dev.fp7','WebLogin');
> >         $lookup->SetDBPassword('xxxxxx','xxxxxxxx');
> >         $lookup->AddDBParam('Username', $username, 'eq');
> >         $lookup->AddDBParam('Password', $password, 'eq');
> >         $lookupResult=$lookup->FMFind();
> >         $foundResult=$lookupResult['foundCount'];
> >
> >
> > I'm sorry if this has been covered - I searched the archives but I
> > didn't find anything.
> >
> > Is there a way I can modify this search syntax so * can't be used for
> > username and password to log in?
> >
> > Wow - I never realized this was a possibility... I just randomly tried
> > it this morning and was shocked at the result...
> >
> > Thanks in advance!
> >
> > Alex
> >
> >
> > _______________________________________________
> > FX.php_List mailing list
> > FX.php_List at mail.iviking.org
> > http://www.iviking.org/mailman/listinfo/fx.php_list
> >
_______________________________________________
FX.php_List mailing list
FX.php_List at mail.iviking.org
http://www.iviking.org/mailman/listinfo/fx.php_list
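
The backslash escaping described in the thread, as an added example that is not part of the original messages and is not FX.php or FMStudio code. The function names, the operator list, the simplified matching model and the sample records are all assumptions made for illustration.

```php
<?php
// Added example: not code from the thread, FX.php, or FMStudio.
// Assumed operator set; verify it against your FileMaker version's find operators.
const FM_FIND_OPERATORS = '\\@*#?!=<>"~';

// Prefix each operator (and "\" itself) with "\" so it is matched literally.
function fm_escape_find(string $value): string
{
    $map = [];
    foreach (str_split(FM_FIND_OPERATORS) as $ch) {
        $map[$ch] = '\\' . $ch;
    }
    return strtr($value, $map); // single pass, so added backslashes are not re-escaped
}

// Simplified model of a find (assumption: only "*", "@", "\" handled); no server needed.
function model_match(string $criterion, string $field): bool
{
    $re = '';
    for ($i = 0, $n = strlen($criterion); $i < $n; $i++) {
        $c = $criterion[$i];
        if ($c === '\\' && $i + 1 < $n) {
            $re .= preg_quote($criterion[++$i], '/'); // escaped: literal
        } elseif ($c === '*') {
            $re .= '.*';                               // zero or more characters
        } elseif ($c === '@') {
            $re .= '.';                                // any one character
        } else {
            $re .= preg_quote($c, '/');
        }
    }
    return preg_match('/^' . $re . '$/s', $field) === 1;
}

function found_count(array $rows, string $user, string $pass): int
{
    return count(array_filter($rows, fn($r) =>
        model_match($user, $r['Username']) && model_match($pass, $r['Password'])));
}

// Constructed records standing in for the WebLogin layout.
$rows = [
    ['Username' => 'alice', 'Password' => 'pa*s'],
    ['Username' => 'bob',   'Password' => 'hunter2'],
    ['Username' => 'carol', 'Password' => 'x@y'],
];
echo found_count($rows, '*', '*'), "\n";                                  // raw input
echo found_count($rows, fm_escape_find('*'), fm_escape_find('*')), "\n";  // escaped
echo found_count($rows, fm_escape_find('alice'), fm_escape_find('pa*s')), "\n";
```

In the lookup quoted above, the escaped values are what would be passed as the second argument to AddDBParam, and a login check would accept only a found count of exactly one.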





