[FX.php List] [OFF] Filemaker Web Security?
Troy Meyers
tcmeyers at troymeyers.com
Thu Sep 4 18:21:40 MDT 2008
Joel,
Regarding this one:
> 2) When using records w/ username & password fields for logins, would
> using the format:
>
> $login->AddDBParam('UserID','=="'.$_POST['user_name'].'"'); be safe
> enough to avoid these types of attacks, since FM can't process
> additional code like SQL seemingly can
>
> (e.g. the submission of: ' or 1=1 -- ) ?
... I always use:
$login->AddDBParam('UserID','=='.preg_replace('/([@*#?!=<>"])/','\\\${1}',$_POST['user_name']));
... because otherwise a wild card could be slipped in. This isn't an execution-of-code problem, but just a vulnerability to someone, mischievously or not, including a search wild card character.
It seems like the double-equal '==' and quotes in:
'=="'.$_POST['user_name'].'"'
...would prevent this, but actually it won't because if a hacker includes a " in the submitted user ID, the " ends the literal and then any subsequent wildcard works.
-Troy
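The escaping Troy describes, written out as a small helper with a side-by-side view of the quoted form from the question and the escaped form. This is an added example, not code from the original post or from FX.php; it assumes the same operator character set as Troy's regex and that the result is handed to FX.php's AddDBParam() as on the page.

```php
<?php
// Added example (not from the post or FX.php): neutralise FileMaker find
// operators in user input so an exact-match ("==") request stays literal.
// Operator set assumed from Troy's regex: @ * # ? ! = < > "

/** Prefix every FileMaker find operator with a backslash. */
function fmEscapeFindValue(string $value): string
{
    // In a single-quoted PHP string '\\\\${1}' becomes \\${1}, which
    // preg_replace reads as "a literal backslash, then capture group 1".
    return preg_replace('/([@*#?!=<>"])/', '\\\\${1}', $value);
}

/** Build an exact-match criterion with the value escaped first. */
function fmExactMatchCriterion(string $value): string
{
    return '==' . fmEscapeFindValue($value);
}

// Constructed sample inputs: a plain user name, one carrying a quote
// followed by a wildcard (the case described above), and one with '@'.
$samples = ['alice', 'alice" *', 'bob@example.com'];

foreach ($samples as $input) {
    // Quoted form from the question: a " inside the input ends the literal,
    // so anything after it is interpreted as find syntax again.
    $quoted  = '=="' . $input . '"';
    // Escaped form: every operator character is taken literally.
    $escaped = fmExactMatchCriterion($input);
    printf("input: %-18s quoted: %-22s escaped: %s\n", $input, $quoted, $escaped);
}

// With FX.php the escaped criterion is what gets passed as the field value:
// $login->AddDBParam('UserID', fmExactMatchCriterion($_POST['user_name']));
```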