[FX.php List] [OFF] Filemaker Web Security?
Joel Shapiro
jsfmp at earthlink.net
Fri Sep 5 13:18:51 MDT 2008
Whoa, thanks Troy!
I know this list has bandied about on using double-equal '==' and
quotes, a la:
'=="'.$_POST['user_name'].'"'
as safe for logins, but read Troy's last line (below). Then try
entering a valid username and then "* (double-quote asterisk) as the
password on a site where you've used that structure!
It seems using preg_replace() at LEAST to strip double-quotes is
really necessary after all!
Thanks Troy,
-Joel
On Sep 4, 2008, at 5:21 PM, Troy Meyers wrote:
> Joel,
>
> Regarding this one:
>
>> 2) When using records w/ username & password fields for logins, would
>> using the format:
>>
>> $login->AddDBParam('UserID','=="'.$_POST['user_name'].'"');
>> be safe enough to avoid these types of attacks, since FM can't process
>> additional code like SQL seemingly can
>>
>> (e.g. the submission of: ' or 1=1 -- ) ?
>
> ... I always use:
>
> $login->AddDBParam('UserID','=='.preg_replace('/([@*#?!=<>"])/','\\\${1}',$_POST['user_name']));
>
> ... because otherwise a wild card could be slipped in. This isn't
> an execution-of-code problem, but just a vulnerability to someone
> mischievously or not including a search wild card character.
>
> It seems like the double-equal '==' and quotes in:
> '=="'.$_POST['user_name'].'"'
> ...would prevent this, but actually it won't because if a hacker
> includes a " in the submitted user ID, the " ends the literal and
> then any subsequent wildcard works.
>
> -Troy
>
> _______________________________________________
> FX.php_List mailing list
> FX.php_List at mail.iviking.org
> http://www.iviking.org/mailman/listinfo/fx.php_list
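The two forms Troy compares, side by side, as an added PHP example that is not from this thread or from FX.php itself. `fm_criterion_quoted()`, `fm_escape()` and `fm_criterion_escaped()` are hypothetical helper names; the character class is Troy's, with the backslash added to it as an assumption, since `\` is FileMaker's own escape character in find requests.

```php
<?php
// Added example (not from the list post): build an exact-match criterion
// string for a FileMaker find, in the shape FX.php's AddDBParam() accepts,
// without letting the submitted value carry live find operators.

// Quoted form discussed in the thread. A '"' inside $value closes the
// literal early, so any wildcard that follows it is live again.
function fm_criterion_quoted(string $value): string
{
    return '=="' . $value . '"';
}

// Escaped form: prefix every FileMaker find operator with a backslash.
// Character class as in Troy's reply, plus '\' itself (assumption), so a
// submitted backslash cannot neutralise the escape we add.
function fm_escape(string $value): string
{
    return preg_replace('/([@*#?!=<>"\\\\])/', '\\\\${1}', $value);
}

// '==' alone asks FileMaker for a whole-field match; the escaped value
// supplies the literal text.
function fm_criterion_escaped(string $value): string
{
    return '==' . fm_escape($value);
}

// Constructed inputs: an ordinary user name, the '"*' probe from the
// thread, and a value containing the escape character itself.
$inputs = ['alice', '"*', 'a\*'];
foreach ($inputs as $in) {
    printf("%-8s quoted: %-12s escaped: %s\n",
           var_export($in, true),
           fm_criterion_quoted($in),
           fm_criterion_escaped($in));
}

// Intended use with FX.php (assumes $login is an FX object as in the thread):
// $login->AddDBParam('UserID', fm_criterion_escaped($_POST['user_name']));
```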