[FX.php List] [OFF] Filemaker Web Security?

Joel Shapiro jsfmp at earthlink.net
Fri Sep 5 17:15:36 MDT 2008


FYI-

Since I don't need to be as restrictive as Troy on what are valid  
characters, I'm only stripping out all double-quotes in the  
submission (just via str_replace), and I'm keeping the double-quotes  
on either side of the $_POST.  This way someone could create a  
password like "p at 55w0rd", and the @ would be legitimate and  
retrievable -- while submitting "* would not validate, as it does  
without the str_replace().

$login->AddDBParam('Pass', '=="' . str_replace('"', '', $_POST['password']) . '"');

(anyone please let me know if this can break)

-Joel


On Sep 5, 2008, at 12:18 PM, Joel Shapiro wrote:

> Whoa, thanks Troy!
>
> I know this list has bandied about on using double-equal '==' and  
> quotes, a la:
>  '=="'.$_POST['user_name'].'"'
> as safe for logins, but read Troy's last line (below).  Then try  
> entering a valid username and then "* (double-quote asterisk) as  
> the password on a site where you've used that structure!
>
> It seems using preg_replace() at LEAST to strip double-quotes is  
> really necessary after all!
>
> Thanks Troy,
> -Joel
>
>
> On Sep 4, 2008, at 5:21 PM, Troy Meyers wrote:
>
>> Joel,
>>
>> Regarding this one:
>>
>>> 2) When using records w/ username & password fields for logins,
>>> would using the format:
>>>
>>>     $login->AddDBParam('UserID','=="'.$_POST['user_name'].'"');
>>>
>>> be safe enough to avoid these types of attacks, since FM can't process
>>> additional code like SQL seemingly can
>>>
>>> (e.g. the submission of: ' or 1=1 -- ) ?
>>
>> ... I always use:
>>
>> $login->AddDBParam('UserID','=='.preg_replace('/([@*#?!=<>"])/','\\\${1}',$_POST['user_name']));
>>
>> ... because otherwise a wild card could be slipped in. This isn't  
>> an execution-of-code problem, but just a vulnerability to someone  
>> mischievously or not including a search wild card character.
>>
>> It seems like the double-equal '==' and quotes in:
>> '=="'.$_POST['user_name'].'"'
>> ...would prevent this, but actually it won't because if a hacker  
>> includes a " in the submitted user ID, the " ends the literal and  
>> then any subsequent wildcard works.
>>
>> -Troy
>>
>> _______________________________________________
>> FX.php_List mailing list
>> FX.php_List at mail.iviking.org
>> http://www.iviking.org/mailman/listinfo/fx.php_list
>
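The three constructions discussed in this thread, side by side, as an added example (not code posted by Joel or Troy, and not part of FX.php itself). `fmExactMatchNaive` is the `=="..."` wrapping that Troy showed to be breakable, `fmExactMatchEscaped` is Troy's backslash escaping, and `fmExactMatchQuoted` is Joel's strip-the-quotes variant. The sample submissions are constructed; the assumption behind the escaped form is that the target FileMaker version honours `\` in a find request as "escape the next character", which FileMaker lists among its Find-mode operators from version 7 on. The FX.php calls in the trailing comment are the ones the thread uses, with placeholder host, file and layout names; check the keys of the `FMFind()` result array against your FX.php version.

```php
<?php
// Added example, not code from the thread or from FX.php.
// Three ways of building an FX.php exact-match ("==") find value from user
// input, shown side by side on the thread's `"*` payload.

/**
 * The construction the thread found to be unsafe: wrapping the raw input in
 * double-quotes. A submitted `"` terminates the literal early, so whatever
 * follows it (here `*`) is parsed as a find operator again.
 */
function fmExactMatchNaive(string $value): string
{
    return '=="' . $value . '"';
}

/**
 * Troy's fix: prefix every FileMaker find-operator character with a
 * backslash and use == without surrounding quotes. Assumption: FileMaker
 * treats `\` in a find request as "escape the next character". The
 * backslash itself is added to the set so that a trailing `\` in the input
 * cannot swallow the escape we put in front of the character after it.
 */
function fmExactMatchEscaped(string $value): string
{
    // In a PHP single-quoted string, '\\\\' is two backslashes, which PCRE
    // reads as one literal backslash, both in the pattern and in the
    // replacement; ${1} is the captured operator character.
    return '==' . preg_replace('/([\\\\@*#?!=<>"])/', '\\\\${1}', $value);
}

/**
 * Joel's fix: remove every double-quote, then wrap the remainder in quotes.
 * Inside the quotes, operator characters such as @ and * are matched
 * literally, so a password like p@55w0rd still round-trips. Note that the
 * value itself is altered: an input containing `"` is no longer the string
 * the user typed.
 */
function fmExactMatchQuoted(string $value): string
{
    return '=="' . str_replace('"', '', $value) . '"';
}

// Constructed sample submissions: a legitimate password and two attempts
// to break out of the quoted literal (the second one also tries to defeat
// backslash escaping with a backslash of its own).
$samples = ['p@55w0rd', '"*', 'abc\\"*'];

foreach ($samples as $input) {
    printf("%-10s naive: %-14s escaped: %-16s quoted: %s\n",
        $input,
        fmExactMatchNaive($input),
        fmExactMatchEscaped($input),
        fmExactMatchQuoted($input));
}

// Using the escaped form in the login find the thread describes. FX,
// SetDBData, AddDBParam and FMFind are FX.php's API; the host, file and
// layout names are placeholders, so this part is left as a comment.
// $login = new FX('fm.example.invalid', 80, 'FMPro7');
// $login->SetDBData('Logins.fp7', 'web_login', 1);
// $login->AddDBParam('UserID', fmExactMatchEscaped($_POST['user_name']));
// $login->AddDBParam('Pass',   fmExactMatchEscaped($_POST['password']));
// $result   = $login->FMFind();
// $loggedIn = ($result['errorCode'] == 0 && $result['foundCount'] == 1);
```

Two things to keep in mind when choosing between the fixes. Joel's stripping changes the submitted value, so it only works if exactly the same stripping was applied when the password was stored; otherwise an account whose password contains a `"` can never log in, and `ab"c` becomes indistinguishable from `abc`. Troy's escaping leaves the value intact. Separately, FileMaker text finds are case-insensitive by default (the field's indexing language has to be set to Unicode for a case-sensitive match), so a `==` find on a password field accepts `PASSWORD` for `password` unless the field is set up that way; that is independent of the quoting problem but matters for the same login code.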


