[FX.php List] Errors searching for email addresses

Jonathan Schwartz jschwartz at exit445.com
Mon Jan 26 11:49:58 MST 2009


Talk to me about spoofing login.

If the "==" is used, how would wildcards succeed?

Thanks

J



At 11:29 AM -0600 1/26/09, Bob Patin wrote:
>This is an often-discussed topic; the other thing to consider is 
>that users can use wildcards to spoof your login system.
>
>Here's what I use in my web apps to validate username and password:
>
>$query->AddDBParam('username',"==".preg_replace('/([@*#?!=<>"])/','\\\${1}',$username));
>$query->AddDBParam('password',"==".preg_replace('/([@*#?!=<>"])/','\\\${1}',$password));
>
>I forget who originally posted this, but it's very useful...
>
>Hope this helps,
>
>Bob Patin
>Longterm Solutions LLC
>bob at longtermsolutions.com
>615-333-6858
>http://www.longtermsolutions.com
>Twitter: bobpatin
>iChat/AIM: bobpatin
>FileMaker 9 Certified Developer
>Member of FileMaker Business Alliance & TechNet
>--------------------------
>FileMaker hosting and consulting for all versions of FileMaker
>PHP * Full email services * Free DNS hosting * Colocation * Consulting
>
>
>On Jan 26, 2009, at 11:13 AM, luke at soundtoys.com wrote:
>
>>I am using fx.php to check login credentials against our FM db and 
>>the username is the customer's email address. I keep getting a 401 
>>error (no matching records) because of the @ being a special symbol 
>>in FM. How do I pass the data as an argument for AddDBParam() such 
>>that it recognizes the '@' as the actual character not the special 
>>symbol.
>>
>>Thanks in advance,
>>
>>-- 
>>
>>
>>/***************************
>>  *   Luke Awtry
>>  *   Audio Plugin Developer
>>  *   SoundToys, Inc.
>>  *   802.951.9700 x207
>>  *   luke at soundtoys.com
>>  ***************************/
>>_______________________________________________
>>FX.php_List mailing list
>>FX.php_List at mail.iviking.org
>>http://www.iviking.org/mailman/listinfo/fx.php_list
>>
>
>


-- 
Jonathan Schwartz
Exit 445 Group
jonathan at exit445.com
http://www.exit445.com
415-370-5011
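
The escaping quoted in the reply above, wrapped in a function, together with a PHP-side check of the record the find returns. This is an added example, not part of the thread and not FX.php's own code; the helper names, the sample values and the shape of the result rows (modelled on the `data` array FX.php returns, keyed by record id and modification id) are assumptions.

```php
<?php
// Added example; helper names and all sample data are constructed.

// The escaping from the reply above: a backslash goes in front of each
// character in the listed set, and "==" is prefixed.
function fm_exact_criterion(string $value): string
{
    return '==' . preg_replace('/([@*#?!=<>"])/', '\\\${1}', $value);
}

// Defence in depth after the find: accept only a single returned record
// whose stored values equal what was submitted, so a record returned by
// anything other than an exact match is still rejected.
function login_row_matches(array $rows, string $username, string $password): bool
{
    if (count($rows) !== 1) {
        return false;
    }
    $row = reset($rows);
    $storedUser = $row['username'][0] ?? null;
    $storedPass = $row['password'][0] ?? null;
    if (!is_string($storedUser) || !is_string($storedPass)) {
        return false;
    }
    // Usernames compared without regard to case, passwords byte for byte.
    $userOk = strcasecmp($storedUser, $username) === 0;
    $passOk = hash_equals($storedPass, $password);
    return $userOk && $passOk;
}

// Criteria that would be handed to AddDBParam() for three constructed inputs.
foreach (['user@example.com', '*', 'a=b?'] as $input) {
    printf("%-18s => %s\n", $input, fm_exact_criterion($input));
}

// Constructed result rows (assumed shape): each field holds an array of values.
$rows = [
    '12.3' => [
        'username' => ['user@example.com'],
        'password' => ['constructed-passw0rd'],
    ],
];
var_dump(login_row_matches($rows, 'user@example.com', 'constructed-passw0rd'));
var_dump(login_row_matches($rows, 'user@example.com', '*'));
var_dump(login_row_matches([], 'user@example.com', 'constructed-passw0rd'));
```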