Re: [openupload-devel] Escaping special password characters
From: Weir, J. <jas...@nh...> - 2009-08-19 13:28:26
I see what you're saying about addslashes, at least that's what my 2002 PHP book says.. Not sure why it works - but addcslashes did not work and eventually locked my account out in AD...

-J

-----Original Message-----
From: Alessandro Briosi [mailto:ts...@br...]
Sent: Wednesday, August 19, 2009 9:12 AM
To: ope...@li...
Subject: Re: [openupload-devel] Escaping special password characters

actually the addslashes does not take the detail on what to escape... don't you get a warning?
Oh, well I suppose I need first to implement it and then comment on it :)

Alessandro

Alessandro Briosi wrote:
> nope, but I'll let you know when I come to the point :)
>
> Alessandro
>
> Weir, Jason wrote:
>> Yup - have you tried addcslashes? It errored on me, I had to use
>> addslashes...
>>
>> -J
>>
>> -----Original Message-----
>> From: Alessandro Briosi [mailto:ts...@br...]
>> Sent: Wednesday, August 19, 2009 8:39 AM
>> To: OpenUpload Delvel and General talk
>> Subject: Re: [openupload-devel] Escaping special password characters
>>
>> I have found this which can be of help, there is no ldap_escape function,
>> so your solution seems correct, the only thing is that also the username
>> needs to be escaped.
>>
>> /* Escape any characters with a special meaning in LDAP. The following
>>  * characters have a special meaning (according to RFC 2253):
>>  * ',', '+', '"', '\', '<', '>', ';', '*'
>>  * These characters are escaped by prefixing them with '\'.
>>  */
>> $username = addcslashes($username, ',+"\\<>;*');
>> $password = addcslashes($password, ',+"\\<>;*');
>>
>> but yours seems more complete.
>> Alessandro
>>
>> Weir, Jason wrote:
>>> Sounds like you are on top of it...
>>>
>>> Thanks!
>>> -J
>>>
>>> -----Original Message-----
>>> From: Alessandro Briosi [mailto:ts...@br...]
>>> Sent: Wednesday, August 19, 2009 8:09 AM
>>> To: ope...@li...; ab...@me...
>>> Subject: Re: [openupload-devel] Escaping special password characters
>>>
>>> well I use the provided _escape functions from php, which should
>>> avoid injection, of course this does not apply to LDAP/AD, though
>>> they are not SQL, but I have no idea on what could be done with
>>> authentication and queries on LDAP.
>>>
>>> Alessandro
>>>
>>> Weir, Jason wrote:
>>>> Aside from the password issue this presents SQL injection problems,
>>>> all user entered data needs to be filtered in some way...
>>>>
>>>> Here is a more complete list
>>>>
>>>> $password = addslashes($password, '\;%_:$&?-+=*[]()¡"\"´`');
>>>>
>>>> -Jason
>>>>
>>>> -----Original Message-----
>>>> From: Alessandro Briosi [mailto:ts...@br...]
>>>> Sent: Tuesday, August 18, 2009 5:30 PM
>>>> To: OpenUpload Delvel and General talk
>>>> Subject: Re: [openupload-devel] Escaping special password characters
>>>>
>>>> I think I should find a more general version, 'cause maybe we miss
>>>> some...
>>>>
>>>> Thanks,
>>>> Alessandro
>>>>
>>>> Weir, Jason wrote:
>>>>> I added the following line to ldap.inc.php right after line 42 in
>>>>> the authenticate function
>>>>>
>>>>> $password = addslashes($password, '!\',+"\\<>;*');
>>>>>
>>>>> It fixed my problem - hope it helps someone else.
>>>>>
>>>>> -Jason

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Openupload-devel mailing list
Ope...@li...
https://lists.sourceforge.net/lists/listinfo/openupload-devel
_____________________________________________________________________________________________
Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.
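The thread leaves open which characters need escaping and in which context. As an added example, written for this page and not OpenUpload's ldap.inc.php or code from the thread, here is a PHP escaper for the two places a user-supplied name can land during LDAP/AD authentication: a DN handed to ldap_bind(), governed by RFC 4514, and a search filter, governed by RFC 4515. Filters use \XX hex escapes while DN values use a backslash prefix, so the two contexts get separate functions. The password is passed through untouched, since ldap_bind() sends it byte-for-byte as the bind credential. PHP 5.6 and later ship ldap_escape() with the LDAP_ESCAPE_DN and LDAP_ESCAPE_FILTER flags (and addslashes() takes a single argument, so it cannot be given a character list); the functions below are a pure-PHP equivalent that runs without ext/ldap. The sAMAccountName attribute, the CN= RDN, the base DN, the service-account lookup in authenticate_user() and all function names are assumptions made for the example, and the self-check inputs are constructed.

```php
<?php
// Added example for the thread above; not OpenUpload's ldap.inc.php.
// One escaper per context a user-supplied name can land in:
//   - a DN handed to ldap_bind()  -> RFC 4514 (backslash prefix)
//   - a search filter             -> RFC 4515 (\XX hex escapes)
// The password is passed through untouched: ldap_bind() sends it
// byte-for-byte as the bind credential, so nothing in it needs escaping.
// PHP >= 5.6 ships ldap_escape() with LDAP_ESCAPE_DN / LDAP_ESCAPE_FILTER;
// the functions below are a pure-PHP equivalent that runs without ext/ldap.

/** RFC 4515 section 3: '*', '(', ')', '\' and NUL become \XX hex escapes. */
function ldap_escape_filter_value(string $value): string
{
    // strtr() with an array makes one pass, so the '\' -> '\5c' replacement
    // is never re-escaped by the later substitutions.
    return strtr($value, [
        '\\' => '\\5c', '*' => '\\2a', '(' => '\\28', ')' => '\\29', "\0" => '\\00',
    ]);
}

/** RFC 4514 section 2.4: escape the DN specials, a leading ' ' or '#', and a trailing ' '. */
function ldap_escape_dn_value(string $value): string
{
    $out = strtr($value, [
        '\\' => '\\\\', '"' => '\\"', '+' => '\\+', ',' => '\\,',
        ';' => '\\;', '<' => '\\<', '>' => '\\>', "\0" => '\\00',
    ]);
    if ($out !== '' && substr($out, -1) === ' ') {             // trailing space
        $out = substr($out, 0, -1) . '\\ ';
    }
    if ($out !== '' && ($out[0] === ' ' || $out[0] === '#')) { // leading space or '#'
        $out = '\\' . $out;
    }
    return $out;
}

/** Lookup filter; sAMAccountName and objectClass=user are assumed (AD-style schema). */
function build_user_filter(string $username): string
{
    return '(&(objectClass=user)(sAMAccountName=' . ldap_escape_filter_value($username) . '))';
}

/** Bind DN for directories where the user's RDN is known up front (CN= is assumed). */
function build_user_dn(string $username, string $baseDn): string
{
    return 'CN=' . ldap_escape_dn_value($username) . ',' . $baseDn;
}

/**
 * Lookup-then-bind authentication against a live directory. Needs ext/ldap
 * and a reachable server, so the self-check below does not call it. The
 * service account ($svcDn/$svcPw) used for the lookup is an assumed setup.
 */
function authenticate_user(string $uri, string $baseDn, string $svcDn, string $svcPw,
                           string $username, string $password): bool
{
    if ($password === '') {   // an empty credential is an unauthenticated bind, not a login
        return false;
    }
    $ld = ldap_connect($uri);
    ldap_set_option($ld, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ld, LDAP_OPT_REFERRALS, 0);
    if (!@ldap_bind($ld, $svcDn, $svcPw)) {
        return false;
    }
    $res = ldap_search($ld, $baseDn, build_user_filter($username), ['dn']);
    $entries = $res ? ldap_get_entries($ld, $res) : false;
    if (!$entries || $entries['count'] !== 1) {  // unknown user, or a filter that matched several
        return false;
    }
    // Only the DN came from (escaped) user input; the password goes through as-is.
    return @ldap_bind($ld, $entries[0]['dn'], $password);
}

/** Self-check on constructed inputs; returns the cases that came out wrong. */
function self_check(): array
{
    $cases = [
        [build_user_filter('j.weir'),           '(&(objectClass=user)(sAMAccountName=j.weir))'],
        // '*' alone would match every account; escaped, it matches a literal asterisk
        [build_user_filter('*'),                '(&(objectClass=user)(sAMAccountName=\\2a))'],
        // closing the clause early and opening a new one is the classic filter injection
        [build_user_filter('x)(objectClass=*'), '(&(objectClass=user)(sAMAccountName=x\\29\\28objectClass=\\2a))'],
        [build_user_dn('Weir, Jason', 'OU=Users,DC=example,DC=com'),
                                                'CN=Weir\\, Jason,OU=Users,DC=example,DC=com'],
        [ldap_escape_dn_value(' #lead+trail '), '\\ #lead\\+trail\\ '],
        [ldap_escape_dn_value('a\\b"c'),        'a\\\\b\\"c'],
    ];
    $bad = [];
    foreach ($cases as [$got, $want]) {
        if ($got !== $want) {
            $bad[] = "got $got, want $want";
        }
    }
    return $bad;
}

if (PHP_SAPI === 'cli') {
    $bad = self_check();
    echo $bad ? implode("\n", $bad) . "\n" : "all escaping cases ok\n";
    exit($bad ? 1 : 0);
}
```

Run it with `php ldap_escape_example.php` (any filename works); it prints the self-check result and exits non-zero on a mismatch. Two design points worth noting: the filter escaper hex-encodes rather than backslash-prefixing because RFC 4515 does not recognise a bare `\,` or `\*` in a filter, and authenticate_user() refuses an empty password before touching the network, because a simple bind with a DN and an empty credential is an unauthenticated bind that many directories accept.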