Thread: [openupload-devel] Escaping special password characters
Status: Beta
Brought to you by:
tsdogs
|
From: Weir, J. <jas...@nh...> - 2009-08-18 19:54:47
|
I added the following line to ldap.inc.php right after line 42 in the authenticate function:

$password = addslashes($password, '!\',+"\\<>;*');

It fixed my problem - hope it helps someone else.

-Jason

Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.
|
From: Alessandro B. <ts...@br...> - 2009-08-18 21:30:17
|
I think I should find a more general version, 'cause maybe we miss some...

Thanks,
Alessandro

Openupload-devel mailing list
https://lists.sourceforge.net/lists/listinfo/openupload-devel
|
From: Weir, J. <jas...@nh...> - 2009-08-19 11:43:24
|
Aside from the password issue, this presents SQL injection problems; all user-entered data needs to be filtered in some way...

Here is a more complete list:

$password = addslashes($password, '\;%_:$&?-+=*[]()¡"\"´`');

-Jason
|
From: Alessandro B. <ts...@br...> - 2009-08-19 12:09:37
|
Well, I use the provided _escape functions from PHP, which should avoid injection. Of course this does not apply to LDAP/AD, though, as they are not SQL, and I have no idea what could be done with authentication and queries on LDAP.

Alessandro
|
From: Weir, J. <jas...@nh...> - 2009-08-19 12:11:27
|
Sounds like you are on top of it...

Thanks!
-J
|
From: Alessandro B. <ts...@br...> - 2009-08-19 12:39:17
|
I have found this, which can be of help. There is no ldap_escape function, so your solution seems correct; the only thing is that the username also needs to be escaped.

/* Escape any characters with a special meaning in LDAP. The following
 * characters have a special meaning (according to RFC 2253):
 * ',', '+', '"', '\', '<', '>', ';', '*'
 * These characters are escaped by prefixing them with '\'.
 */
$username = addcslashes($username, ',+"\\<>;*');
$password = addcslashes($password, ',+"\\<>;*');

But yours seems more complete.
Alessandro
|
From: Weir, J. <jas...@nh...> - 2009-08-19 12:56:54
|
Yup - have you tried addcslashes? It errored on me; I had to use addslashes...

-J
|
From: Alessandro B. <ts...@br...> - 2009-08-19 13:08:45
|
Nope, but I'll let you know when I come to the point :)

Alessandro
|
From: Alessandro B. <ts...@br...> - 2009-08-19 13:12:25
|
Actually, addslashes does not take the detail on what to escape... don't you get a warning? Oh well, I suppose I need to implement it first and then comment on it :)

Alessandro
|
From: Weir, J. <jas...@nh...> - 2009-08-19 13:28:26
|
I see what you're saying about addslashes, at least that's what my 2002 PHP book says... Not sure why it works - but addcslashes did not work and eventually locked my account out in AD...

-J

-----Original Message-----
From: Alessandro Briosi [mailto:ts...@br...]
Sent: Wednesday, August 19, 2009 9:12 AM
To: ope...@li...
Subject: Re: [openupload-devel] Escaping special password characters

actually the addslashes does not take the detail on what to escape... don't u get a warning?
Oh, well I suppose I need first to implement it and then comment on it :)

Alessandro

Alessandro Briosi ha scritto:
> nope, but I'll let u know when I come to the point :)
>
> Alessandro
>
> Weir, Jason ha scritto:
>> Yup - have you tried addcslashes? It errored on me, I had to use
>> addslashes...
>>
>> -J
>>
>> -----Original Message-----
>> From: Alessandro Briosi [mailto:ts...@br...]
>> Sent: Wednesday, August 19, 2009 8:39 AM
>> To: OpenUpload Delvel and General talk
>> Subject: Re: [openupload-devel] Escaping special password characters
>>
>> I have found this which can be of help, there is no ldap_escape function
>> so your solution seems correct, the only thing is that also the username
>> needs to be escaped.
>>
>> /* Escape any characters with a special meaning in LDAP. The following
>>  * characters have a special meaning (according to RFC 2253):
>>  * ',', '+', '"', '\', '<', '>', ';', '*'
>>  * These characters are escaped by prefixing them with '\'.
>>  */
>> $username = addcslashes($username, ',+"\\<>;*');
>> $password = addcslashes($password, ',+"\\<>;*');
>>
>> but yours seems more complete.
>> Alessandro
>>
>> Weir, Jason ha scritto:
>>> Sounds like you are on top of it...
>>>
>>> Thanks!
>>> -J
>>>
>>> -----Original Message-----
>>> From: Alessandro Briosi [mailto:ts...@br...]
>>> Sent: Wednesday, August 19, 2009 8:09 AM
>>> To: ope...@li...; ab...@me...
>>> Subject: Re: [openupload-devel] Escaping special password characters
>>>
>>> well I use the provided _escape functions from php, which should
>>> avoid injection, of course this does not apply to LDAP/AD, though
>>> they are not SQL, but have no idea on what could be done with
>>> authentication and queries on LDAP.
>>>
>>> Alessandro
>>>
>>> Weir, Jason ha scritto:
>>>> Aside from the password issue this presents sql injection problems,
>>>> all user entered data needs to be filtered in some way...
>>>>
>>>> Here is a more complete list
>>>>
>>>> $password = addslashes($password, '\;%_:$&?-+=*[]()¡"\"´`');
>>>>
>>>> -Jason
>>>>
>>>> -----Original Message-----
>>>> From: Alessandro Briosi [mailto:ts...@br...]
>>>> Sent: Tuesday, August 18, 2009 5:30 PM
>>>> To: OpenUpload Delvel and General talk
>>>> Subject: Re: [openupload-devel] Escaping special password characters
>>>>
>>>> I think I should find a more general version, 'cause maybe we miss
>>>> some...
>>>>
>>>> Thanks,
>>>> Alessandro
>>>>
>>>> Weir, Jason ha scritto:
>>>>> I added the following line to ldap.inc.php right after line 42 in
>>>>> the authenticate function
>>>>>
>>>>> $password = addslashes($password, '!\',+"\\<>;*');
>>>>>
>>>>> It fixed my problem - hope it helps someone else.
>>>>>
>>>>> -Jason |
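The escaping the thread converges on, backslash-prefixing the RFC 2253 set with addcslashes(), is the rule for an attribute value inside a DN. A value that lands inside a search filter follows a different rule (RFC 4515: `*`, `(`, `)`, `\` and NUL become `\` plus two hex digits), and the password of a simple bind is an opaque octet string in the BindRequest that the server never parses, so it is handed to ldap_bind() as typed. The block below is an added example written for this thread; it is not OpenUpload's ldap.inc.php and not code posted by either participant. The helper names, the sample username and password, and the attribute names used in the filter and DN (sAMAccountName, CN, the base DN) are my own assumptions for illustration. It needs no ext/ldap to run.

```php
<?php
// Added example, not OpenUpload code. Context-specific escaping of user input
// that ends up inside LDAP syntax, in plain PHP. Helper names are mine.

// RFC 4515 filter rule: * ( ) \ and NUL are written as backslash + two hex
// digits. addcslashes() cannot produce this form; it only prefixes a backslash.
function escapeLdapFilterValue(string $value): string
{
    // strtr() with an array scans the input once, so the backslashes it
    // inserts are not themselves re-escaped.
    return strtr($value, [
        '\\' => '\\5c',
        '*'  => '\\2a',
        '('  => '\\28',
        ')'  => '\\29',
        "\0" => '\\00',
    ]);
}

// RFC 4514 (obsoletes RFC 2253) DN rule: , + " \ < > ; get a backslash prefix
// anywhere in the value; '#' or a space at the start and a space at the end
// must be escaped as well. This is the addcslashes() line from the thread plus
// the leading/trailing edge cases it misses.
function escapeLdapDnValue(string $value): string
{
    $escaped  = addcslashes($value, ',+"\\<>;');
    $leading  = $value !== '' && ($value[0] === '#' || $value[0] === ' ');
    $trailing = strlen($value) > 1 && substr($value, -1) === ' ';
    if ($leading) {
        $escaped = '\\' . $escaped;
    }
    if ($trailing) {
        $escaped = substr($escaped, 0, -1) . '\\ ';
    }
    return $escaped;
}

// The username is the only part of the credentials that is embedded in LDAP
// syntax; the attribute names here are assumed for the example.
function buildAuthFilter(string $username): string
{
    return '(&(objectClass=user)(sAMAccountName=' . escapeLdapFilterValue($username) . '))';
}

function buildUserDn(string $username, string $baseDn): string
{
    return 'CN=' . escapeLdapDnValue($username) . ',' . $baseDn;
}

// Constructed sample inputs carrying filter and DN metacharacters.
$username = 'smith, j*)(uid=*';
$password = 'p!a,s+s"w\\ord<>;*';   // the literal value is p!a,s+s"w\ord<>;*

echo buildAuthFilter($username), "\n";
// (&(objectClass=user)(sAMAccountName=smith, j\2a\29\28uid=\2a))
echo buildUserDn($username, 'OU=Staff,DC=example,DC=org'), "\n";
// CN=smith\, j*)(uid=*,OU=Staff,DC=example,DC=org

// Why the two PHP functions behave differently: addslashes() takes a single
// argument and escapes only ' " \ and NUL, so the charlist in the thread is
// ignored (or, on PHP 8, rejected) and most of the discussed characters pass
// through. addcslashes() does honour a charlist.
echo addslashes($password), "\n";                 // p!a,s+s\"w\\ord<>;*
echo addcslashes($password, ',+"\\<>;*'), "\n";   // p!a\,s\+s\"w\\ord\<\>\;\*

// The bind password itself is sent unmodified:
//   ldap_bind($conn, buildUserDn($username, $baseDn), $password);
// Since PHP 5.6 the built-in ldap_escape() covers both rules with \XX escapes:
//   ldap_escape($username, '', LDAP_ESCAPE_FILTER)
//   ldap_escape($username, '', LDAP_ESCAPE_DN)
```

The practical consequence for the login path: escape the username once for the filter that looks the account up and once for the DN it is bound as, never mix the two forms, and leave the password alone, since altering it changes the credential that is verified.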
|
From: Alessandro B. <ts...@br...> - 2009-08-19 12:45:54
|
I added a bug so it does not get forgotten.

Alessandro

Weir, Jason ha scritto:
> Sounds like you are on top of it...
>
> Thanks!
> -J
>
> -----Original Message-----
> From: Alessandro Briosi [mailto:ts...@br...]
> Sent: Wednesday, August 19, 2009 8:09 AM
> To: ope...@li...; ab...@me...
> Subject: Re: [openupload-devel] Escaping special password characters
>
> well I use the provided _escape functions from php, which should avoid
> injection, of course this does not apply to LDAP/AD, though they are not
> SQL, but have no idea on what could be done with authentication and
> queries on LDAP.
>
> Alessandro
>
> Weir, Jason ha scritto:
>> Aside from the password issue this presents sql injection problems,
>> all user entered data needs to be filtered in some way...
>>
>> Here is a more complete list
>>
>> $password = addslashes($password, '\;%_:$&?-+=*[]()¡"\"´`');
>>
>> -Jason
>>
>> -----Original Message-----
>> From: Alessandro Briosi [mailto:ts...@br...]
>> Sent: Tuesday, August 18, 2009 5:30 PM
>> To: OpenUpload Delvel and General talk
>> Subject: Re: [openupload-devel] Escaping special password characters
>>
>> I think I should find a more general version, 'cause maybe we miss
>> some...
>>
>> Thanks,
>> Alessandro
>>
>> Weir, Jason ha scritto:
>>> I added the following line to ldap.inc.php right after line 42 in the
>>> authenticate function
>>>
>>> $password = addslashes($password, '!\',+"\\<>;*');
>>>
>>> It fixed my problem - hope it helps someone else.
>>>
>>> -Jason |