[Propel Login] Login with * or % #1688

Closed
stood opened this Issue Nov 28, 2014 · 3 comments

stood commented Nov 28, 2014

When I log in with * and my password, I am identified.

For example:
My username is "myusername" and my password is "mypwd".

If I fill in the login fields with username "myuserna*" and password "mypwd", I am identified.

The SQL generated:

    Criteria: SQL (may not be complete): SELECT FROM fos_user WHERE fos_user.username_canonical LIKE :p1
    Params: fos_user.username_canonical => 'myuserna%'

stood commented Nov 28, 2014

With Propel:

    $query->filterByUsername('fooValue');   // WHERE username = 'fooValue'
    $query->filterByUsername('%fooValue%'); // WHERE username LIKE '%fooValue%'

The solution will be to use

    filterByUsername($username, \Criteria::EQUAL)
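
The behaviour described in the comment above, modelled as an added example that is not part of the original thread and is not Propel or FOSUserBundle code. `inferComparison()` and `findUser()` are hypothetical stand-ins for the generated filter method, run against a constructed in-memory SQLite table (assumes the `pdo_sqlite` extension is available):

```php
<?php
// Simplified model of the implicit operator choice discussed above.
// inferComparison() and findUser() are hypothetical; the data is constructed.

function inferComparison(string $value, ?string $comparison = null): array
{
    if ($comparison === null) {
        if (preg_match('/[%*]/', $value)) {
            // No operator given: a wildcard in the value silently selects LIKE.
            return ['LIKE', str_replace('*', '%', $value)];
        }
        $comparison = '=';
    }
    if (!in_array($comparison, ['=', 'LIKE'], true)) {
        throw new InvalidArgumentException('unsupported comparison');
    }
    return [$comparison, $value];
}

function findUser(PDO $db, string $username, ?string $comparison = null): ?string
{
    [$op, $value] = inferComparison($username, $comparison);
    // $op is one of two fixed strings; the user-supplied value is always bound.
    $stmt = $db->prepare("SELECT username FROM fos_user WHERE username_canonical $op :p1");
    $stmt->execute([':p1' => $value]);
    $found = $stmt->fetchColumn();
    return $found === false ? null : $found;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE fos_user (username TEXT, username_canonical TEXT)');
$db->exec("INSERT INTO fos_user VALUES ('myusername', 'myusername')");

// Inputs taken from the report: the exact name, and the two wildcard spellings.
foreach (['myusername', 'myuserna*', 'myuserna%'] as $input) {
    $implicit = findUser($db, $input) ?? 'no match';
    $explicit = findUser($db, $input, '=') ?? 'no match';   // operator pinned by the caller
    printf("%-11s implicit: %-11s explicit '=': %s\n", $input, $implicit, $explicit);
}
```

With the operator left implicit, both wildcard inputs resolve to `myusername`; with `=` pinned by the caller, only the exact name does.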

JHGitty commented May 3, 2015

This sounds like a security issue.

Member

stof commented May 4, 2015

@stood can you send a PR (to the 1.3.x branch)? I'm not using Propel myself. The implementation was contributed by the community.
