auth_custom not working in 8.6.3


beaniite
I have many sites using 8.5 and auth_custom for authentication and they have been working for years.

Now I have a new machine and Lasso 8.6.3 and auth_custom is not working.

What is up?

Has something changed?

Here is the code that works on 8.5 but not on 8.6.3

define_tag('MACrenewal2015_check',-required='username',-required='realm');
        local('l_sql' = '
        SELECT email, customer_id
        FROM customers
        WHERE email = "'+#username+'"
        ');
        inline(-database='database',-sql=#l_sql,-maxrecords='all');
                if: found_count == 1;
                        return(column('customer_id'));
                /if;
        /inline;
        return(NULL);
/define_tag;

auth_custom(-authtag='MACrenewal2015_check',-realm='MAC 2015 Renewal');

Gordon


---------------------------------

Gordon Nord
Nord Consultants
20933 Killawog Terrace
Ashburn VA 20147-7148 USA
01 703 403 2776
[hidden email]

---------------------------------


#############################################################
Attend the Lasso Developer Conference 2014!
October 1-3, 2014 at Treefrog HQ, Newmarket, Ontario, Canada
http://www.lassosoft.com/LDC-newmarket-2014

#############################################################

This message is sent to you because you are subscribed to
  the mailing list Lasso [hidden email]
Official list archives available at http://www.lassotalk.com
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>

Re: auth_custom not working in 8.6.3

stevepiercy
(1)  I never use this tag, but based on the documentation, this should work:

    auth_custom('u','p','r');
    'hello';

However when I enter "u" and "p" for the username and password, authentication fails.

I'd suggest that you file a bug for 8.6.
http://www.lassosoft.com/rhinotrac

Looks like it's not just 8.6 either.
http://www.lassosoft.com/rhinotrac?id=7425

(2)  You have an SQL injection vulnerability in your code.

    WHERE email = "'+#username+'"
   
s/b

    WHERE email = "'+encode_sql(#username)+'"

--steve


On 10/6/14 at 8:40 PM, [hidden email] (Gordon Nord) pronounced:

> I have many sites using 8.5 and auth_custom for authentication and they have been
> working for years.
>
> Now I have a new machine and Lasso 8.6.3 and auth_custom is not working.
>
> What is up?
>
> Has something changed?
>
> Here is the code that works on 8.5 but not on 8.6.3
>
> define_tag('MACrenewal2015_check',-required='username',-required='realm');
>   local('l_sql' = '
>   SELECT email, customer_id
>   FROM customers
>   WHERE email = "'+#username+'"
>   ');
>   inline(-database='database',-sql=#l_sql,-maxrecords='all');
>       if: found_count == 1;
>           return(column('customer_id'));
>       /if;
>   /inline;
>   return(NULL);
> /define_tag;
>
> auth_custom(-authtag='MACrenewal2015_check',-realm='MAC 2015 Renewal');
>
> Gordon
>
>
> ---------------------------------
>
> Gordon Nord
> Nord Consultants
> 20933 Killawog Terrace
> Ashburn VA 20147-7148 USA
> 01 703 403 2776
> [hidden email]
>
> ---------------------------------

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy              Website Builder              Soquel, CA
<[hidden email]>               <http://www.StevePiercy.com/>
