Create yourself an SQL function that does that :-)
Sincerely, Maxim Maletsky Founder, Chief Developer www.PHPBeginner.com // where PHP Begins > -----Original Message----- > From: Joshua b. Jore [mailto:[EMAIL PROTECTED]] > Sent: Thursday, April 25, 2002 10:26 PM > Cc: [EMAIL PROTECTED] > Subject: RE: [PHP] PHP Security Leak > > This brings up another issue, how the heck do you get data binding? For > the life of me I don't see where the _query functions support SQL like: > > "SELECT AuthenticateUser(?,?)" where then the first param might be a > usernamd and the second would be a password. The idea is that without this > sort of thing you are vunerable to SQL insertion attacks. > > Joshua b. Jore > http://www.greentechnologist.org > > On Thu, 25 Apr 2002, Maxim Maletsky (PHPBeginner.com) wrote: > > > > -----Original Message----- > > > From: Liam Gibbs [mailto:[EMAIL PROTECTED]] > > > Sent: Thursday, April 25, 2002 8:20 PM > > > To: [EMAIL PROTECTED] > > > Subject: [PHP] PHP Security Leak > > > > > > I'm wondering if anyone has any ideas on how to make a > > > login site more secure. Since I'm not really sure if > > > I've explained myself well enough and don't really > > > know how else to say it, I'll just give examples and > > > then you guys can follow suit and mention some > > > oversights: > > > > > > I have a regular logon: username and password. What it > > > does is, when the user types in a name and pword, it > > > forwards to another PHP page (a 'middleman' page that > > > is there just to compare usernames and pwords), > > > validates by checking the SQL database, then header > > > forwards to the login page. A cookie is created, and > > > voila, you're allowed into what we'll call the > > > 'account pages'. Now, here's my 'security' (notice the > > > quotes): > > > 1. You can't log in when the URL includes a username > > > and/or a password (so that no one can make direct > > > links). > > > 2. Same with an account page: you're redirected to the > > > login page if you include a username and pword when > > > linking to an account page. > > > 3. The 'middleman' page also has this protection: you > > > cna't directly link to it with a username and pword in > > > the URL. Basically, users can't get into anything when > > > they include a username and pword in the URL. > > > 4. Obviously, you don't get access if your username > > > and password don't match anything in the database > > > (thought I'd mention it even though it goes without > > > saying). > > > 5. You can't login from a page that isn't on the > > > server. > > > > > > Is there any validation or security holes that I'm > > > overlooking? > > > > > > > > > > at least this two: > > > > 1. Use SSL > > 2. Store passwords MD5 encrypted in the DB > > > > > > > > Sincerely, > > > > Maxim Maletsky > > Founder, Chief Developer > > > > www.PHPBeginner.com // where PHP Begins > > > > > > > > > > > > __________________________________________________ > > > Do You Yahoo!? > > > Yahoo! Games - play chess, backgammon, pool and more > > > http://games.yahoo.com/ > > > > > > -- > > > PHP General Mailing List (http://www.php.net/) > > > To unsubscribe, visit: http://www.php.net/unsub.php > > > > > > > > -- > > PHP General Mailing List (http://www.php.net/) > > To unsubscribe, visit: http://www.php.net/unsub.php > > > > > > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
