Create yourself an SQL function that does that :-)


Sincerely,

Maxim Maletsky
Founder, Chief Developer

www.PHPBeginner.com   // where PHP Begins
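
As an added illustration (not code from the thread), the parameter binding Joshua asks about, written in PHP with PDO prepared statements; it assumes the pdo_sqlite extension is available and does the credential check in PHP rather than in a stored SQL function, with the table and the sample user constructed for the demo.

```php
<?php
// Added example: login check with PDO prepared statements, so the username
// and password travel to the database as bound data rather than being
// spliced into the SQL text. Uses an in-memory SQLite database (assumes the
// pdo_sqlite extension) so it runs stand-alone; the user row is constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');

// Store only a salted hash of the password, never the password itself.
$ins = $pdo->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)');
$ins->execute(["o'brien", password_hash('correct horse', PASSWORD_DEFAULT)]);

// UNSAFE: the statement text is assembled from user input. A username that
// contains a quote changes the structure of the SQL instead of being data.
function unsafeLoginSql(string $user): string
{
    return "SELECT pw_hash FROM users WHERE username = '$user'";
}

// SAFE: the SQL text is fixed; the driver sends the value separately, so a
// quote in the username is just a character in the value being compared.
function authenticateUser(PDO $pdo, string $user, string $password): bool
{
    $stmt = $pdo->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;            // unknown user
    }
    return password_verify($password, $row['pw_hash']);
}

// Demonstration with a username that contains a single quote: the unsafe
// builder yields malformed SQL, while the bound query handles it correctly.
echo "Unsafe query text: ", unsafeLoginSql("o'brien"), "\n";
var_dump(authenticateUser($pdo, "o'brien", 'correct horse'));
var_dump(authenticateUser($pdo, "o'brien", 'wrong'));
var_dump(authenticateUser($pdo, 'nobody', 'correct horse'));
```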



> -----Original Message-----
> From: Joshua b. Jore [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, April 25, 2002 10:26 PM
> Cc: [EMAIL PROTECTED]
> Subject: RE: [PHP] PHP Security Leak
> 
> This brings up another issue, how the heck do you get data binding? For
> the life of me I don't see where the _query functions support SQL like:
> 
> "SELECT AuthenticateUser(?,?)" where then the first param might be a
> username and the second would be a password. The idea is that without this
> sort of thing you are vulnerable to SQL insertion attacks.
> 
> Joshua b. Jore
> http://www.greentechnologist.org
> 
> On Thu, 25 Apr 2002, Maxim Maletsky (PHPBeginner.com) wrote:
> 
> > > -----Original Message-----
> > > From: Liam Gibbs [mailto:[EMAIL PROTECTED]]
> > > Sent: Thursday, April 25, 2002 8:20 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: [PHP] PHP Security Leak
> > >
> > > I'm wondering if anyone has any ideas on how to make a
> > > login site more secure. Since I'm not really sure if
> > > I've explained myself well enough and don't really
> > > know how else to say it, I'll just give examples and
> > > then you guys can follow suit and mention some
> > > oversights:
> > >
> > > I have a regular logon: username and password. What it
> > > does is, when the user types in a name and pword, it
> > > forwards to another PHP page (a 'middleman' page that
> > > is there just to compare usernames and pwords),
> > > validates by checking the SQL database, then header
> > > forwards to the login page. A cookie is created, and
> > > voila, you're allowed into what we'll call the
> > > 'account pages'. Now, here's my 'security' (notice the
> > > quotes):
> > > 1. You can't log in when the URL includes a username
> > > and/or a password (so that no one can make direct
> > > links).
> > > 2. Same with an account page: you're redirected to the
> > > login page if you include a username and pword when
> > > linking to an account page.
> > > 3. The 'middleman' page also has this protection: you
> > > can't directly link to it with a username and pword in
> > > the URL. Basically, users can't get into anything when
> > > they include a username and pword in the URL.
> > > 4. Obviously, you don't get access if your username
> > > and password don't match anything in the database
> > > (thought I'd mention it even though it goes without
> > > saying).
> > > 5. You can't login from a page that isn't on the
> > > server.
> > >
> > > Is there any validation or security holes that I'm
> > > overlooking?
> > >
> > >
> >
> > at least these two:
> >
> > 1. Use SSL
> > 2. Store passwords MD5 encrypted in the DB
> >
> >
> >
> > Sincerely,
> >
> > Maxim Maletsky
> > Founder, Chief Developer
> >
> > www.PHPBeginner.com   // where PHP Begins
> >
> >
> >
> > >
> > >
> > > --
> > > PHP General Mailing List (http://www.php.net/)
> > > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
> >
> >
> >
> 
> 



