<li><em>date</em>: Wed Mar 17 23:05:40 2004</li>
<li><em>from</em>: oloryn at benshome.net (Ben Coleman)</li>
<li><em>in-reply-to</em>: <<a href="msg00599.html">[email protected]</a>></li>
<li><em>references</em>: <<a href="msg00597.html">[email protected]</a>> <<a href="msg00599.html">[email protected]</a>></li>
<li><em>subject</em>: [ale] User authentication in web app</li>
George Carless wrote:
| I don't understand.. why return/handle rows that are of no interest to
| you, instead of checking the password within the query?
Suppose two or more users have the same password? You'll get multiple
rows back from your select, and you'll have to check each of them to see
if they match the user's username. You do want to make sure the
password entered matches the username entered, don't you?
If you're only checking that the password exists within the database,
you've made the job of someone trying to break into your system a lot
easier. Instead of having to guess at the password for a particular
user, he only has to guess at a password that any one of your users
might be using. You *will* have users that choose weak passwords, and
if you're not checking the username, the erstwhile cracker doesn't need
to match the password to the user using it. For that matter, he doesn't
even need to come up with a valid username. Just guess at typical weak
passwords and if any of your users have used one, he's in.
Ben
-- 
Ben Coleman oloryn at benshome.net | The attempt to legislatively
<a rel="nofollow" href="http://oloryn.home.mindspring.com/">http://oloryn.home.mindspring.com/</a> | micromanage equality results, at
Amateur Radio NJ8J | best, in equal misery for all.
</pre>
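The two query shapes under discussion, as an added example that is not part of the original message or of any code posted in the thread: a password-only lookup beside the username-and-password lookup, run against a constructed in-memory SQLite table and a constructed list of common guesses. Passwords are stored in the clear only so the queries match the ones the thread talks about; a real application stores a salted hash per account and compares against that.

```python
"""Why the password must be checked against the username, shown with an
in-memory SQLite table.

Added example for this thread, not code from the original message.  The
accounts and the list of common guesses are constructed.  Passwords are
stored in the clear only to mirror the query under discussion; a real
application stores a salted hash per account and compares against that.
"""
import sqlite3

# Constructed sample accounts.  Two of them chose the same weak password,
# which is the case the message raises first.
USERS = [
    ("alice", "Tq7!vRz2#pLm"),
    ("bob", "9x$Wk3mZ!uHe"),
    ("carol", "password1"),
    ("dave", "password1"),
]

# Constructed stand-in for the "typical weak passwords" an attacker tries.
COMMON_GUESSES = ["123456", "password", "qwerty", "password1", "letmein"]


def build_db():
    """Create and populate the sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def matches_for_password(conn, password):
    """Password-only lookup: every account that uses this password.  The
    query cannot say which of them is the one logging in."""
    rows = conn.execute(
        "SELECT username FROM users WHERE password = ?", (password,)
    ).fetchall()
    return [r[0] for r in rows]


def login_password_only(conn, password):
    """The flawed check: accept the login if *any* account has this
    password.  Returns whichever username comes back first, or None."""
    matches = matches_for_password(conn, password)
    return matches[0] if matches else None


def login(conn, username, password):
    """The correct check: the password must belong to the named account."""
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def attack_password_only(conn, guesses):
    """Attacker who knows no usernames at all makes one pass over the
    common passwords.  Returns (attempts, account landed in) or
    (attempts, None) if nothing matched."""
    for attempts, guess in enumerate(guesses, 1):
        user = login_password_only(conn, guess)
        if user is not None:
            return attempts, user
    return len(guesses), None


def attack_with_username(conn, username, guesses):
    """Against the correct check the attacker has to pick a target account
    and guess that account's password.  Returns the number of attempts, or
    None if no guess worked for this account."""
    for attempts, guess in enumerate(guesses, 1):
        if login(conn, username, guess):
            return attempts
    return None


if __name__ == "__main__":
    db = build_db()
    print("accounts using 'password1':", matches_for_password(db, "password1"))
    print("password-only check, no username known:",
          attack_password_only(db, COMMON_GUESSES))
    for target in ("alice", "carol"):
        print(f"username+password check against {target!r}:",
              attack_with_username(db, target, COMMON_GUESSES))
```

Running it shows both points from the message: the password-only query returns two rows for "password1" and cannot tell carol from dave, and an attacker who knows no usernames lands in one of those accounts on his fourth guess. With the username in the query he has to name a target first, and the same guess list gets him nowhere against alice.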
<hr>
<ul><li><strong>Follow-Ups</strong>:
<ul>
<li><strong><a name="00661" href="msg00661.html">[ale] User authentication in web app</a></strong>
<ul><li><em>From:</em> kafka at antichri.st (George Carless)</li></ul></li>
</ul></li></ul>
<ul><li><strong>References</strong>:
<ul>
<li><strong><a name="00597" href="msg00597.html">[ale] User authentication in web app</a></strong>
<ul><li><em>From:</em> mainwizard at vei.net (mainwizard at vei.net)</li></ul></li>
<li><strong><a name="00599" href="msg00599.html">[ale] User authentication in web app</a></strong>
<ul><li><em>From:</em> kafka at antichri.st (George Carless)</li></ul></li>
</ul></li></ul>
</body>
</html>