Unless there is something set in my Oracle startup, I would like to differ :)
  1* select 'yes' from DUAL where 'A' = 'a'
cms sql> /

no rows selected

cms sql> c$'A'$'a'
  1* select 'yes' from DUAL where 'a' = 'a'
cms sql> /

'YE
---
yes

1 row selected.

Brian

----
Brian T. Wightman
[EMAIL PROTECTED]
414.524.4025

[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
12/18/02 07:15 PM
Subject: Re: [cgiapp] checking passwords using SQL

> A little bit of an optimization and security check - if all you are doing
> is comparing if the username and password match, why not let SQL do it?
>
>     my $query = "SELECT count(*) FROM user WHERE USER_ID = ? and USER_PASSWORD = ?";
>     my $sth = $dbh->prepare($query);
>     $sth->execute($user_ID, $pass_word);
>     my ($valid_login) = $sth->fetchrow_array ();  # This could also be changed....

Good call, but one caveat: SQL is case-insensitive. So the password and userid will be compared case-insensitively as well. (I found out about this the hard way...)

You could fix this by declaring the columns or the comparison as binary (at least in MySQL).

Thilo
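The disagreement in this thread comes down to collation, shown here in an added example that is not part of any poster's message. It uses Python's sqlite3 as a stand-in: a NOCASE column plays the role of a case-insensitive column, BINARY plays the case-sensitive comparison seen in the Oracle session, and the sample account and function names are constructed.

```python
import sqlite3

# Constructed sample account, not taken from the thread.
USER, PASSWORD = "alice", "Secret42"

def make_db(collation):
    """In-memory user table whose text columns use the given collation.
    `collation` is a fixed constant here (NOCASE or BINARY), never user input."""
    db = sqlite3.connect(":memory:")
    db.execute(
        f"CREATE TABLE user (USER_ID TEXT COLLATE {collation}, "
        f"USER_PASSWORD TEXT COLLATE {collation})"
    )
    db.execute("INSERT INTO user VALUES (?, ?)", (USER, PASSWORD))
    return db

def valid_login(db, user_id, password, force_binary=False):
    """The count(*) check from the thread, with bound parameters.
    force_binary adds an explicit binary comparison that overrides the
    collation declared on the columns."""
    suffix = " COLLATE BINARY" if force_binary else ""
    query = (
        "SELECT count(*) FROM user "
        f"WHERE USER_ID = ?{suffix} AND USER_PASSWORD = ?{suffix}"
    )
    (count,) = db.execute(query, (user_id, password)).fetchone()
    return count == 1

def demo():
    ci = make_db("NOCASE")   # case-insensitive columns
    cs = make_db("BINARY")   # case-sensitive columns
    wrong_case = ("ALICE", "secret42")
    return {
        "ci_wrong_case": valid_login(ci, *wrong_case),
        "ci_wrong_case_binary": valid_login(ci, *wrong_case, force_binary=True),
        "ci_exact_binary": valid_login(ci, USER, PASSWORD, force_binary=True),
        "cs_wrong_case": valid_login(cs, *wrong_case),
        "cs_exact": valid_login(cs, USER, PASSWORD),
    }

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```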