Re: [cgiapp] checking passwords using SQL
On Thu, 19 Dec 2002, Thilo Planz wrote: A little bit of an optimization and security check - if all you are doing is comparing if the username and password match, why not let SQL do it? my $query = SELECT count(*) FROM user WHERE USER_ID = ? and USER_PASSWORD = ?; my $sth = $dbh-prepare($query); $sth-execute($user_ID, $pass_word); my ($valid_login) = $sth-fetchrow_array ();#This could also be changed Good call, but one caveat: SQL is case-insensitive. So the password and userid will be compare case-insensitively as well. (I found out about this the hard way...) You could fix this by declaring the columns or the comparison as binary (at least in MySQL). As I understand, the SQL language is case insensitive. So SELECT and WHERE are the same as select and where. I believe whether the entity names are care-sensitive varies by vendor. I just checked that in Postgres I can create tables named Test and test that are seperate. In Postgres it's standard to treat the /contents/ of a field as case-sensitive. So passwords of BIG and big will not be equivalent unless you do an explicit case-insensitive comparison. -mark http://mark.stosberg.com/ - Web Archive: http://www.mail-archive.com/cgiapp@lists.erlbaum.net/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [cgiapp] checking passwords using SQL
Unless there is something set in my Oracle startup, I would like to differ :) 1* select 'yes' from DUAL where 'A' = 'a' cms sql / no rows selected cms sql c$'A'$'a' 1* select 'yes' from DUAL where 'a' = 'a' cms sql / 'YE --- yes 1 row selected. Brian Brian T. Wightman [EMAIL PROTECTED] 414.524.4025 [EMAIL PROTECTED] eTo: [EMAIL PROTECTED] cc: [EMAIL PROTECTED], [EMAIL PROTECTED] 12/18/02 07:15 Subject: Re: [cgiapp] checking passwords using SQL PM A little bit of an optimization and security check - if all you are doing is comparing if the username and password match, why not let SQL do it? my $query = SELECT count(*) FROM user WHERE USER_ID = ? and USER_PASSWORD = ?; my $sth = $dbh-prepare($query); $sth-execute($user_ID, $pass_word); my ($valid_login) = $sth-fetchrow_array ();#This could also be changed Good call, but one caveat: SQL is case-insensitive. So the password and userid will be compare case-insensitively as well. (I found out about this the hard way...) You could fix this by declaring the columns or the comparison as binary (at least in MySQL). Thilo - Web Archive: http://www.mail-archive.com/cgiapp@lists.erlbaum.net/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: [cgiapp] checking passwords using SQL
It depends how you have configured the Oracle Server. It has both the options and can run in case insensitive or case sensitive. Ask the DBA in your area as how they have configured the servers. HTH. Thanks -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Thursday, December 19, 2002 11:48 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: [cgiapp] checking passwords using SQL Unless there is something set in my Oracle startup, I would like to differ :) 1* select 'yes' from DUAL where 'A' = 'a' cms sql / no rows selected cms sql c$'A'$'a' 1* select 'yes' from DUAL where 'a' = 'a' cms sql / 'YE --- yes 1 row selected. Brian Brian T. Wightman [EMAIL PROTECTED] 414.524.4025 [EMAIL PROTECTED] eTo: [EMAIL PROTECTED] cc: [EMAIL PROTECTED], [EMAIL PROTECTED] 12/18/02 07:15 Subject: Re: [cgiapp] checking passwords using SQL PM A little bit of an optimization and security check - if all you are doing is comparing if the username and password match, why not let SQL do it? my $query = SELECT count(*) FROM user WHERE USER_ID = ? and USER_PASSWORD = ?; my $sth = $dbh-prepare($query); $sth-execute($user_ID, $pass_word); my ($valid_login) = $sth-fetchrow_array ();#This could also be changed Good call, but one caveat: SQL is case-insensitive. So the password and userid will be compare case-insensitively as well. (I found out about this the hard way...) You could fix this by declaring the columns or the comparison as binary (at least in MySQL). Thilo - Web Archive: http://www.mail-archive.com/cgiapp@lists.erlbaum.net/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - Web Archive: http://www.mail-archive.com/cgiapp@lists.erlbaum.net/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [cgiapp] checking passwords using SQL
A little bit of an optimization and security check - if all you are doing is comparing if the username and password match, why not let SQL do it? my $query = SELECT count(*) FROM user WHERE USER_ID = ? and USER_PASSWORD = ?; my $sth = $dbh-prepare($query); $sth-execute($user_ID, $pass_word); my ($valid_login) = $sth-fetchrow_array ();#This could also be changed Good call, but one caveat: SQL is case-insensitive. So the password and userid will be compare case-insensitively as well. (I found out about this the hard way...) You could fix this by declaring the columns or the comparison as binary (at least in MySQL). Thilo - Web Archive: http://www.mail-archive.com/cgiapp@lists.erlbaum.net/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]