Hi Robert

In a password field (attribute) you must always save the password
encrypted, so the structure of the password itself doesn't matter.
I mean:

SQL query: SELECT * FROM uers WHERE user="$user" AND
password=PASSWORD("$passwd")

where PASSWORD is a MySQL function that encrypts passwords. This is more
secure because the password field in the DB is encrypted (not in plain
text).

Hope this helps.
-- 
Lic. Alejandro Fernández Herrero
Product Manager
www.all-control.com.ar
On Fri, 2004-11-12 at 11:59, Robert Meggle wrote:
> Hi Daniel,
> 
> MySQL 'sql inject' attack, try:
> SQL query: SELECT * FROM uers WHERE user='".$user."' AND
> password='".$passwd."'"
> instead of
> SQL query: SELECT * FROM uers WHERE user="$user" AND password="$passwd"
> 
> The password: aa" or 1=1" will produce the following (PHP) SQL query:
> "SELECT * FROM uers WHERE user='test" AND password='aa\" or 1=1\"'
> instead of
> "SELECT * FROM uers WHERE user=test AND password=aa or 1=1"
> 
> Effective: no positive result for the bad guy.
> 
> When I saw the idea of patients and personnel data in the same table it was
> also strange and new for me. But I think it's okay. Why not?
> 
> Robert
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On behalf of
> > Daniel Ignat
> > Sent: Friday, 12 November 2004 11:25
> > To: [EMAIL PROTECTED]
> > Subject: Re: [Care2002-developers] about patients and personnel in the
> > same table
> >
> >
> > Hi!
> >
> > I saw that also and it seems to me a little bit
> > annoying to mix personnel and patients.. but you
> > also are right about duplicate data if someone
> > from the personnel gets sick..
> >
> > so, my suggestion is this (for the main developers
> > of care2x): is it possible to put an unchecked
> > 'check box' in the 'search person' form, so that
> > you may 'include', *if you want* the personnel
> > data (as an exception), in the search query?..
> >
> > or maybe better, 2 radio buttons:
> >   - only personnel, only patients
> > this way you will not have to look for all the
> > patients (including the filter) either when looking
> > for personnel..
> >
> > it is not difficult for the developer who has done
> > that form, but it would be a great feature for the
> > user. There is only one check box with a text, then
> > a filter in the SQL query..
> >
> > PS. I realized that you may use the '%' SQL operator
> > in a query.. I don't know if this is a 'feature' or
> > a 'bug'. It may be a security breach. Are you aware
> > of the 'sql inject' attacks? It seems that there is
> > no expression checking on the 'person search' input
> > text.. (but I recognize I didn't have the time to
> > check the code. So, sorry if this isn't true, I just
> > had it in my mind for a while and wanted to warn you)
> >
> > PPS. Example of a MySQL 'sql inject' attack (I hope
> > to remember it correctly, but if not, you will grasp
> > the idea):
> >
> > <FORM>... etc
> > user: test
> > password: aa" and ""="""
> >                    ^^^^^^^ - this disables your original
> > query if you don't check the user input (which should
> > always be done, with a regular expression and other
> > mechanisms, like the native functions of PHP related
> > to slashes, command parsing (see doc for exec(), etc.)
> >
> > SQL query: SELECT * FROM uers WHERE user="$user" AND
> > password="$passwd"
> >
> >
> > Regards,
> >
> > --
> > Daniel Ignat
> > PHP Programmer and SysAdmin
> >
> >
> > Elpidio Latorilla wrote:
> > > Hello Walter,
> > >
> > > I just suggested that possibility based on my understanding of your idea to
> > > separate the personal data of the hospital's personnel from the patient data.
> > > Since the personal data are the same, you can use the same structure. Of
> > > course this means that once a hospital's employee gets sick and himself
> > > becomes that hospital's patient, you might need to reenter his personal data
> > > as a patient. This means double work and redundancy of data.
> > >
> > > I personally wanted to avoid this redundancy; that's why there is currently
> > > only one person data table and it also contains the data of the hospital's
> > > personnel.
> > >
> > > But I understood from your last posting that you might need a true
> > > separation, so I suggested the previous solution. Please correct me if I am
> > > wrong.
> > >
> > > Elpidio
> > >
> > > On Wednesday 10 November 2004 16:33, Walter Nunez wrote:
> > >
> > >>Thank you Elpidio.
> > >>but, in this table..personnel and patients
> > >>¿Why do they share the same table as in the original design?
> > >
> > >
> > >
> > >
> > > -------------------------------------------------------
> > > This SF.Net email is sponsored by:
> > > Sybase ASE Linux Express Edition - download now for FREE
> > > LinuxWorld Reader's Choice Award Winner for best database on Linux.
> > > http://ads.osdn.com/?ad_id=5588&alloc_id=12065&op=click
> > > _______________________________________________
> > > Care2002-developers mailing list
> > > [EMAIL PROTECTED]
> > > https://lists.sourceforge.net/lists/listinfo/care2002-developers
> > >
> > >
> >
> >
> >
> >
> 
> 
> 




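The login query debated in this thread, reproduced as an added example (not Care2x code and not code posted by anyone above). It runs against an in-memory SQLite database standing in for MySQL, with constructed accounts and a user-defined PASSWORD() function (SHA-256 here, not MySQL's algorithm) so that Alejandro's suggested form of the query can be executed as written. Two payloads with balanced quotes are used: a tautology injected through the password, and a `-- ` comment injected through the user name; both work in MySQL and SQLite. SQLite does not process backslash escapes, so the addslashes-style escaping from Robert's message is not reproduced here; the parameterised query is the fix that does not depend on quoting rules at all. Note what the hashed column changes and what it does not: the stored value is no longer plain text, but the WHERE clause is still parsed from raw input before PASSWORD() ever runs.

```python
"""Added example, not code from Care2x or from anyone in the thread.

Rebuilds the login query discussed above against an in-memory SQLite
database (stand-in for MySQL; table and rows are constructed here) and
shows that wrapping the password in PASSWORD() does not stop injection,
while a parameterised query does.
"""
import hashlib
import sqlite3


def fake_password_fn(plain):
    # Stand-in for MySQL's PASSWORD(): a one-way hash of the input.
    # Illustration only; real password storage wants a slow, salted KDF.
    return hashlib.sha256(plain.encode("utf-8")).hexdigest()


def build_db():
    # Constructed sample accounts; nothing here comes from the project.
    conn = sqlite3.connect(":memory:")
    conn.create_function("PASSWORD", 1, fake_password_fn)
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, PASSWORD(?))",
        [("test", "s3cret"), ("admin", "hunter2")],
    )
    return conn


def login_interpolated(conn, user, passwd):
    # The PHP pattern from the thread: untrusted input pasted into SQL text.
    # PASSWORD() runs only after the parser has already seen the raw input.
    sql = (
        "SELECT user FROM users WHERE user='%s' AND password=PASSWORD('%s')"
        % (user, passwd)
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterised(conn, user, passwd):
    # Placeholders: the driver sends the values separately from the SQL
    # text, so quotes and comment markers in the input are just data.
    sql = "SELECT user FROM users WHERE user=? AND password=PASSWORD(?)"
    return [row[0] for row in conn.execute(sql, (user, passwd))]


# Payloads with balanced quotes so the statement still parses
# (the quote-closing form of the "or 1=1" trick discussed above).
PW_TAUTOLOGY = "x') OR ('1'='1"    # closes PASSWORD('...'), appends OR TRUE
USER_COMMENT = "admin' -- "        # closes the user literal, comments out the rest


def demo():
    # Returns every case as a dict so the outcomes can be checked directly.
    conn = build_db()
    return {
        "legit_interp": login_interpolated(conn, "test", "s3cret"),
        "legit_param": login_parameterised(conn, "admin", "hunter2"),
        "bypass_pw": login_interpolated(conn, "nobody", PW_TAUTOLOGY),
        "bypass_user": login_interpolated(conn, USER_COMMENT, "wrong"),
        "param_pw": login_parameterised(conn, "nobody", PW_TAUTOLOGY),
        "param_user": login_parameterised(conn, USER_COMMENT, "wrong"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print("%-12s -> %s" % (name, rows))
```

Running it, the interpolated query returns both accounts for the password tautology and the admin row for the commented-out user name, while the parameterised query returns nothing for either payload and still authenticates the genuine credentials.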