On Aug 2, 2006, at 8:09, Øyvind Harboe wrote:
> The only thing I assume here is that it is safe to pass a string from an attacker to likeIgnoreCaseExp().
It should be safe as Cayenne uses prepared statements, but some JDBC drivers have had security holes even for prepared statements. Typically these are drivers that expand the prepared statement on the client side and pass it on as a non-prepared statement.
Storing clear-text passwords in the database is almost never a good solution. I mostly store a SHA-1 of the password.
- Tore.
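The hashed-password storage Tore describes, as an added example written for this thread rather than taken from it or from Cayenne: it keeps SHA-1 as the underlying hash but, as an assumed extension of the bare digest, wraps it in PBKDF2 with a per-user random salt and an iteration count and compares digests in constant time. The `USERS` dict, `register` and `login` names are constructed stand-ins for the database table.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters (not from the thread): PBKDF2 iteration count and salt size.
ITERATIONS = 200_000
SALT_BYTES = 16

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha1$<iters>$<salt hex>$<digest hex>'.

    Only this record goes into the database, never the clear-text password.
    A random per-user salt means two users with the same password get different
    records, and the iteration count makes offline guessing slower.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha1${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt/iterations and compare in constant time."""
    try:
        algorithm, iterations_str, salt_hex, digest_hex = stored.split("$")
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: treat as no match rather than raising
    if algorithm != "pbkdf2_sha1" or iterations < 1:
        return False
    actual = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    # compare_digest does not leak how many leading bytes matched via timing
    return hmac.compare_digest(actual, expected)

# Constructed in-memory stand-in for the users table: username -> stored record
USERS = {}

def register(username: str, password: str) -> None:
    USERS[username] = hash_password(password)

def login(username: str, password: str) -> bool:
    stored = USERS.get(username)
    if stored is None:
        hash_password(password)  # run the KDF anyway so unknown users cost the same time
        return False
    return verify_password(password, stored)
```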
