On 8/2/06, Tore Halset <[EMAIL PROTECTED]> wrote:
> On Aug 2, 2006, at 8:09, Øyvind Harboe wrote:
>
> > The only thing I assume here is that it is safe to pass a string from
> > an attacker to likeIgnoreCaseExp().
>
> It should be safe as cayenne uses prepared statement, but some jdbc
> drivers have had security holes even for prepared statement. Typically
> drivers that expand the prepared statement on the client side and
> pass it on as a non-prepared statement.
>
> Storing clear-text passwords in the database is almost never a good
> solution. I mostly store a sha-1 of the password.

This is used code that needs to be bug-by-bug compatible. Fun isn't it? :-)


--
Øyvind Harboe
http://www.zylin.com
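The two points raised in the thread, shown as an added example that is not part of the original mails and not Cayenne's own code: a query whose pattern is bound as a parameter versus a model of a driver that expands the statement on the client side (the probe is a pattern containing a single quote; a binding driver returns "no match", a client-expanding one turns it into a SQL error), and a user table that stores a password hash instead of the clear text. The thread mentions SHA-1; this example deliberately swaps in salted PBKDF2-HMAC-SHA256 with a constant-time comparison, since an unsalted fast hash is no longer considered adequate for password storage. The table, names and passwords are constructed sample data; `find_like_client_expanded` is a hypothetical model, not any real JDBC driver.

```python
import hashlib
import hmac
import os
import sqlite3


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. The thread mentions plain SHA-1; this is the
    example's own choice, since an unsalted fast hash is not adequate today."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def make_db():
    """Constructed in-memory user table (sample data, not the Cayenne schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash BLOB, salt BLOB)")
    for name, password in [("alice", "correct horse"), ("bob", "hunter2")]:
        salt, digest = hash_password(password)
        # Only the salt and the digest are stored, never the clear-text password.
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, digest, salt))
    return conn


def verify_password(conn, name, candidate):
    """Re-derive the digest with the stored salt and compare in constant time."""
    row = conn.execute(
        "SELECT pw_hash, salt FROM users WHERE name = ?", (name,)
    ).fetchone()
    if row is None:
        return False
    stored, salt = row
    _, digest = hash_password(candidate, salt)
    return hmac.compare_digest(stored, digest)


def find_like_bound(conn, pattern):
    """Case-insensitive LIKE with the pattern bound as a parameter: the database
    receives it as data and never parses it as SQL (what a prepared statement
    gives you when the driver binds server-side)."""
    rows = conn.execute(
        "SELECT name FROM users WHERE lower(name) LIKE lower(?)", (pattern,)
    ).fetchall()
    return [r[0] for r in rows]


def find_like_client_expanded(conn, pattern):
    """Hypothetical model of a driver that expands the prepared statement on the
    client: it pastes the value into the SQL text and ships a plain statement."""
    sql = "SELECT name FROM users WHERE lower(name) LIKE lower('%s')" % pattern
    rows = conn.execute(sql).fetchall()  # a quote in the pattern breaks the statement
    return [r[0] for r in rows]


def treats_input_as_data(query_fn, conn):
    """Probe for the thread's concern: a pattern with an embedded quote must come
    back as 'no match', not as a SQL error. True means the value was bound."""
    try:
        return query_fn(conn, "o'connor") == []
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    db = make_db()
    print("bound lookup:", find_like_bound(db, "ALI%"))
    print("bound driver treats quote as data:", treats_input_as_data(find_like_bound, db))
    print("expanding driver treats quote as data:", treats_input_as_data(find_like_client_expanded, db))
    print("alice login ok:", verify_password(db, "alice", "correct horse"))
    print("alice wrong password:", verify_password(db, "alice", "wrong"))
```

The probe in `treats_input_as_data` is the check a practitioner can run against a real driver from a test harness: if a lookup with a quote in the bound value errors out instead of returning no rows, the driver is building SQL text on the client and the prepared statement is not giving the protection the thread assumes.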