At 02:00 PM 3/16/2001 -0600, you wrote:
>First, I would NOT store passwords in a database. Rather, I'd store a hash
>based upon the password and username. Storing a password is dangerous as
>regards security.
Just to be a little picky and *not* to start an argument (discussion, yes),
this really depends on the application, don't you think? If you are not
using a secure web server and you are not doing anything particularly
sensitive, I do not see a problem with plain text passwords. Hashing them
means you have to come up with an alternative system for dealing with lost
passwords, which is probably just as likely to be a problem as having plain
text passwords in the first place. If you are not using a secure server
you are still transmitting plain text values over the net, so at best this
seems a false sense of security.
If this is an e-commerce setup then I agree, go for the "hash", but if it is
just a little community site or something, is the loss of usability (i.e.
easy password recovery) worth the hassle for users and admins? I have been
wrestling with this a lot lately and am still not convinced that for a
simple application this is justified. Can you suggest a reason why I should
rethink this?
>Finally, as far as a query:
> SELECT * FROM mytable WHERE access <= $level;
Now this is just nitpicking, but the above query could lead someone to
create a security problem (since that is what we are concerned about
here). I think a better example would be something like:
$query = sprintf("SELECT table.cola, table.colb, table.colc FROM mytable WHERE access <= %d", $level);
This way, nothing can be slipped into the query via "$level".
Cheers
-----------------------------------------------------------------------------
Island Net AMT Solutions Group Inc. Telephone: 250 383-0096
1412 Quadra Toll Free: 1 800 331-3055
Victoria, B.C. Fax: 250 383-6698
V8W 2L1 E-Mail: [EMAIL PROTECTED]
Canada WWW: http://www.islandnet.com/
-----------------------------------------------------------------------------
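The two points argued in the message above, worked through in PHP as an added example (not code from the original thread or from any list member). It assumes PHP 7 or later and, for the last function, an existing PDO connection; `$pdo`, `mytable` and the column names are hypothetical, and `password_hash()` is used in place of the hand-rolled hash(password + username) mentioned in the quoted post.

```php
<?php
// Added example, not from the original thread.
// (1) Store a password hash, never the password, and treat a lost password as
//     "issue a reset", not "recover the old one".
// (2) Never paste a request value into SQL text; coerce it (sprintf %d, as in
//     the post) or bind it as a parameter.

// (1) password_hash() salts and slow-hashes for you, so the stored string
//     cannot be used as a credential even if the table leaks.
function storeCredential(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

function checkCredential(string $password, string $storedHash): bool {
    return password_verify($password, $storedHash);
}

// The old password cannot be read back from the hash, so "lost password"
// becomes a one-time reset token: store its hash with an expiry, e-mail the
// raw token, and replace the password hash once the token is used.
function issueResetToken(): string {
    return bin2hex(random_bytes(32));
}

// (2) $level arrives from the request, so it is under the client's control.
function buildQueryUnsafe(string $level): string {
    // Direct interpolation: whatever text the client sent becomes part of
    // the WHERE clause.
    return "SELECT * FROM mytable WHERE access <= $level";
}

function buildQuerySprintf($level): string {
    // %d coerces like (int): a tampered string collapses to its leading
    // digits, or to 0, so only a number ever reaches the SQL text.
    return sprintf("SELECT cola, colb, colc FROM mytable WHERE access <= %d", $level);
}

function fetchByLevel(PDO $pdo, $level): array {
    // Prepared statement: the value is bound as an integer and is never
    // spliced into the SQL string at all. ($pdo is a hypothetical connection.)
    $stmt = $pdo->prepare("SELECT cola, colb, colc FROM mytable WHERE access <= :level");
    $stmt->bindValue(':level', (int)$level, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample of a tampered request value, to compare the two builders.
$hostile = "1 OR 1=1";
echo buildQueryUnsafe($hostile), "\n";   // the extra condition survives intact
echo buildQuerySprintf($hostile), "\n";  // only the leading integer survives
```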
--
PHP Database Mailing List (http://www.php.net/)