didn't pick this up until after the weekend.
but i completely agree.
I use plain text passwords in the stuff I use at work (just intranet shared
calendars) but I would also argue if they (hackers) have access to your db,
to get at your passwords, then your system is gone anyway.
I have a table storing usernames and passwords and a separate table storing
access levels.
-----Original Message-----
From: Ron Brogden [mailto:[EMAIL PROTECTED]]
Sent: 16 March 2001 20:18
To: [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Login System with access levels
At 02:00 PM 3/16/2001 -0600, you wrote:
>First, I would NOT store passwords in a database. Rather, I'd store a hash
>based upon the password and username. Storing a password is dangerous as
>regards security.
Just to be a little picky and *not* to start an argument (discussion yes),
this really depends on the application don't you think? If you are not
using a secure web server and you are not doing anything particularly
sensitive, I do not see a problem with plain text passwords. Hashing them
means you have to come up with an alternative system for dealing with lost
passwords which is probably just as likely to be a problem as having plain
text passwords in the first place. If you are not using a secure server
you are still transmitting plain text values over the net so at best this
seems a false sense of security.
If this is an e-commerce setup then I agree, go for the "hash" but if it is
just a little community site or something, is the loss of usability (i.e.
easy password recovery) worth the hassle for users and admins? I have been
wrestling with this a lot lately and am still not convinced that for a
simple application this is justified. Can you suggest a reason why I should
rethink this?
>Finally, as far as a query:
> SELECT * FROM mytable WHERE access <= $level;
Now this is just nitpicking but the above query could lead someone to
create a security problem (since that is what we are concerned about
here). I think a better example would be something like:
// %d forces $level to be formatted as an integer, whatever the request sent
$query = sprintf("SELECT mytable.cola, mytable.colb, mytable.colc "
               . "FROM mytable WHERE access <= %d", $level);
This way, nothing can be slipped into the query via "$level".
Cheers
-----------------------------------------------------------------------------
Island Net AMT Solutions Group Inc.      Telephone: 250 383-0096
1412 Quadra                              Toll Free: 1 800 331-3055
Victoria, B.C.                           Fax:       250 383-6698
V8W 2L1                                  E-Mail:    [EMAIL PROTECTED]
Canada                                   WWW:       http://www.islandnet.com/
-----------------------------------------------------------------------------
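As an added example (not part of either message in this thread), here is a minimal version of the login system being discussed: usernames and access levels in separate tables, passwords stored only as salted hashes, and the "access <= $level" query built with a bound integer parameter rather than string interpolation. It uses PDO with an in-memory SQLite database and PHP's password_hash()/password_verify() so it runs stand-alone; the table and column names, the PDO SQLite driver being available, and the sample users are assumptions made for the example, and prepared statements are used in place of the sprintf("%d") approach from the thread.

```php
<?php
// Added example, not code from the original thread. Assumes PHP >= 7.4 with the
// pdo_sqlite extension. Table/column names are chosen for illustration only.

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Usernames and password hashes in one table, access levels in another,
    // mirroring the two-table layout described in the reply above.
    $db->exec('CREATE TABLE users (
                 id INTEGER PRIMARY KEY,
                 username TEXT UNIQUE NOT NULL,
                 password_hash TEXT NOT NULL)');
    $db->exec('CREATE TABLE access (
                 user_id INTEGER NOT NULL REFERENCES users(id),
                 level INTEGER NOT NULL)');
    return $db;
}

// Store only a salted hash; the plain-text password never reaches the database,
// so a dump of the table does not hand an attacker reusable credentials.
function create_user(PDO $db, string $username, string $password, int $level): void {
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
    $id = (int) $db->lastInsertId();
    $stmt = $db->prepare('INSERT INTO access (user_id, level) VALUES (:id, :lvl)');
    $stmt->execute([':id' => $id, ':lvl' => $level]);
}

// Returns the user's access level when the password matches, null otherwise.
// password_verify() recomputes the hash with the stored salt and compares.
function login(PDO $db, string $username, string $password): ?int {
    $stmt = $db->prepare('SELECT u.password_hash, a.level
                          FROM users u JOIN access a ON a.user_id = u.id
                          WHERE u.username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['level'];
}

// The access-level filter from the thread. $level is bound as an integer
// parameter, so whatever arrives in the request cannot alter the SQL text.
function users_at_or_below(PDO $db, $level): array {
    $stmt = $db->prepare('SELECT u.username, a.level
                          FROM users u JOIN access a ON a.user_id = u.id
                          WHERE a.level <= :lvl
                          ORDER BY u.username');
    $stmt->bindValue(':lvl', (int) $level, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data for the demonstration.
$db = open_db();
create_user($db, 'alice', 'correct horse battery staple', 3);
create_user($db, 'bob', 'hunter2', 1);

var_dump(login($db, 'alice', 'correct horse battery staple'));
var_dump(login($db, 'alice', 'not her password'));

// A hostile value such as "1 OR 1=1" is cast to the integer 1 before it is
// bound, so it only ever selects level-1 users and cannot widen the query.
print_r(users_at_or_below($db, '1 OR 1=1'));
```

The trade-off Ron raises still applies: with hashes you cannot mail a forgotten password back to the user, so a lost-password flow has to set a new one (for example via a time-limited reset link) rather than recover the old one. Note also that password_verify() protects the stored credentials, not the wire; without TLS the password is still sent in the clear at login, which is the "false sense of security" point above.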
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]