Re: [cgiapp] checking passwords using SQL

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cgiapp] checking passwords using SQL

Subject: Re: [cgiapp] checking passwords using SQL
Date: Thu, 19 Dec 2002 10:15:21 +0900
From: Thilo Planz <suppressed>

A little bit of an optimization and security check - if all you aredoing
is comparing if the username and password match, why not let SQL do it?

      my $query = "SELECT count(*) FROM user WHERE USER_ID = ? and
USER_PASSWORD = ?";
      my $sth = $dbh->prepare($query);
      $sth->execute($user_ID, $pass_word);
my ($valid_login) = $sth->fetchrow_array (); #This could alsobe
changed....


Good call, but one caveat:

SQL is case-insensitive.
So the password and userid will be compare case-insensitively as well.
(I found out about this the hard way...)

You could fix this by declaring the columns or the comparison as binary(at least in MySQL).


Thilo


---------------------------------------------------------------------
Web Archive:  http://www.mail-archive.com/suppressed/
To unsubscribe, e-mail: suppressed
For additional commands, e-mail: suppressed

Follow-Ups:
- Re: [cgiapp] checking passwords using SQL
  - From: Mark Stosberg

References:
- RE: [cgiapp] cgiapp_prerun (what about passing vars with: return $self->display_login(); )
  - From: Brian . T . Wightman

Prev by Date: Re: [cgiapp] Forcing a login...
Next by Date: Re: [cgiapp] checking passwords using SQL
Previous by thread: RE: [cgiapp] cgiapp_prerun (what about passing vars with: return $self->display_login(); )
Next by thread: Re: [cgiapp] checking passwords using SQL
Index(es):
- Date
- Thread

Mail converted by mhonarc 2.6.15
This archive provided courtesy of JSW4.NET, Internet Hosting Services for Small Business.