
Re: [cgiapp] checking passwords using SQL


Unless there is something set in my Oracle startup, I would like to differ
:)

        1* select 'yes' from DUAL where 'A' = 'a'
      cms sql> /

      no rows selected

      cms sql> c$'A'$'a'
        1* select 'yes' from DUAL where 'a' = 'a'
      cms sql> /

      'YE
      ---
      yes

      1 row selected.

Brian
----
Brian T. Wightman
suppressed
414.524.4025


      suppressed
      12/18/02 07:15 PM
      To:      suppressed
      cc:      suppressed, suppressed
      Subject: Re: [cgiapp] checking passwords using SQL

> A little bit of an optimization and security check - if all you are
> doing is comparing if the username and password match, why not let SQL
> do it?
>
>       my $query = "SELECT count(*) FROM user WHERE USER_ID = ? and USER_PASSWORD = ?";
>       my $sth = $dbh->prepare($query);
>       $sth->execute($user_ID, $pass_word);
>       my ($valid_login) = $sth->fetchrow_array ();    #This could also be changed....

Good call, but one caveat:

SQL is case-insensitive.
So the password and userid will be compared case-insensitively as well.
(I found out about this the hard way...)

You could fix this by declaring the columns or the comparison as binary
(at least in MySQL).

Thilo
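The collation effect Thilo describes, and the "declare the column or the comparison as binary" fix, as an added example that is not part of the thread and not Thilo's or Brian's code. It uses Python's standard sqlite3 module rather than MySQL or Oracle, with SQLite's NOCASE collation standing in for a case-insensitive collation such as MySQL's default; the user table, the credential and the helper names are constructed for the demonstration.

```python
import sqlite3

# Constructed sample credential for the demonstration; not from the thread.
USERS = [("alice", "S3cretPass")]

# Same count(*) check as the quoted Perl, with placeholders so user input
# is bound as data and never interpolated into the SQL text.
QUERY_DEFAULT_COLLATION = (
    "SELECT count(*) FROM user WHERE USER_ID = ? AND USER_PASSWORD = ?"
)
# Fix 1 from the thread: declare the *comparison* as binary. In SQLite an
# explicit COLLATE on an operand overrides the column's declared collation.
QUERY_BINARY_COMPARE = (
    "SELECT count(*) FROM user "
    "WHERE USER_ID = ? AND USER_PASSWORD COLLATE BINARY = ?"
)


def build_db(case_insensitive_password):
    """Create an in-memory user table.

    With case_insensitive_password=True the USER_PASSWORD column is declared
    COLLATE NOCASE (case-insensitive). With False it is COLLATE BINARY, which
    is fix 2 from the thread: declare the *column* as binary.
    """
    conn = sqlite3.connect(":memory:")
    if case_insensitive_password:
        conn.execute(
            "CREATE TABLE user (USER_ID TEXT, USER_PASSWORD TEXT COLLATE NOCASE)"
        )
    else:
        conn.execute(
            "CREATE TABLE user (USER_ID TEXT, USER_PASSWORD TEXT COLLATE BINARY)"
        )
    conn.executemany("INSERT INTO user VALUES (?, ?)", USERS)
    return conn


def login_ok(conn, user_id, password, force_binary=False):
    """Return True when exactly one row matches the supplied credentials."""
    query = QUERY_BINARY_COMPARE if force_binary else QUERY_DEFAULT_COLLATION
    (count,) = conn.execute(query, (user_id, password)).fetchone()
    return count == 1


def demo():
    """Run the four cases the thread talks about and return the outcomes."""
    results = {}

    # Case-insensitive column: the wrong-case password is accepted.
    ci = build_db(case_insensitive_password=True)
    results["nocase_column_wrong_case"] = login_ok(ci, "alice", "s3cretpass")
    # Fix 1: forcing a binary comparison rejects it, same column.
    results["nocase_column_binary_compare"] = login_ok(
        ci, "alice", "s3cretpass", force_binary=True
    )

    # Fix 2: a column declared with binary collation rejects the wrong case
    # and still accepts the exact password.
    bi = build_db(case_insensitive_password=False)
    results["binary_column_wrong_case"] = login_ok(bi, "alice", "s3cretpass")
    results["binary_column_right_case"] = login_ok(bi, "alice", "S3cretPass")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'accepted' if outcome else 'rejected'}")
```

The check itself is the same as the quoted Perl, only the collation differs; whether a given database compares strings case-sensitively is a property of the column's or the expression's collation, so the Oracle session above and Thilo's MySQL experience can both be right. The example keeps the thread's plaintext equality comparison so that the collation effect is the only variable.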

---------------------------------------------------------------------
Web Archive:  http://www.mail-archive.com/suppressed/
To unsubscribe, e-mail: suppressed
For additional commands, e-mail: suppressed