It depends how you have configured the Oracle Server. It has both options and can run case insensitive or case sensitive. Ask the DBA in your area how they have configured the servers.
HTH.
Thanks
-----Original Message-----
From: suppressed [mailto:suppressed]
Sent: Thursday, December 19, 2002 11:48 AM
To: suppressed
Cc: suppressed
Subject: Re: [cgiapp] checking passwords using SQL
Unless there is something set in my Oracle startup, I would like to differ :)
1* select 'yes' from DUAL where 'A' = 'a'
cms sql> /
no rows selected
cms sql> c$'A'$'a'
1* select 'yes' from DUAL where 'a' = 'a'
cms sql> /
'YE
---
yes
1 row selected.
Brian
----
Brian T. Wightman
suppressed
414.524.4025
suppressed
To: suppressed
cc: suppressed, suppressed
12/18/02 07:15 PM
Subject: Re: [cgiapp] checking passwords using SQL
> A little bit of an optimization and security check - if all you are doing
> is comparing if the username and password match, why not let SQL do it?
>
> my $query = "SELECT count(*) FROM user WHERE USER_ID = ? and USER_PASSWORD = ?";
> my $sth = $dbh->prepare($query);
> $sth->execute($user_ID, $pass_word);
> my ($valid_login) = $sth->fetchrow_array (); #This could also be changed....
Good call, but one caveat:
SQL is case-insensitive.
So the password and userid will be compared case-insensitively as well.
(I found out about this the hard way...)
You could fix this by declaring the columns or the comparison as binary
(at least in MySQL).
Thilo
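The case-insensitivity problem and the binary-comparison fix from this message, as an added example that is not part of the original thread. It uses an in-memory SQLite table whose columns are declared COLLATE NOCASE to stand in for a MySQL case-insensitive collation; the table name, column names and the sample user row are constructed to match the quoted query.

```python
import sqlite3

# Constructed sample data: one user row with a mixed-case password.
# Plaintext storage mirrors the query quoted in the thread; it is only
# here to reproduce the comparison behaviour being discussed.
USER_ID = "bwightman"
STORED_PASSWORD = "S3cretPass"


def _connect() -> sqlite3.Connection:
    """In-memory database simulating the thread's `user` table.

    Both columns are declared COLLATE NOCASE so that a plain '=' compares
    case-insensitively, as Thilo reports for MySQL's default collations.
    """
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE user ("
        "  USER_ID TEXT COLLATE NOCASE,"
        "  USER_PASSWORD TEXT COLLATE NOCASE)"
    )
    con.execute("INSERT INTO user VALUES (?, ?)", (USER_ID, STORED_PASSWORD))
    return con


def valid_login_naive(user_id: str, password: str) -> bool:
    """The check as quoted in the thread: '=' uses the column's collation,
    so a password that differs only in case is accepted."""
    con = _connect()
    (count,) = con.execute(
        "SELECT count(*) FROM user WHERE USER_ID = ? AND USER_PASSWORD = ?",
        (user_id, password),
    ).fetchone()
    return count == 1


def valid_login_binary(user_id: str, password: str) -> bool:
    """Thilo's fix: force a byte-wise comparison on the password.
    SQLite spells this `COLLATE BINARY`; MySQL uses the BINARY operator
    or a binary collation on the column."""
    con = _connect()
    (count,) = con.execute(
        "SELECT count(*) FROM user WHERE USER_ID = ? "
        "AND USER_PASSWORD = ? COLLATE BINARY",
        (user_id, password),
    ).fetchone()
    return count == 1


if __name__ == "__main__":
    for pw in ("S3cretPass", "s3cretpass"):
        print(pw, valid_login_naive(USER_ID, pw), valid_login_binary(USER_ID, pw))
```

With the wrong-case password "s3cretpass" the naive query still returns a count of 1, while the binary comparison returns 0.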
---------------------------------------------------------------------
Web Archive: http://www.mail-archive.com/suppressed/
To unsubscribe, e-mail: suppressed
For additional commands, e-mail: suppressed
---------------------------------------------------------------------