From: | Vince Vielhaber <vev(at)michvhf(dot)com> |
---|---|
To: | Andrew McMillan <andrew(at)catalyst(dot)net(dot)nz> |
Cc: | Stephan Borg <wolff_borg(at)yahoo(dot)com(dot)au>, <pgsql-php(at)postgresql(dot)org> |
Subject: | Re: WWW-Authentication and Postgresql |
Date: | 2001-12-27 15:51:03 |
Message-ID: | Pine.BSF.4.40.0112271045060.36020-100000@paprika.michvhf.com |
Lists: | pgsql-php |
On 27 Dec 2001, Andrew McMillan wrote:
> > <snip>
> > A couple of quick gotchas. 1) make sure you filter out all unwanted
> > characters so someone can't execute sql calls inside of a username or
> > password. 2) On failure make sure you send a 401 to the browser just
> > like you do initially when asking for the password to clear out the old
> > one - you can also use this to handle logouts.
<snip>
> I think that what Vince was getting at particularly, in replying to my
> post suggesting not to use database-level users, was that if you are not
> using database level users then there is a greater risk of this being a
> problem. I would tend to dispute that - I think this is a risk
> _anytime_. Paranoia rules.
Nope, all I was saying was to filter out all input from the browser.
You don't want any apostrophes, or probably anything other than a-z,
A-Z, 0-9. And to use the 401 to clear out failures.
Vince.
--
==========================================================================
Vince Vielhaber -- KA8CSH email: vev(at)michvhf(dot)com http://www.pop4.net
56K Nationwide Dialup from $16.00/mo at Pop4 Networking
Online Campground Directory http://www.camping-usa.com
Online Giftshop Superstore http://www.cloudninegifts.com
==========================================================================
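Both points from the thread (a character whitelist on what the browser sends, and a fresh 401 on any failure so the browser drops the cached credentials) as an added PHP example; this is not code from the list or from Vince, and the `site_users` table, its `pwhash` column and the connection string are assumed placeholders.

```php
<?php
// Added example: HTTP Basic auth checked against a PostgreSQL table.
// Assumed schema: site_users(username text, pwhash text); connection
// string values are placeholders.

function valid_username(string $s): bool {
    // Vince's whitelist: nothing but a-z, A-Z, 0-9 (no apostrophes, no
    // spaces), plus a length cap.
    return preg_match('/^[A-Za-z0-9]{1,64}$/', $s) === 1;
}

function send_401(): void {
    // A new 401 makes the browser forget the old credentials and prompt
    // again; a page that always does this serves as the "logout" link.
    header('WWW-Authenticate: Basic realm="Members"');
    http_response_code(401);
    echo "Authentication required.\n";
    exit;
}

function check_login($db, string $user, string $pass): bool {
    // Defence in depth: even with the whitelist, bind values as parameters
    // instead of interpolating them into the SQL string. This is also why
    // the password itself need not be restricted to alphanumerics.
    $res = pg_query_params(
        $db, 'SELECT pwhash FROM site_users WHERE username = $1', [$user]);
    if ($res === false || pg_num_rows($res) !== 1) {
        return false;
    }
    $row = pg_fetch_assoc($res);
    return password_verify($pass, $row['pwhash']);
}

$user = $_SERVER['PHP_AUTH_USER'] ?? '';
$pass = $_SERVER['PHP_AUTH_PW'] ?? '';

if (!valid_username($user) || strlen($pass) > 256) {
    send_401();
}

$db = pg_connect('host=localhost dbname=PLACEHOLDER user=PLACEHOLDER password=PLACEHOLDER');
if ($db === false || !check_login($db, $user, $pass)) {
    send_401();
}

echo "Welcome, " . htmlspecialchars($user) . "\n";
```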