Re: WWW-Authentication and Postgresql

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On Thu, 2001-12-27 at 16:00, Stephan Borg wrote:
> I have found the mod_auth_pgsql module to be the easiest way to
> implement this function. Does anyone know if it takes the points
> mentioned below into consideration? 
> 
> Stephan
> 
> -----Original Message-----
> From: Vince Vielhaber [mailto:vev@xxxxxxxxxxx] 
> Sent: Wednesday, 26 December 2001 2:25 PM
> To: Andrew McMillan
> Cc: Stephan Borg; pgsql-php@xxxxxxxxxxxxxx
> Subject: Re: [PHP] WWW-Authentication and Postgresql
> <snip>
> A couple of quick gotchas.  1) make sure you filter out all unwanted
> characters so someone can't execute sql calls inside of a username or
> password.  2) On failure make sure you send a 401 to the browser just
> like you do initially when asking for the password to clear out the old
> one - you can also use this to handle logouts.

These points don't really relate so much to authentication - they are
much more related to when you construct SQL calls.  Remember: the
browser is an untrusted client.

For example, if you trust someone to enter a value into a field which is
a single character, and you then construct a query:

"SELECT * FROM my_table WHERE my_field = '$unsafe_value';"

If $unsafe_value is "X" then all is well and good, but if $unsafe_value
is "X'; DROP TABLE my_table; SELECT 'hahaha"  then someone has just
hosed your database...

I think that what Vince was getting at particularly, in replying to my
post suggesting not to use database-level users, was that if you are not
using database level users then there is a greater risk of this being a
problem.  I would tend to dispute that - I think this is a risk
_anytime_.  Paranoia rules.

Think what can happen if (e.g.) someone were to save one of your web
pages locally, edit the values in it (turn the combo boxes or hidden
fields into input fields, or edit the cookies, for example) and submit
crap at your system.  Of _course_ it is a rare person who will do that,
but if there is 1 in 10,000, and if you are vulnerable, it is really
only a matter of time before someone starts playing.

Cheers,
					Andrew.
-- 
--------------------------------------------------------------------
Andrew @ Catalyst .Net.NZ Ltd, PO Box 11-053, Manners St, Wellington
WEB: http://catalyst.net.nz/        PHYS: Level 2, 150-154 Willis St
DDI: +64(4)916-7201    MOB: +64(21)635-694    OFFICE: +64(4)499-2267
       Are you enrolled at http://schoolreunions.co.nz/ yet?



[Index of Archives]     [Postgresql General]     [Postgresql Admin]     [PHP Users]     [PHP Home]     [PHP on Windows]     [Kernel Newbies]     [PHP Classes]     [PHP Databases]     [Yosemite Backpacking]     [Postgresql Jobs]

  Powered by Linux