On Thu, 2001-12-27 at 16:00, Stephan Borg wrote:
> I have found the mod_auth_pgsql module to be the easiest way to
> implement this function. Does anyone know if it takes the points
> mentioned below into consideration?
>
> Stephan
>
> -----Original Message-----
> From: Vince Vielhaber [mailto:vev@xxxxxxxxxxx]
> Sent: Wednesday, 26 December 2001 2:25 PM
> To: Andrew McMillan
> Cc: Stephan Borg; pgsql-php@xxxxxxxxxxxxxx
> Subject: Re: [PHP] WWW-Authentication and Postgresql
> <snip>
> A couple of quick gotchas. 1) make sure you filter out all unwanted
> characters so someone can't execute sql calls inside of a username or
> password. 2) On failure make sure you send a 401 to the browser just
> like you do initially when asking for the password to clear out the old
> one - you can also use this to handle logouts.

These points don't really relate so much to authentication - they are much
more related to when you construct SQL calls.

Remember: the browser is an untrusted client.

For example, if you trust someone to enter a value into a field which is a
single character, and you then construct a query:

  "SELECT * FROM my_table WHERE my_field = '$unsafe_value';"

If $unsafe_value is "X" then all is well and good, but if $unsafe_value is
"X'; DROP TABLE my_table; SELECT 'hahaha" then someone has just hosed your
database...

I think that what Vince was getting at particularly, in replying to my post
suggesting not to use database-level users, was that if you are not using
database-level users then there is a greater risk of this being a problem.

I would tend to dispute that - I think this is a risk _anytime_. Paranoia
rules.

Think what can happen if (e.g.) someone were to save one of your web pages
locally, edit the values in it (turn the combo boxes or hidden fields into
input fields, or edit the cookies, for example) and submit crap at your
system.

Of _course_ it is a rare person who will do that, but if there is 1 in
10,000, and if you are vulnerable, it is really only a matter of time
before someone starts playing.

Cheers,
                    Andrew.
--
--------------------------------------------------------------------
Andrew @ Catalyst .Net.NZ Ltd, PO Box 11-053, Manners St, Wellington
WEB: http://catalyst.net.nz/            PHYS: Level 2, 150-154 Willis St
DDI: +64(4)916-7201    MOB: +64(21)635-694    OFFICE: +64(4)499-2267
      Are you enrolled at http://schoolreunions.co.nz/ yet?
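The query from Andrew's mail, run both ways as an added example (not code from the thread or from mod_auth_pgsql): Python with an in-memory SQLite database standing in for PostgreSQL, and the two $unsafe_value strings from the mail as constructed inputs. The statement splitter shows exactly where the stray quote closes the literal, and the parameter-bound version is the fix that makes the filtering question moot.

```python
import sqlite3
# Constructed sample values: the benign and the hostile input quoted in Andrew's mail.
BENIGN = "X"
HOSTILE = "X'; DROP TABLE my_table; SELECT 'hahaha"

def build_query_unsafe(value: str) -> str:
    """Pastes the value into the SQL text, as the mail's "$unsafe_value" string does."""
    return f"SELECT * FROM my_table WHERE my_field = '{value}';"

def split_statements(sql: str) -> list[str]:
    """Splits on ';' outside single-quoted literals; shows how a quote in the value closes
    the literal early and lets extra statements in ('' inside a literal is an escaped quote)."""
    stmts, buf, in_literal, i = [], [], False, 0
    while i < len(sql):
        ch = sql[i]
        if ch == "'" and in_literal and sql[i + 1:i + 2] == "'":
            ch, i = "''", i + 1       # escaped quote stays inside the literal
        elif ch == "'":
            in_literal = not in_literal
        if ch == ";" and not in_literal:
            stmts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    tail = "".join(buf).strip()
    return stmts + [tail] if tail else stmts

def fresh_db() -> sqlite3.Connection:
    """In-memory SQLite standing in for PostgreSQL; the quoting mechanics are the same."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE my_table (my_field TEXT)")
    conn.execute("INSERT INTO my_table VALUES ('X')")
    return conn

def table_exists(conn: sqlite3.Connection) -> bool:
    return conn.execute("SELECT 1 FROM sqlite_master WHERE name = 'my_table'").fetchone() is not None

def run_unsafe(value: str) -> bool:
    """Runs the interpolated text as a multi-statement batch; returns whether my_table survived."""
    conn = fresh_db()
    conn.executescript(build_query_unsafe(value))
    return table_exists(conn)

def run_safe(value: str) -> tuple[int, bool]:
    """Parameter binding: the value travels separately from the SQL, so its quotes are data."""
    conn = fresh_db()
    rows = conn.execute("SELECT * FROM my_table WHERE my_field = ?", (value,)).fetchall()
    return len(rows), table_exists(conn)
```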