Re: WWW-Authentication and Postgresql




On 27 Dec 2001, Andrew McMillan wrote:

> > <snip>
> > A couple of quick gotchas.  1) make sure you filter out all unwanted
> > characters so someone can't execute sql calls inside of a username or
> > password.  2) On failure make sure you send a 401 to the browser just
> > like you do initially when asking for the password to clear out the old
> > one - you can also use this to handle logouts.

<snip>

> I think that what Vince was getting at particularly, in replying to my
> post suggesting not to use database-level users, was that if you are not
> using database level users then there is a greater risk of this being a
> problem.  I would tend to dispute that - I think this is a risk
> _anytime_.  Paranoia rules.

Nope, all I was saying was to filter out all input from the browser.
You don't want any apostrophes, or probably anything other than a-z,
A-Z, 0-9, and to use the 401 to clear out failures.

Vince.
-- 
==========================================================================
Vince Vielhaber -- KA8CSH    email: vev@xxxxxxxxxxx    http://www.pop4.net
         56K Nationwide Dialup from $16.00/mo at Pop4 Networking
        Online Campground Directory    http://www.camping-usa.com
       Online Giftshop Superstore    http://www.cloudninegifts.com
==========================================================================
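The two points made in this thread (whitelist credentials to a-z, A-Z, 0-9 so no SQL can ride inside a username or password, and resend a 401 on failure so the browser drops its cached Basic credentials), as an added example that is not code from the original posts. It uses Python's in-memory sqlite3 as a stand-in for PostgreSQL (an assumption; the query pattern is the same), a constructed one-row user table, and puts the splice-credentials-into-SQL pattern the post warns about next to the hardened version that also binds values as parameters.

```python
import re
import sqlite3

# The whitelist from the post: nothing but a-z, A-Z, 0-9 in a username or password.
CREDENTIAL_RE = re.compile(r"[A-Za-z0-9]+")


def is_clean(value: str) -> bool:
    """True only if value is non-empty and contains just a-z, A-Z, 0-9."""
    return CREDENTIAL_RE.fullmatch(value) is not None


def make_db() -> sqlite3.Connection:
    """Constructed sample data; sqlite3 stands in for PostgreSQL here (assumption).
    Plaintext passwords only mirror the thread's setup, not a recommendation."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hunter2')")
    conn.commit()
    return conn


def login_concatenated(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The pattern the post warns against: browser input spliced into SQL text.
    An apostrophe in either value changes the statement instead of the data."""
    sql = ("SELECT 1 FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened: reject anything outside the whitelist, then bind the values as
    parameters so the driver never treats them as SQL."""
    if not (is_clean(username) and is_clean(password)):
        return False
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def challenge_headers(realm: str) -> list:
    """Raw header lines for the 401 the post says to send on failure (and for
    logout): the browser discards the cached Basic credentials and prompts again."""
    return ["HTTP/1.0 401 Unauthorized",
            'WWW-Authenticate: Basic realm="%s"' % realm]
```

Even with the whitelist in place, parameter binding is what keeps a quote character from ever reaching the SQL parser, so the two checks belong together rather than as alternatives.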




