Re: WWW-Authentication and Postgresql
| From | Vince Vielhaber |
|---|---|
| Subject | Re: WWW-Authentication and Postgresql |
| Date | |
| Msg-id | Pine.BSF.4.40.0112271045060.36020-100000@paprika.michvhf.com |
| In reply to | Re: WWW-Authentication and Postgresql (Andrew McMillan <andrew@catalyst.net.nz>) |
| Replies | Re: WWW-Authentication and Postgresql |
| List | pgsql-php |
On 27 Dec 2001, Andrew McMillan wrote:

> > <snip>
> > A couple of quick gotchas. 1) make sure you filter out all unwanted
> > characters so someone can't execute sql calls inside of a username or
> > password. 2) On failure make sure you send a 401 to the browser just
> > like you do initially when asking for the password to clear out the old
> > one - you can also use this to handle logouts.
> <snip>
> I think that what Vince was getting at particularly, in replying to my
> post suggesting not to use database-level users, was that if you are not
> using database level users then there is a greater risk of this being a
> problem. I would tend to dispute that - I think this is a risk
> _anytime_. Paranoia rules.

Nope, all I was saying was to filter out all input from the browser. You
don't want any apostrophes, or probably anything other than a-z, A-Z, 0-9.
And to use the 401 to clear out failures.

Vince.

--
==========================================================================
Vince Vielhaber -- KA8CSH    email: vev@michvhf.com    http://www.pop4.net
56K Nationwide Dialup from $16.00/mo at Pop4 Networking
Online Campground Directory    http://www.camping-usa.com
Online Giftshop Superstore     http://www.cloudninegifts.com
==========================================================================
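As an added example, not code from the thread: a PHP page that applies both gotchas with HTTP Basic auth against PostgreSQL. The table app_users, its columns and the PGSQL_DSN string are assumptions; it goes slightly beyond the message by also passing the username as a bound parameter and comparing the password against a stored hash instead of restricting its characters.

```php
<?php
// Added example, not from the original thread: HTTP Basic auth against
// PostgreSQL following the two gotchas above. Assumes (hypothetical) a table
// app_users(username text primary key, password_hash text) filled with
// password_hash() output, and a connection string in PGSQL_DSN.
const PGSQL_DSN = 'host=localhost dbname=app user=webapp'; // assumed
const REALM     = 'Members Only';

// Gotcha 2: a 401 with WWW-Authenticate makes the browser prompt again and
// forget the credentials it cached, so the same response doubles as logout.
function send_401(string $realm): void
{
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    header('HTTP/1.0 401 Unauthorized');
    echo "Authorization required\n";
    exit;
}

// Gotcha 1: the username comes straight from the browser, so accept only the
// characters Vince lists (a-z, A-Z, 0-9); anything else is rejected as null.
function clean_username(?string $raw): ?string
{
    return ($raw !== null && preg_match('/^[A-Za-z0-9]{1,32}$/', $raw)) ? $raw : null;
}

// The password is never spliced into SQL: it is compared in PHP against the
// stored hash, and the username travels as a bound parameter, so the
// whitelist above is defence in depth rather than the only guard.
function check_login(string $username, string $password): bool
{
    $db = pg_connect(PGSQL_DSN);
    if ($db === false) {
        return false;
    }
    $res = pg_query_params($db,
        'SELECT password_hash FROM app_users WHERE username = $1', [$username]);
    $row = $res ? pg_fetch_assoc($res) : false;
    pg_close($db);
    return $row !== false && password_verify($password, $row['password_hash']);
}

// Any failure, and an explicit ?logout=1, re-issues the 401 to clear the old login.
$user = clean_username($_SERVER['PHP_AUTH_USER'] ?? null);
$pass = $_SERVER['PHP_AUTH_PW'] ?? '';
if (($_GET['logout'] ?? '') === '1' || $user === null || !check_login($user, $pass)) {
    send_401(REALM);
}
echo 'Welcome, ' . htmlspecialchars($user) . "\n";
```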