I disagree on point 1. If you warn your members that their password is
insecure, and if you e-mail out passwords anyway, there's no reason
not to have a secure password. Many people I know use an insecure
password for many things, from silly required free registration sites
(go ahead, break into my Washington Post account) to other services
not important to them.
But do I really care if someone ganks my Wikipedia password?
If you're a bank, sure, encrypt. Or if you have important data. But
it's not a hard and fast rule.
In fact, I'd venture to say "don't use hard and fast rules." THINK
about your situation, and if it makes sense. Does using SSL make
sense? Does using encryption make sense?
On 5/10/06, Johan Lundqvist <johan@stripped> wrote:
> Hi Dave,
> 1st: Never, never, never store passwords in plain text!! Just don't do
> it. Store a hash of the password (i.e. md5 or something else).
> 2nd: Never pass any input from the Internet directly into a query
> without first checking it for sql injection.
> Take a look at the Wikipedia article for a brief explanation and several
> links to further info.
> Critters wrote:
> > Hi
> > A user was able to log into my site using:
> > 1' and '1' or '1
> > in the username and password box.
> > I ran the query
> > SELECT * FROM members WHERE name = '1' and '1' or '1' AND password = '1' and '1' or '1'
> > And it returned all rows. Can someone explain to me why this happens, and if the
> > steps I took (replacing the ' with a blank space when the user submits the login form) are
> > enough to prevent a similar "hack"?
> > Appreciate any feedback.
> > --
> > Dave
> MySQL General Mailing List
> For list archives: http://lists.mysql.com/mysql
> To unsubscribe: http://lists.mysql.com/mysql?unsub=1
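The query Dave quoted above, next to the parameterized lookup and hashed storage Johan recommends, as an added example that is not part of the thread; it uses an in-memory SQLite table with two constructed accounts in place of Dave's MySQL schema, and salted PBKDF2 in place of md5.

```python
import hashlib
import hmac
import os
import sqlite3

# The exact text Dave reported typing into both login fields.
INJECTED = "1' and '1' or '1"


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-SHA256 from the stdlib, a modern substitute for the
    unsalted md5 mentioned in the thread; stored as 'salt$digest'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$")
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)


def build_db() -> sqlite3.Connection:
    """Constructed in-memory `members` table (SQLite, not Dave's MySQL schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)",
                     [(n, hash_password(p)) for n, p in [("alice", "s3cret"), ("bob", "hunter2")]])
    return conn


def vulnerable_login(conn: sqlite3.Connection, name: str, password: str) -> int:
    """The concatenated query from the thread; returns the number of rows matched.
    AND binds tighter than OR, so the injected text turns the WHERE clause into
    (name='1' AND '1') OR ('1' AND password='1' AND '1') OR '1', and the trailing
    OR '1' is true for every row."""
    sql = f"SELECT * FROM members WHERE name = '{name}' AND password = '{password}'"
    return len(conn.execute(sql).fetchall())


def safe_login(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Parameterized lookup: the driver sends the name as data, never as SQL,
    and the password is checked against the stored hash in application code."""
    row = conn.execute("SELECT password FROM members WHERE name = ?", (name,)).fetchone()
    return row is not None and verify_password(password, row[0])
```

With the injected string in both fields, `vulnerable_login` matches both constructed rows while `safe_login` matches none; only the real credentials pass the parameterized, hash-checked path.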