Benjamin Pflugmann wrote:
> On Sun, Jul 04, 1999 at 07:48:39PM +0200, m.ramsch@stripped wrote:
> > Hello,
> > I have a DB user "userlookup" which only has the SELECT priviledge on
> > the columns mysql.user.user and mysql.user.password.
> > My question is:
> > Is it possible to restrict access to _only_ the field "User"
> > while using other fields in the WHERE clause?
> > Example:
> > SELECT User From user WHERE User='abc' AND Password=PASSWORD('xyz')
> > The contents of the password field never should be output, but used
> > internally for the right selection.
> > My rationale is that I'd like to have a kind of an "access right" to
> > the password field while denying read access of the whole column.
> Hm. Correct me, if I am wrong, but you would just make it a little bit
> harder to find out the value of password, but it is still relatively
> easy. With this kind of access restriction you can figure out the
> value of a password field by doing some selects. Or did I miss your
> point and the purpose of your suggestion is security by obscurity?
> I know, it could be done better, but it can be done with about 100
> selects: You can figure out each character position in a maximum of
> int(ln(26+10)/ln(2))+1 tries. The value of the password columns has a
> length of 16 characters and seems to only use 0-9a-z (=10+26), which
> would make 96 tries (the calculation is not exact, so don't bother).
> This could be done by doing something like
> SELECT User From user WHERE User='abc' AND Password >= 'n';
> if you get no records back, use
> SELECT User From user WHERE User='abc' AND Password >= 'h';
> SELECT User From user WHERE User='abc' AND Password >= 't';
> and so on (you got the idea...)
> This can be further improved to need less queries (you can run it
> partially parallel for several users, improve the algorithm and so
You are a true hacker! The difference between a true hacker and a
wannabe is that while the wannabe will be satisfied with just
discovering the exploit, the true hacker will want to optimize it :-)