From:Dan Nelson Date:December 12 2001 11:06pm
Subject:Re: No Database Encryption
In the last episode (Dec 12), James McLaughlin said:
> The new programmer for our company is not using the dataType
> "password" or any encryption whatsoever for our user accounts
> (accounts that our customers use for getting into our system) in our
> database.
> Instead he is using the VarChar dataType.
> Can someone explain to me how I can exploit this and show them it is
> very dangerous.

It's only dangerous if a customer can trick your web frontend into
displaying the output of "SELECT * FROM USERS", for example.  If the
frontend only uses hardcoded queries, or quotes every user-supplied
parameter, there's no problem.  In fact, you need the password in
plaintext to support an "I forgot my password; email it to me" feature.

	Dan Nelson
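The "SELECT * FROM USERS" case above is exactly what a salted hash defends against: even if the table is dumped, no customer password appears in it. The following is an added example, not code from the thread or from MySQL; it uses Python's standard library with an in-memory SQLite table as a stand-in for the MySQL users table, and every function and column name in it is an assumption.

```python
import hashlib
import hmac
import secrets
import sqlite3

ITERATIONS = 200_000  # PBKDF2 work factor; raise it as hardware gets faster


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length digest from the password and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def open_db() -> sqlite3.Connection:
    """In-memory stand-in (assumed schema) for the users table discussed above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
    )
    return conn


def create_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    """Store only salt and digest; the plaintext never reaches the table."""
    salt = secrets.token_bytes(16)
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )


def verify_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised lookup (no string-built SQL), then constant-time compare."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))


def plaintext_in_dump(conn: sqlite3.Connection, password: str) -> bool:
    """Simulate the worst case from the thread: does a full-table dump leak it?"""
    dump = repr(conn.execute("SELECT * FROM users").fetchall())
    return password in dump


if __name__ == "__main__":
    db = open_db()
    create_user(db, "alice", "correct horse")      # constructed sample account
    print(verify_login(db, "alice", "correct horse"))  # True
    print(verify_login(db, "alice", "wrong"))          # False
    print(plaintext_in_dump(db, "correct horse"))      # False
```

With this schema the "email me my password" feature cannot exist, since the server no longer holds the password; the usual replacement is a time-limited reset token sent to the customer instead.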