At 10:34 PM 07/13/2001 -0400, fliptop wrote:
>Curtis Poe wrote:
>>
>> There are other reasons, too. Just today, I was asked to break
>> a version of a Web site we were about to publicly release.
>> It took me 5 minutes to find a security hole and demonstrate
>> that I could execute any arbitrary SQL against our database by
>> passing it through the URL (it's easier than one might think
>> for many sites). Fortunately, that stopped this code from
>> moving out, but the programmer who wrote the code explained
>> that hackers would first have to know the names of the tables
>> they were affecting and thus, things were secure.
>
>that sounds more like an excuse than an explanation.

Let there be one mantra that ALL programmers must repeat to themselves
over and over again until they go insane:

"Security through obscurity is NO security at all"

Aloha,
mel

--
mel matsuoka                    Hawaiian Image Productions
Chief Executive Alphageek       (vox)1.808.531.5474
[EMAIL PROTECTED]               (fax)1.808.526.4040