I disagree on point 1.  If you warn your members that their password is
insecure, and if you e-mail out passwords anyway, there's no reason
not to have a secure password.  Many people I know use an insecure
password for many things, from silly required free registration sites
(go ahead, break into my Washington Post account) to other services
not important to them.

But do I really care if someone ganks my wikipedia password?

If you're a bank, sure, encrypt.  Or if you have important data.  But
it's not a hard and fast rule.

In fact, I'd venture to say "don't use hard and fast rules."  THINK
about your situation, and if it makes sense.  Does using SSL make
sense?  Does using encryption make sense?

-Sheeri

On 5/10/06, Johan Lundqvist <[EMAIL PROTECTED]> wrote:
Hi Dave,

1st: Never, never, never store passwords in plain text!! Just don't do
it. Store a hash of the password (ie md5 or something else).

2nd: Never pass any input from the Internet directly into a query
without first checking it for sql injection.

Take a look at Wikipedia article for a brief explanation and several
links to further info.
http://en.wikipedia.org/wiki/SQL_injection

/Johan


Critters wrote:
> Hi
> A user was able to log into my site using:
> 1' and '1' or '1
> in the username and password box.
>
> I ran the query
>
> SELECT * FROM members WHERE name = '1' and '1' or '1' AND password = '1' and '1' or '1'
>
> And it returned all rows. Can someone explain to me why this happens, and if the steps I took (replacing the ' with a blank space when the user submits the login form) are enough to prevent a similar "hack"
>
> Appreciate any feedback.
> --
> Dave

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:    http://lists.mysql.com/[EMAIL PROTECTED]
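As an added example (not code from any of the posters), here is Dave's query reproduced against an in-memory SQLite table, next to the two fixes Johan recommends: a parameterised query and a stored password hash. The `members` table, its `name`/`password` columns and the two sample rows are constructed for the demo; PBKDF2 is my choice for the hash (Johan mentions md5), and the payload string is the one from Dave's message.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional

# The exact string Dave reported typing into both the username and password box.
PAYLOAD = "1' and '1' or '1"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$hash_hex' using salted PBKDF2-HMAC-SHA256.

    Johan's advice is to store a hash instead of the plain text; a salted,
    iterated hash is the modern form of that advice (assumption: my choice).
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def setup_db() -> sqlite3.Connection:
    """Constructed sample 'members' table (table/column names assumed from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO members VALUES (?, ?)",
        [("alice", hash_password("correct horse")),
         ("bob", hash_password("hunter2"))],
    )
    return conn


def vulnerable_login(conn: sqlite3.Connection, user: str, pw: str) -> List[tuple]:
    """Builds the query by string concatenation, as Dave's site did.

    With PAYLOAD in both fields the SQL text becomes
      ... WHERE name = '1' and '1' or '1' AND password = '1' and '1' or '1'
    AND binds tighter than OR, so the WHERE clause groups as
      (name='1' AND '1') OR ('1' AND password='1' AND '1') OR '1'
    and the trailing OR '1' is true for every row, which is why all rows come back.
    """
    sql = f"SELECT name FROM members WHERE name = '{user}' AND password = '{pw}'"
    return conn.execute(sql).fetchall()


def safe_login(conn: sqlite3.Connection, user: str, pw: str) -> Optional[str]:
    """Parameterised lookup plus hash verification.

    The user's input is bound as a value and never spliced into the SQL text,
    so quote characters in it are just characters; the password is checked
    against the stored hash in Python rather than compared inside the query.
    """
    rows = conn.execute(
        "SELECT name, password FROM members WHERE name = ?", (user,)
    ).fetchall()
    if len(rows) != 1:
        return None
    name, stored = rows[0]
    return name if verify_password(pw, stored) else None


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable:", vulnerable_login(db, PAYLOAD, PAYLOAD))  # both members
    print("safe:", safe_login(db, PAYLOAD, PAYLOAD))              # None
    print("safe:", safe_login(db, "alice", "correct horse"))      # alice
```

Binding the values with `?` answers Dave's second question as well: once the input is no longer part of the SQL text there is nothing to strip or escape, so the quote-replacement step becomes unnecessary rather than something whose completeness has to be argued about.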
