In the last episode (Dec 12), James McLaughlin said:
> The new programmer for our company is not using the dataType
> "password" or any encryption whatsoever for our user accounts
> (accounts that our customers use for getting into our system) in our
> database.
> 
> Instead he is using the VarChar dataType.
> 
> Can someone explain to me how I can exploit this and show them it is
> very dangerous.  

It's only dangerous if a customer can trick your web frontend into
displaying the output of "SELECT * FROM USERS", for example.  If the
frontend only uses hardcoded queries, or quotes every user-supplied
parameter, there's no problem.  In fact, you need the password in
plaintext to support a "I forgot my password; email it to me" feature.


-- 
        Dan Nelson
        [EMAIL PROTECTED]
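The question in the thread is how customer passwords should live in a plain VarChar column. The following is an added example, not code from either poster: it keeps the column a VARCHAR but stores a per-user salted PBKDF2 hash instead of the plaintext, verifies logins against that hash, and implements "I forgot my password" with a short-lived, single-use reset token (only the token's SHA-256 is stored) so the feature never needs the plaintext. The in-memory SQLite schema, the iteration count, the token lifetime and the sample user are constructed for this example.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time
from typing import Optional

# Constructed stand-in for the USERS table from the thread (assumption: SQLite in
# memory instead of MySQL). The password column is still a VARCHAR, but it holds a
# salted hash, so the output of "SELECT * FROM USERS" reveals no passwords.
SCHEMA = """
CREATE TABLE users (
    username      VARCHAR(64) PRIMARY KEY,
    password      VARCHAR(255) NOT NULL,   -- 'pbkdf2_sha256$iters$salt_hex$hash_hex'
    reset_token   VARCHAR(64),             -- SHA-256 of the reset token, never the token
    reset_expires INTEGER                  -- unix timestamp after which the token is dead
);
"""

ITERATIONS = 100_000   # assumption: example value; tune upward for real hardware
RESET_TTL = 15 * 60    # assumption: seconds a reset token remains valid


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing hash string that fits in the VARCHAR column."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def create_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    # Parameterised query: the user-supplied values never touch the SQL text.
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                 (username, hash_password(password)))


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute("SELECT password FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        hash_password(password)  # burn the same time so a missing user is not obvious
        return False
    return verify_password(password, row[0])


def begin_reset(conn: sqlite3.Connection, username: str,
                now: Optional[int] = None) -> Optional[str]:
    """'I forgot my password': return a one-time token to e-mail instead of the password."""
    now = now if now is not None else int(time.time())
    token = secrets.token_urlsafe(32)
    cur = conn.execute(
        "UPDATE users SET reset_token = ?, reset_expires = ? WHERE username = ?",
        (hashlib.sha256(token.encode()).hexdigest(), now + RESET_TTL, username))
    return token if cur.rowcount == 1 else None


def finish_reset(conn: sqlite3.Connection, username: str, token: str,
                 new_password: str, now: Optional[int] = None) -> bool:
    """Accept the token once, within its lifetime, and replace the stored hash."""
    now = now if now is not None else int(time.time())
    row = conn.execute("SELECT reset_token, reset_expires FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None or row[0] is None or row[1] < now:
        return False
    if not hmac.compare_digest(row[0], hashlib.sha256(token.encode()).hexdigest()):
        return False
    conn.execute("UPDATE users SET password = ?, reset_token = NULL, reset_expires = NULL "
                 "WHERE username = ?", (hash_password(new_password), username))
    return True


if __name__ == "__main__":
    db = open_db()
    create_user(db, "alice", "correct horse")      # constructed sample user
    print(db.execute("SELECT password FROM users").fetchone()[0])  # hash, not plaintext
    print(login(db, "alice", "correct horse"), login(db, "alice", "wrong"))
    t = begin_reset(db, "alice")
    print(finish_reset(db, "alice", t, "new pw"), login(db, "alice", "new pw"))
```

The stored string carries its own algorithm, iteration count and salt, so the column can later hold hashes produced with a stronger setting without a schema change, and verification reads those parameters back rather than assuming them. The reset token is compared by hash so that the same database dump that cannot yield passwords cannot yield usable reset links either.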

---------------------------------------------------------------------
Before posting, please check:
   http://www.mysql.com/manual.php   (the manual)
   http://lists.mysql.com/           (the list archive)

To request this thread, e-mail <[EMAIL PROTECTED]>
To unsubscribe, e-mail <[EMAIL PROTECTED]>
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php