In the last episode (Dec 12), James McLaughlin said:
> The new programmer for our company is not using the dataType
> "password" or any encryption whatsoever for our user accounts
> (accounts that our customers use for getting into our system) in our
> database.
>
> Instead he is using the VarChar dataType.
>
> Can someone explain to me how I can exploit this and show them it is
> very dangerous.
It's only dangerous if a customer can trick your web frontend into displaying the output of "SELECT * FROM USERS", for example. If the frontend only uses hardcoded queries, or quotes every user-supplied parameter, there's no problem. In fact, you need the password in plaintext to support an "I forgot my password; email it to me" feature.

-- 
Dan Nelson
[EMAIL PROTECTED]
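The alternative the original poster is asking about, shown as an added example that is not part of this thread and not the company's code: passwords stored as salted PBKDF2 hashes in a users table, a login check against the hash, and a one-time reset token in place of the "email me my password" feature. The table is an in-memory sqlite3 stand-in for the MySQL table so the script runs offline; the column names, the sample user and the PBKDF2 work factor are assumptions. With this layout a full "SELECT * FROM users" dump yields salts and hashes but no password text, which is the property the poster wants to demonstrate to the new programmer.

```python
import hashlib
import hmac
import os
import secrets
import sqlite3

# Assumed PBKDF2 work factor; tune upward as hardware allows.
ITERATIONS = 200_000


def create_db():
    """Constructed in-memory stand-in for the MySQL users table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE users (
               username         TEXT PRIMARY KEY,
               salt             BLOB NOT NULL,
               pw_hash          BLOB NOT NULL,
               reset_token_hash BLOB)"""
    )
    return db


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; the plaintext never reaches the table."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def add_user(db, username, password):
    salt = os.urandom(16)  # per-user random salt defeats precomputed tables
    db.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )
    db.commit()


def check_login(db, username, password):
    row = db.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Do the same amount of work for an unknown user so timing does not
        # reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


def dump_users(db):
    """What an attacker sees if 'SELECT * FROM users' is ever displayed."""
    return db.execute("SELECT * FROM users").fetchall()


def plaintext_in_dump(db, password):
    """True if the password text appears anywhere in a full-table dump."""
    return any(
        password == col or (isinstance(col, bytes) and password.encode() in col)
        for row in dump_users(db)
        for col in row
    )


def issue_reset_token(db, username):
    """Replacement for 'email me my password': a one-time token, stored hashed
    so a table dump does not hand out live reset links either."""
    if db.execute("SELECT 1 FROM users WHERE username = ?", (username,)).fetchone() is None:
        return None
    token = secrets.token_urlsafe(32)
    db.execute(
        "UPDATE users SET reset_token_hash = ? WHERE username = ?",
        (hashlib.sha256(token.encode()).digest(), username),
    )
    db.commit()
    return token  # this is what gets mailed to the customer


def reset_password(db, username, token, new_password):
    row = db.execute(
        "SELECT reset_token_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None or row[0] is None:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), row[0]):
        return False
    salt = os.urandom(16)  # fresh salt on every password change
    db.execute(
        "UPDATE users SET salt = ?, pw_hash = ?, reset_token_hash = NULL "
        "WHERE username = ?",
        (salt, hash_password(new_password, salt), username),
    )
    db.commit()
    return True


if __name__ == "__main__":
    db = create_db()
    add_user(db, "alice", "correct horse")  # constructed sample account
    print("login ok:", check_login(db, "alice", "correct horse"))
    print("plaintext visible in dump:", plaintext_in_dump(db, "correct horse"))
    print("dump rows:", dump_users(db))
```

The parameterised queries (the `?` placeholders) are the "quotes every user-supplied parameter" part of the reply done by the driver rather than by hand; the hashing is what limits the damage if that quoting ever fails.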