At 02:00 PM 3/16/2001 -0600, you wrote:
>First, I would NOT store passwords in a database.  Rather, I'd store a hash
>based upon the password and username.  Storing a password is dangerous as
>regards security.

Just to be a little picky and *not* to start an argument (discussion yes), 
this really depends on the application, don't you think?   If you are not 
using a secure web server and you are not doing anything particularly 
sensitive, I do not see a problem with plain text passwords.  Hashing them 
means you have to come up with an alternative system for dealing with lost 
passwords, which is probably just as likely to be a problem as having plain 
text passwords in the first place.  If you are not using a secure server 
you are still transmitting plain text values over the net, so at best this 
seems a false sense of security.

If this is an e-commerce setup then I agree, go for the "hash" but if it is 
just a little community site or something, is the loss of usability (i.e. 
easy password recovery) worth the hassle for users and admins?  I have been 
wrestling with this a lot lately and am still not convinced that for a 
simple application this is justified. Can you suggest a reason why I should 
rethink this?

>Finally, as far as a query:
>   SELECT * FROM mytable WHERE access <= $level;

Now this is just nitpicking but the above query could lead someone to 
create a security problem (since that is what we are concerned about 
here).  I think a better example would be something like:

// %d formats $level as an integer, so only a number can reach the query.
$query = sprintf("SELECT mytable.cola, mytable.colb, mytable.colc FROM mytable WHERE access <= %d", $level);

This way, nothing can be slipped into the query via "$level".

Cheers

-----------------------------------------------------------------------------
Island Net AMT Solutions Group Inc.          Telephone:          250 383-0096
1412 Quadra                                  Toll Free:        1 800 331-3055
Victoria, B.C.                               Fax:                250 383-6698
V8W 2L1                                      E-Mail:    [EMAIL PROTECTED]
Canada                                       WWW:   http://www.islandnet.com/
-----------------------------------------------------------------------------
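
Since the thread weighs hashing against the cost of a lost-password system, here is an added example (not from the original message or the list) that puts the two together in modern PHP, along with the access query as a prepared statement; it assumes PDO over SQLite and the table and column names shown.

```php
<?php
// Added example, not from the original thread: hashed-password storage on PDO/SQLite, the
// "lost password" case handled with a one-time reset token, and the access query bound as
// an integer parameter. Table and column names are assumed for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pwhash TEXT NOT NULL, reset_hash TEXT, reset_expires INTEGER)');
$db->exec('CREATE TABLE mytable (cola TEXT, colb TEXT, colc TEXT, access INTEGER)');

// Registration: only a salted hash is stored; the password itself is never written.
function register(PDO $db, string $name, string $password): void {
    $st = $db->prepare('INSERT INTO users (name, pwhash) VALUES (?, ?)');
    $st->execute([$name, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: verify against the stored hash; no plaintext copy is ever needed.
function login(PDO $db, string $name, string $password): bool {
    $st = $db->prepare('SELECT pwhash FROM users WHERE name = ?');
    $st->execute([$name]);
    $hash = $st->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// Lost password: nothing can be mailed back, so issue a random short-lived token,
// store only its hash, and let the caller deliver the token to the user out of band.
function beginReset(PDO $db, string $name): string {
    $token = bin2hex(random_bytes(16));
    $st = $db->prepare('UPDATE users SET reset_hash = ?, reset_expires = ? WHERE name = ?');
    $st->execute([hash('sha256', $token), time() + 3600, $name]);
    return $token;
}

// Redeem the token once: check expiry, compare in constant time, then clear it.
function finishReset(PDO $db, string $name, string $token, string $newPassword): bool {
    $st = $db->prepare('SELECT reset_hash, reset_expires FROM users WHERE name = ?');
    $st->execute([$name]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['reset_hash'] === null || $row['reset_expires'] < time()
        || !hash_equals($row['reset_hash'], hash('sha256', $token))) {
        return false;
    }
    $st = $db->prepare('UPDATE users SET pwhash = ?, reset_hash = NULL, reset_expires = NULL WHERE name = ?');
    $st->execute([password_hash($newPassword, PASSWORD_DEFAULT), $name]);
    return true;
}
// The access query from the thread, with $level bound as an integer parameter.
function rowsAtOrBelow(PDO $db, $level): array {
    $st = $db->prepare('SELECT cola, colb, colc FROM mytable WHERE access <= :level');
    $st->bindValue(':level', (int) $level, PDO::PARAM_INT);
    $st->execute();
    return $st->fetchAll(PDO::FETCH_ASSOC);
}
```

A reset flow like this is what replaces "mail the password back": the user proves they hold the token, and the old password is never recoverable by anyone, admins included.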


-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
