Re: Is this a security issue

Posted by Bill Karwin on 08/22/06 22:52

Ignoramus20689 wrote:
>> I'd also be worried because it looks like they are storing passwords in
>> clear text. They should store a hash of the password and compare the
>> hash of what the user enters to what's stored in the database.
>
> Also true. Possibly useful for "I lost my password" situations though,
> though there are better ways to handle that.

Right; the better way is to reset the password to something new and
random if a user forgets it. That way one doesn't need to keep it
stored in clear text.

> I hope that my post is not wrongly misinterpreted as an attack on php,
> as same mistakes are done with perl as well.

Yes, and any other language too! That includes Java, and Ruby, so
zealots of those languages need not respond claiming that their language
solves everything! ;-)

> (though use of
> pre-prepared statements could help in the case of perl, but dumb
> programmers would not be likely to use that feature).

PHP4's mysql interface does not support prepared statements. PHP5
supports prepared statements through the new mysqli interface. So it's
not necessarily that the programmers are dumb. They may be constrained
to use PHP4. Many hosting providers do not support a PHP5 environment.

For the benefit of readers who aren't familiar with prepared statements
-- these allow you to send values to the SQL query via parameters,
instead of interpolating them into the SQL statement string. Using
statement parameters in this way reduces vulnerability to SQL injection.

And to Chung Leong: right, PHP5's mysqli supports executing multiple
statements, while the older mysqli interface does not.

Anyway, whether to email the people who run the site... tough call. It
could fall into the category of "who asked you?" but on the other hand,
spreading awareness of web security is a good thing. You could tell
them they've lost a potential customer -- you aren't going to use their
service because it's obviously not trustworthy!

Regards,
Bill K.
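The two points Bill makes (parameters instead of interpolation, and a salted hash plus a random reset instead of clear-text passwords) side by side, as an added example that is not part of the original thread. It uses Python's standard-library sqlite3 in place of PHP's mysqli, and the user names, passwords and crafted input are constructed samples.

```python
import hashlib, hmac, os, secrets, sqlite3

def make_db():
    """In-memory SQLite table standing in for the site's users table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn

def hash_password(password, salt):
    # PBKDF2-HMAC-SHA256; the iteration count is an assumption, tune for your hardware
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def set_password(conn, name, password):
    """Store only a per-user salt and hash, never the clear-text password."""
    salt = os.urandom(16)
    conn.execute("INSERT OR REPLACE INTO users VALUES (?, ?, ?)",
                 (name, salt, hash_password(password, salt)))

def find_user_interpolated(conn, name):
    """The pattern warned about above: the value is spliced into the SQL string."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]

def find_user_parameterized(conn, name):
    """Prepared statement: the value travels as a parameter and is never parsed as SQL."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]

def check_password(conn, name, password):
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(hash_password(password, row[0]), row[1])

def reset_password(conn, name):
    """'I lost my password': issue a fresh random one; there is no clear text to hand back."""
    new_password = secrets.token_urlsafe(12)
    set_password(conn, name, new_password)
    return new_password

def demo():
    conn = make_db()
    set_password(conn, "alice", "correct horse")
    set_password(conn, "bob", "battery staple")
    crafted = "nobody' OR '1'='1"  # constructed input, not a real user name
    return {"interpolated": find_user_interpolated(conn, crafted),   # every user leaks
            "parameterized": find_user_parameterized(conn, crafted), # no such user
            "good_login": check_password(conn, "alice", "correct horse"),
            "bad_login": check_password(conn, "alice", "wrong"),
            "after_reset": check_password(conn, "bob", reset_password(conn, "bob"))}
```

The interpolated lookup returns both rows for the crafted name because the quote closes the string literal, while the parameterized lookup returns nothing, which is exactly the difference the post describes.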
