Postgres Pro
Downloads
Home   >   mailing lists

Re: WWW-Authentication and Postgresql - Mailing list pgsql-php

From Andrew McMillan
Subject Re: WWW-Authentication and Postgresql
Date
Msg-id 1009443251.14763.6.camel@kant.mcmillan.net.nz
Whole thread Raw
In response to Re: WWW-Authentication and Postgresql  ("Stephan Borg" <wolff_borg@yahoo.com.au>)
Responses Re: WWW-Authentication and Postgresql  (Vince Vielhaber <vev@michvhf.com>)
List pgsql-php
Tree view 
On Thu, 2001-12-27 at 16:00, Stephan Borg wrote:
> I have found the mod_auth_pgsql module to be the easiest way to
> implement this function. Does anyone know if it takes the points
> mentioned below into consideration?
>
> Stephan
>
> -----Original Message-----
> From: Vince Vielhaber [mailto:vev@michvhf.com]
> Sent: Wednesday, 26 December 2001 2:25 PM
> To: Andrew McMillan
> Cc: Stephan Borg; pgsql-php@postgresql.org
> Subject: Re: [PHP] WWW-Authentication and Postgresql
> <snip>
> A couple of quick gotchas.  1) make sure you filter out all unwanted
> characters so someone can't execute sql calls inside of a username or
> password.  2) On failure make sure you send a 401 to the browser just
> like you do initially when asking for the password to clear out the old
> one - you can also use this to handle logouts.

These points don't really relate so much to authentication - they are
much more related to when you construct SQL calls.  Remember: the
browser is an untrusted client.

For example, if you trust someone to enter a value into a field which is
a single character, and you then construct a query:

"SELECT * FROM my_table WHERE my_field = '$unsafe_value';"

If $unsafe_value is "X" then all is well and good, but if $unsafe_value
is "X'; DROP TABLE my_table; SELECT 'hahaha"  then someone has just
hosed your database...

I think that what Vince was getting at particularly, in replying to my
post suggesting not to use database-level users, was that if you are not
using database level users then there is a greater risk of this being a
problem.  I would tend to dispute that - I think this is a risk
_anytime_.  Paranoia rules.

Think what can happen if (e.g.) someone were to save one of your web
pages locally, edit the values in it (turn the combo boxes or hidden
fields into input fields, or edit the cookies, for example) and submit
crap at your system.  Of _course_ it is a rare person who will do that,
but if there is 1 in 10,000, and if you are vulnerable, it is really
only a matter of time before someone starts playing.

Cheers,
                    Andrew.
--
--------------------------------------------------------------------
Andrew @ Catalyst .Net.NZ Ltd, PO Box 11-053, Manners St, Wellington
WEB: http://catalyst.net.nz/        PHYS: Level 2, 150-154 Willis St
DDI: +64(4)916-7201    MOB: +64(21)635-694    OFFICE: +64(4)499-2267
       Are you enrolled at http://schoolreunions.co.nz/ yet?

pgsql-php by date:

Previous
From: "Stephan Borg"
Date:
Subject: Re: WWW-Authentication and Postgresql
Next
From: Vince Vielhaber
Date:
Subject: Re: WWW-Authentication and Postgresql