Re: Designing a forum - general design logic question
A minor insecurity:
INSERT ... SHA1('fantasticfour')
passes the password across the network in 'plaintext'. That is, a serious hacker could "sniff packets" and see the pwd. You could validly argue that this application does need to worry that much about security.
An alternative is to do the SHA1 in your code (PHP or whatever) and pass only the resulting hex string between PHP and the database:
$hex = sha1($_POST['pwd']);
INSERT INTO ... VALUES (... '$hex' ...)
and
// $pwd holds the result of: SELECT pwd FROM Users WHERE userid = '...'
if ($pwd == sha1($_POST['pwd'])) { /* login is ok */ } else { /* ... */ }
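The contrast the post draws, carried through end to end as an added example (not code from the original post, whose own snippets are PHP/MySQL). It uses an in-memory SQLite database, emulates MySQL's SHA1() with hashlib because SQLite has no such function, and uses the sqlite3 trace callback as a stand-in for a packet sniffer on the database connection: anything that shows up in the traced statements would also be on an unencrypted MySQL socket. The user names, the "fantasticfour" sample password and the WireTap helper are constructed for the example. It also does the comparison with a constant-time compare rather than PHP's ==, for the reason given in the comment; and note that an unsalted SHA1, whether computed in SQL or in PHP, is cheap to crack offline once an attacker reads the table, so for real password storage a salted, slow password hash is the better choice.

```python
"""Hash in SQL vs hash in application code: what the database connection sees.

Added example, not from the original post. Uses an in-memory SQLite database
and Python's sqlite3 trace callback as a stand-in for sniffing the PHP<->MySQL
link. SQLite has no SHA1(), so MySQL's SHA1() is emulated with hashlib.
"""
import hashlib
import hmac
import sqlite3

PLAINTEXT = "fantasticfour"  # constructed sample password, borrowed from the post


def open_db():
    conn = sqlite3.connect(":memory:")
    # Emulate MySQL's SHA1(str) -> 40-char lowercase hex (SQLite has no SHA1()).
    conn.create_function("SHA1", 1, lambda s: hashlib.sha1(s.encode("utf-8")).hexdigest())
    conn.execute("CREATE TABLE Users (userid TEXT PRIMARY KEY, pwd TEXT NOT NULL)")
    return conn


class WireTap:
    """Records every SQL statement the engine receives after it is attached.

    Stand-in for a packet sniffer on the database connection (constructed
    helper): anything in these strings would also be visible on an
    unencrypted MySQL socket.
    """

    def __init__(self, conn):
        self.statements = []
        conn.set_trace_callback(self.statements.append)

    def saw(self, needle):
        return any(needle in s for s in self.statements)


def register_hash_in_sql(conn, userid, password):
    """The post's first pattern: the plaintext is part of the SQL text itself.

    Deliberately mirrors INSERT ... SHA1('fantasticfour'). Building SQL text
    from user input like this is also injection-prone, a second reason to
    avoid it; the userid is bound only so the insecure part stays isolated.
    """
    conn.execute(
        f"INSERT INTO Users (userid, pwd) VALUES (?, SHA1('{password}'))", (userid,)
    )


def register_hash_in_app(conn, userid, password):
    """The post's alternative: hash in the application, send only the hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest()
    conn.execute("INSERT INTO Users (userid, pwd) VALUES (?, ?)", (userid, digest))
    return digest


def login_hash_in_app(conn, userid, password):
    """Compare the stored digest with the digest of the submitted password.

    hmac.compare_digest is a constant-time string compare. The PHP equivalent
    is hash_equals(), not ==: PHP's == treats two numeric-looking strings such
    as '0e123' and '0e456' as equal (both evaluate to 0), and a hex digest can
    occasionally take that shape.
    """
    row = conn.execute("SELECT pwd FROM Users WHERE userid = ?", (userid,)).fetchone()
    if row is None:
        return False
    candidate = hashlib.sha1(password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(row[0], candidate)


def demo(password=PLAINTEXT):
    """Run both patterns and report what the 'wire' saw and whether login works."""
    sql_side = open_db()
    tap_sql = WireTap(sql_side)
    register_hash_in_sql(sql_side, "alice", password)

    app_side = open_db()
    tap_app = WireTap(app_side)
    register_hash_in_app(app_side, "alice", password)

    stored_sql = sql_side.execute("SELECT pwd FROM Users WHERE userid = 'alice'").fetchone()[0]
    stored_app = app_side.execute("SELECT pwd FROM Users WHERE userid = 'alice'").fetchone()[0]
    return {
        "sql_side_wire_shows_plaintext": tap_sql.saw(password),
        "app_side_wire_shows_plaintext": tap_app.saw(password),
        # Both patterns store the same 40-char hex, so switching needs no data migration.
        "stored_values_identical": stored_sql == stored_app,
        "login_correct_pwd": login_hash_in_app(app_side, "alice", password),
        "login_wrong_pwd": login_hash_in_app(app_side, "alice", "wrong"),
        "login_unknown_user": login_hash_in_app(app_side, "mallory", password),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the plaintext in the traced INSERT for the SQL-side pattern and never in the traced statements for the app-side pattern, while both rows end up holding the same hex digest. The trace callback only shows what reaches the engine; on a real deployment the HTTP leg between the browser and PHP carries the plaintext too, so it needs TLS regardless of which side computes the hash.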
Posted May 27, 2012 09:26AM