Re: Is matchExp case insensitive or not?

From: Øyvind Harboe (oyvind.harbo..ylin.com)
Date: Wed Aug 02 2006 - 03:17:15 EDT

    On 8/2/06, Tore Halset <halse..vv.ntnu.no> wrote:
    > On Aug 2, 2006, at 8:09, Øyvind Harboe wrote:
    >
    > > The only thing I assume here is that it is safe to pass a string from
    > > an attacker to likeIgnoreCaseExp().
    >
    > It should be safe as cayenne uses prepared statement, but some
    > jdbc-drivers have had security holes even for prepared statement. Typically
    > drivers that expand the prepared statement on the client side and
    > pass it on as a non-prepared statement.
    >
    > Storing clear text password in the database is almost never a good
    > solution. I mostly store a sha-1 of the password.

    This is used code that needs to be bug by bug compatible. Fun, isn't it? :-)

    -- 
    Øyvind Harboe
    http://www.zylin.com
    


