Re: Is matchExp case insensitive or not?

From: Mike Kienenberger (mkienen..mail.com)
Date: Wed Aug 02 2006 - 09:46:53 EDT

  • Next message: Øyvind Harboe: "Re: Is matchExp case insensitive or not?"

    On 8/2/06, Øyvind Harboe <oyvind.harbo..ylin.com> wrote:
    > > Another possiblity is to use likeIgnoreCaseExp to pull in results, but
    > > then go in and manually filter out anything that's not an exact match
    > > in your code. That's probably the safest bet and the most portable.
    > > Of course, you then have to deal with the possiblity that someone's
    > > password is "%"
    >
    > After good nights sleep I arrived at the same conclusion. I pass the
    > umodified password to likeIgnoreCaseExp and then I do a String compare
    > against the password in the *first* record that matched.
    >
    > I don't care about the case where escape chars used in passwords would
    > cause likeIgnoreCaseExp to not include the record in the query result.
    >
    > The only thing I assume here is that it is safe to pass a string from
    > an attacker to likeIgnoreCaseExp().

    I don't see any security issues. The issue I see is that you may
    get back every single record if their password is the wild card
    symbol.

    Again, if it were me, and I was knowledgable about the specific
    database being used, I'd try to go through and first replace all
    "match everything" wildcard symbols with "match one" wildcard symbols
    to decrease the amount of returned results.

    Ie, for Oracle, if the password specified is "this%one", I would
    change the string to "this_one" before calling likeIgnoreCase.

    I don't understand your comment about comparing against only the first
    result. You'd have to compare until you found a match or until you
    were sure that nothing matched.

    Do you have only a password or also a username? A username/password
    combination match would be far better as you'd likely get far less
    matches.

    Not sure about the possiblity of an escape character making a match
    impossible, but it sounds like you don't care.



    This archive was generated by hypermail 2.0.0 : Wed Aug 02 2006 - 09:47:23 EDT