09-20-2007, 12:23 PM   #12
Wildhoney

I just constructed the following, which I think would be pretty safe. It's a different way of doing the login and would throw would-be hackers off the trail. If you're expecting a 32-bit string and nothing more, then the substr is a good idea. The advantages of putting the IF statement in the select area are that commenting the rest out would make the query fail, and it also does it differently to how most people would do it, so the hacker may be barking up the wrong tree. However, the disadvantage I see of putting it there is that you can modify the query more if your SQL is still insecure.

Don't get me wrong, I'm not at all averse to the normal way of doing it, as that's no doubt the best way due to the fact that you can't UNION a DELETE onto the end.

Code:
-- Password check placed in the select list rather than in the WHERE clause.
-- @myPass holds the last 32 characters of the MD5 hex digest (an MD5 digest is
-- already 32 hex characters, so SUBSTR(..., -32) keeps the whole digest).
-- Note: MySQL does not define the order in which expressions that assign and
-- read the same user variable are evaluated within a single statement.
SELECT
	@myPass := SUBSTR(MD5('myPassword'), -32),
	IF(password = @myPass, TRUE, FALSE) AS status
FROM
	members
WHERE
	username = 'myUsername';
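The behaviour the post describes, as an added example that is not code from the post or its author: the same "check in the select list" login query is run against an in-memory SQLite table, once with the inputs spliced into the SQL text and once with them bound as parameters, so the three cases the post reasons about can be exercised offline (commenting out the tail from the password position breaks the statement, commenting out the tail from the username position does not log you in, and an attacker who can still rewrite the query gets status = 1 anyway). Assumptions: SQLite stands in for MySQL, so MD5() is registered as a Python function, IF() becomes CASE, and the @myPass variable is inlined; the members table, the single account and the payload strings are all constructed here.

```python
# Added example, not code from the forum post.  Rebuilds the post's
# "password check in the SELECT list" query against SQLite.
# Assumptions (not from the post): SQLite instead of MySQL, so MD5() is a
# registered Python function, IF() is written as CASE, @myPass is inlined,
# and the table, account and payloads below are constructed test data.
import hashlib
import sqlite3


def md5_hex(text: str) -> str:
    """Hex MD5 digest of a string; registered below as the SQL function MD5()."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed test data: one member whose password is stored as MD5 hex."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("MD5", 1, md5_hex)
    conn.execute("CREATE TABLE members (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute(
        "INSERT INTO members VALUES (?, ?)", ("alice", md5_hex("correct horse"))
    )
    return conn


# Same shape as the post's query: the comparison sits in the select list and
# the WHERE clause only selects the row.  {pw} and {user} are filled in either
# with quoted text (insecure) or with "?" placeholders (hardened).
CHECK_SQL = (
    "SELECT CASE WHEN password = SUBSTR(MD5({pw}), -32) THEN 1 ELSE 0 END AS status "
    "FROM members WHERE username = {user}"
)


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Insecure variant: both inputs are spliced into the SQL text."""
    sql = CHECK_SQL.format(pw="'%s'" % password, user="'%s'" % username)
    row = conn.execute(sql).fetchone()
    return bool(row and row[0] == 1)


def login_param(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened variant: identical query, inputs bound as parameters."""
    sql = CHECK_SQL.format(pw="?", user="?")
    row = conn.execute(sql, (password, username)).fetchone()
    return bool(row and row[0] == 1)


def outcome(login, conn: sqlite3.Connection, username: str, password: str) -> str:
    """'granted', 'denied', or 'error' when the assembled SQL no longer parses."""
    try:
        return "granted" if login(conn, username, password) else "denied"
    except sqlite3.OperationalError:
        return "error"


# Constructed payloads for the password position.
# Comments out everything after MD5('x'), leaving CASE/SUBSTR unfinished,
# which is the "commenting the rest out makes the query fail" case.
COMMENT_OUT = "x') --"
# Closes MD5() and SUBSTR() itself and rewrites the CASE so both branches
# yield 1, then comments out the original tail: the query is still valid
# and reports status = 1 for any existing user.
REWRITE_CASE = (
    "x'), -32) THEN 1 ELSE 1 END AS status FROM members WHERE username = 'alice' --"
)

if __name__ == "__main__":
    db = make_db()
    for name, fn in (("concat", login_concat), ("param", login_param)):
        print(name, "valid password:  ", outcome(fn, db, "alice", "correct horse"))
        print(name, "wrong password:  ", outcome(fn, db, "alice", "nope"))
        print(name, "username tail:   ", outcome(fn, db, "alice' --", "nope"))
        print(name, "password tail:   ", outcome(fn, db, "alice", COMMENT_OUT))
        print(name, "rewritten CASE:  ", outcome(fn, db, "alice", REWRITE_CASE))
```

With the concatenated query the comment-out payload produces an "error" outcome and the rewritten CASE produces "granted"; with bound parameters both are plain wrong passwords and come back "denied", which is the point the post makes about the approach only being as safe as the SQL around it.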