pete at lcsql.com
Sat Apr 11 18:19:41 CEST 2015
Yes, these things can be solved by various security measures, but the point
is that they aren't in a lot of companies' IT setups; that's one of the
reasons their sites get hacked.
I don't think https helps with the "forgot my password" hack. It all
starts with a hacker filling in a bogus email address in the password
request form and appending a quote to the end of it. As long as that makes
it to the server, and if the server isn't programmed correctly to handle
invalid email addresses, the hacker is in business.
lcSQL Software <http://www.lcsql.com>
Home of lcStackBrowser <http://www.lcsql.com/lcstackbrowser.html> and
On Sat, Apr 11, 2015 at 8:41 AM, Dr. Hawkins <dochawk at gmail.com> wrote:
> On Sat, Apr 11, 2015 at 8:27 AM, Peter Haworth <pete at lcsql.com> wrote:
> > SQL injection attacks alter the SQL statements sent by a valid user so the
> > attacker doesn't need to know a username/password.
> But they would need the encryption key, too.
> mySQL *can* be set to take only secure connections, can't it? Postgres
> can, but runrev inexplicably hasn't seen fit to add the line of code to
> allow this connection to be made; only for mySQL
> > Even more scary is how hackers can get into a system using a "I forgot my
> > password" form with SQL injection, lots of examples on the web.
> But https solves that, doesn't it?
> Dr. Richard E. Hawkins, Esq.
> (702) 508-8462
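As an added illustration of the "forgot my password" scenario Peter describes (this is example code, not from the thread or from LiveCode), the snippet below models the e-mail lookup behind such a form in Python with sqlite3. The users table, the two addresses and the reset tokens are constructed for the example. `lookup_vulnerable` builds the query by string concatenation, so a trailing quote in the submitted address reaches the SQL parser and produces an error, and `' OR '1'='1` returns every row; `lookup_safe` passes the value as a bound parameter and returns nothing for either input.

```python
import sqlite3

# Constructed sample data for the example; not real accounts.
SAMPLE_USERS = [
    ("alice@example.com", "tok-alice-1"),
    ("bob@example.com", "tok-bob-2"),
]


def make_db():
    """Create an in-memory users table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, reset_token TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, email):
    """The form handler as Peter describes it: the submitted address is
    concatenated straight into the SQL text, so quotes in it become syntax."""
    sql = "SELECT email, reset_token FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Parameterized version: the driver sends the value separately from the
    statement, so a quote in the address is just a character in a string."""
    sql = "SELECT email, reset_token FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def probe(conn, lookup, email):
    """Run one lookup and report ('rows', [...]) or ('error', message).
    The error branch is what a verbose error page would leak to the attacker."""
    try:
        return ("rows", lookup(conn, email))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    # Step 1 of the attack: a bogus address with a quote appended.
    print(probe(db, lookup_vulnerable, "nobody@example.com'"))
    # Step 2: once the error confirms the input reaches SQL unescaped,
    # a condition that is always true returns every user's reset token.
    print(probe(db, lookup_vulnerable, "x' OR '1'='1"))
    # The parameterized lookup treats both inputs as literal addresses.
    print(probe(db, lookup_safe, "nobody@example.com'"))
    print(probe(db, lookup_safe, "x' OR '1'='1"))
```

Note that nothing in this exchange depends on the transport: TLS delivers the quoted string to the server byte for byte, so the fix is in how the handler builds the statement (and in not echoing database errors back to the browser), not in the connection.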