[racket] About security for an input password
No, you cannot escape the
scouic wrote at 10/15/2010 07:36 AM:
> As you know, in other languages there are password-security failures, for
> example typing 1OR1 with escaped ' " strings, etc.
[...]
> In my code, I define an admin password (a string), for example with
> (define admin-pass "foo")
> Then, when I want to execute a protected action, like updating posts,
> creating, deleting, I have an input field named a-password, and I compare
> the two passwords:
> (if (equal? a-password admin-pass) (execute-my-code!) (printf "you
> cannot make this action without admin privilege"))
>
> Is this pseudo code secure, or is it easy to "escape" the password
> verification and add new posts, delete, etc., without admin privilege?
That Racket example you gave is *not* vulnerable to escaping/quoting
exploits.
Those exploits generally apply to very bad scripting languages or to
``SQL injection'' (when the programmer does not properly sanitize
untrusted input before using it in SQL statements).
If you want to make your code even more professional, store the password
encrypted: store it as an MD5 sum, and compare the MD5s. That reduces the
times when the password is stored or transmitted.
Better yet, prepend a seed string (such as the username plus a static
string like the name of your program) to the password before doing the
MD5. This makes it harder for someone to compare passwords within the
system, and to pre-generate mappings of MD5s to the corresponding
passwords or ``rainbow tables''.
--
http://www.neilvandyke.org/
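As an added example, not code from the original thread: the seed-then-hash scheme the reply describes, written out in Racket with the checks a practitioner would want. It assumes Racket 6.3 or later (for crypto-random-bytes from racket/random); the names hash-password, bytes-ct=? and admin-password-ok? are chosen here. Two things go beyond the reply: the seed is a per-user random salt rather than the username-plus-program-name string, and the digest comparison is constant-time so response timing does not reveal how many leading bytes matched. MD5 is kept only because it is what the reply describes; it is a fast hash and therefore cheap to brute-force, so new code should substitute a deliberately slow password hash (bcrypt, scrypt or Argon2) at the same call site.

```racket
#lang racket/base
;; Added example, not from the original thread: seed + hash + compare,
;; with a per-user random salt and a constant-time digest comparison.
(require file/md5        ; (md5 bytes) -> hex-encoded digest as bytes
         racket/random)  ; crypto-random-bytes, Racket 6.3+ (assumed)

;; The reply suggests seeding with the username plus a program name.
;; Here the seed is 16 random bytes per user (assumption, generalizes it).
(define (make-salt) (crypto-random-bytes 16))

;; hash-password : bytes bytes -> bytes
;; MD5 as in the reply. Fast hashes are cheap to brute-force; replace this
;; one line with bcrypt/scrypt/Argon2 in new code.
(define (hash-password salt password)
  (md5 (bytes-append salt password)))

;; bytes-ct=? : bytes bytes -> boolean
;; OR together the XOR of every byte pair so the loop always runs to the end;
;; an early-exit equal? would leak how many leading bytes matched.
(define (bytes-ct=? a b)
  (and (= (bytes-length a) (bytes-length b))
       (zero? (for/fold ([acc 0])
                        ([x (in-bytes a)] [y (in-bytes b)])
                (bitwise-ior acc (bitwise-xor x y))))))

;; What is stored instead of the plaintext admin password: salt and digest.
(define admin-salt (make-salt))
(define admin-hash (hash-password admin-salt #"foo")) ; "foo" as in the question

;; admin-password-ok? : string -> boolean
;; a-password is the untrusted form field. It is only ever hashed and
;; compared, never evaluated, quoted or spliced into anything, which is why
;; the quoting tricks from the question have nothing to act on.
(define (admin-password-ok? a-password)
  (bytes-ct=? (hash-password admin-salt (string->bytes/utf-8 a-password))
              admin-hash))

(module+ main
  ;; Constructed inputs: the real password, a wrong one, an injection-style
  ;; string and the empty string. Only the first is accepted.
  (for ([attempt '("foo" "bar" "' OR 1=1 --" "")])
    (printf "~s -> ~a\n"
            attempt
            (if (admin-password-ok? attempt) "admin" "denied"))))
```

Run it with `racket` on the file; the `main` submodule prints one line per constructed attempt. Storing salt plus digest covers the "stored" half of the reply's point; the "transmitted" half still depends on the form being submitted over TLS, since the server must receive the plaintext to hash it.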