[racket] About security for an input password

From: Neil Van Dyke (neil at neilvandyke.org)
Date: Fri Oct 15 07:54:02 EDT 2010

No, you cannot escape the

scouic wrote at 10/15/2010 07:36 AM:
> As you know, in other languages there exist failures with the security of 
> passwords, for example typing 1OR1 with escaped ' " strings, etc.
[...]
> In my code, I define an admin password (a string), for example with 
> (define admin-pass "foo")
> Then, when I want to execute a protected action, like updating posts, 
> creating, deleting, I have an input field named a-password, and I compare 
> the two passwords:
> (if (equal? a-password admin-pass) (execute-my-code!) (printf "you 
> cannot make this action without admin privilege"))
>
> Is this pseudo code secured, or is it easy to "escape" the 
> password verification and add new posts, delete, etc., without admin 
> privilege?

That Racket example you gave is *not* vulnerable to escaping/quoting 
exploits.

Those exploits generally apply to very bad scripting languages or to 
``SQL injection'' (when the programmer does not properly sanitize 
untrusted input before using it in SQL statements).

If you want to make your code even more professional, store the password 
encrypted: store as an MD5 sum, and compare the MD5s.  That reduces the 
times when the password is stored or transmitted.

Better yet, prepend a seed string (such as the username plus a static 
string like the name of your program) to the password before doing the 
MD5.  This makes it harder for someone to compare passwords within the 
system, and to pre-generate mappings of MD5s to the corresponding 
passwords or ``rainbow tables''.

-- 
http://www.neilvandyke.org/
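The following is an added example, not code from either poster: it shows the two points of the reply in working Racket, using `file/md5` from the standard distribution. First, `equal?` on two strings is a plain byte-for-byte comparison, so quote characters or `1OR1`-style input in `a-password` are just more characters to compare and cannot alter the check. Second, the stored value is a salted MD5 digest of a static program seed plus the username plus the password, as the reply suggests, so the plaintext is never kept. The names `APP-SEED`, `make-password-digest`, `digest=?` and `password-ok?` and the seed value are assumptions of this example. One caveat for current practice: MD5 is a fast general-purpose hash, so a slow, purpose-built password hash (bcrypt, scrypt or Argon2) with a random per-user salt is the better choice today; the structure below stays the same if the digest function is swapped.

```racket
#lang racket
;; Added example (not from the original post): salted MD5 password storage
;; and comparison in the style the reply recommends.
(require file/md5)

;; Static, program-specific seed string as the reply proposes (assumed value).
(define APP-SEED "my-blog-app")

;; Hex MD5 of seed + username + password. md5 returns hex-encoded bytes;
;; we keep it as a string for storage. The plaintext password is not stored.
(define (make-password-digest username password)
  (bytes->string/utf-8
   (md5 (string-append APP-SEED ":" username ":" password))))

;; What the application stores: only the digest, computed once at setup.
(define admin-digest (make-password-digest "admin" "foo"))

;; Length-checked, constant-time string comparison. equal? returns as soon
;; as it finds a differing character, which can leak how much of the digest
;; matched through response timing; XOR-accumulating every character
;; avoids that.
(define (digest=? a b)
  (and (= (string-length a) (string-length b))
       (zero? (for/fold ([acc 0]) ([x (in-string a)] [y (in-string b)])
                (bitwise-ior acc (bitwise-xor (char->integer x)
                                              (char->integer y)))))))

;; The check the protected action performs on the submitted a-password:
;; hash the submission the same way, then compare digests. Whatever quote
;; or "OR" characters the submission contains, it is only ever a string
;; fed to md5; nothing interprets it.
(define (password-ok? username a-password)
  (digest=? (make-password-digest username a-password) admin-digest))

(module+ main
  (printf "correct password:  ~a\n" (password-ok? "admin" "foo"))
  (printf "quote-laden input: ~a\n" (password-ok? "admin" "foo' OR 1"))
  (printf "other username:    ~a\n" (password-ok? "guest" "foo")))
```

Run it with `racket file.rkt`. Because the username is part of the salted input, the same password used by two accounts produces two different digests, which is the "harder to compare passwords within the system" property the reply describes; the static seed defeats precomputed digest tables built without knowledge of that seed.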


Posted on the users mailing list.