Wednesday, 26 May 2010

Response to Solar Designer's MoPS submission

A great write-up about the gotchas of implementing user authentication and user management for PHP/web applications, especially because he explains why things should be done a certain way. The one aspect I find missing is why it is important to construct the credential verification logic (in particular) as a combination of application logic and database query, instead of combining everything into a single SQL query. I have seen constructs like

SELECT uid FROM users WHERE username='foo' AND password='bar'
(or any derivative that includes the hashed and/or stretched password value). The application logic would then only use the returned record to obtain the uid of the (assumed to be correctly authenticated) user. The core problem is that this approach combines user record loading and user authentication into one operation (and also offloads the authentication decision to the database). By separating the credential verification into two parts, one handled by the SQL layer and the other handled by the application logic, it becomes harder for an attacker to mount an attack on the authentication logic by exploiting a vulnerability in the SQL layer (assuming that whatever target the attacker is after cannot be accomplished by exploiting such an SQL layer vulnerability directly).
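The two-step design argued for above, as an added example that is not code from the post or from the MoPS submission: the SQL layer only loads the record for a username, and the application logic alone decides whether the password matches. It assumes an SQLite table with per-user salt and a PBKDF2 hash (the constant-time comparison is an addition of this example, not something the post discusses).

```python
import hashlib
import hmac
import os
import sqlite3


def setup_db():
    # Constructed in-memory user table for the example.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT UNIQUE,"
               " salt BLOB, pwhash BLOB)")
    return db


def hash_password(password, salt, rounds=100_000):
    # Salted and stretched hash; PBKDF2-SHA256 stands in for whatever scheme
    # the application actually uses (an assumption of this example).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def add_user(db, username, password):
    salt = os.urandom(16)
    db.execute("INSERT INTO users (username, salt, pwhash) VALUES (?, ?, ?)",
               (username, salt, hash_password(password, salt)))
    db.commit()


def login_separated(db, username, password):
    # Step 1 (SQL layer): load the record for this username only. Contrast
    # with "SELECT uid ... WHERE username=? AND password=?", where the row
    # coming back IS the authentication decision.
    row = db.execute("SELECT uid, salt, pwhash FROM users WHERE username=?",
                     (username,)).fetchone()
    if row is None:
        return None
    uid, salt, stored = row
    # Step 2 (application logic): the credential is verified here, so a row
    # returned by the database never authenticates anyone by itself.
    if hmac.compare_digest(hash_password(password, salt), stored):
        return uid
    return None
```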

Posted by Jürgen Pabel on 26 May 2010 at 20:57
