I have observed some security holes in Links SQL v.1.11. I am seeking feedback from other Links SQL users. I know that the new version of Links SQL will contain more robust user features.
The problem I've observed is that when I have tested account creation, logging in, etc., I've noticed that users can add similar usernames, like Elee and elee. Now, I am using Jerry Su's nice modify Mod. When I login using either Elee or elee, I am able to see links I have added for both users. While the query function works relatively fine in terms of whole word searching, it does not seem to take into account case sensitivity.
I have fixed this problem by adding a field in the Users table called UserID, which is auto-incremented. In addition, I have made this field the primary key field and also made the Username field UNIQUE. I had to tweak the DBSQL.pm file a bit to get the sub get_records to identify the UNIQUE field rather than the PRIMARY field to login to the system.
I am a bit concerned about the table structures in terms of normalizing the tables and also ensuring referential integrity of the database.
What do you think? Any comments are welcome.
BTW: This is not to question Alex's logic since the script is wonderful, yet in terms of DB management, there are some issues, which I hope will be addressed in the next version.
Regards,
Eliot Lee
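The schema change described in the post, written out as an added MySQL example (this is not the poster's code and not part of Links SQL). It assumes an InnoDB table so that a FOREIGN KEY is enforced, a case-insensitive default collation (such as latin1_swedish_ci or utf8mb4_general_ci), and made-up column and constraint names (Password, LinkID, URL, uq_users_username, fk_links_user) beyond the Users/Username/UserID names the post mentions:

```sql
-- Added example, not from the original post or from Links SQL.
-- Assumptions: MySQL, InnoDB, case-insensitive (_ci) default collation.
-- Column/constraint names other than Users, Username and UserID are invented.

CREATE TABLE Users (
    UserID   INT UNSIGNED NOT NULL AUTO_INCREMENT,
    Username VARCHAR(30)  NOT NULL,
    Password VARCHAR(60)  NOT NULL,          -- assumed column; store a hash here
    PRIMARY KEY (UserID),
    UNIQUE KEY uq_users_username (Username)  -- one account per name
) ENGINE=InnoDB;

-- Each link belongs to exactly one user. The FOREIGN KEY gives the
-- referential integrity the post asks about: no link may point at a
-- UserID that does not exist, and deleting the user removes its links.
CREATE TABLE Links (
    LinkID  INT UNSIGNED NOT NULL AUTO_INCREMENT,
    UserID  INT UNSIGNED NOT NULL,
    URL     VARCHAR(255) NOT NULL,
    PRIMARY KEY (LinkID),
    KEY idx_links_userid (UserID),
    CONSTRAINT fk_links_user FOREIGN KEY (UserID)
        REFERENCES Users (UserID) ON DELETE CASCADE
) ENGINE=InnoDB;

INSERT INTO Users (Username, Password) VALUES ('Elee', 'placeholder-hash');

-- Under a _ci collation 'elee' compares equal to 'Elee', so the UNIQUE key
-- rejects the second account with error 1062 (Duplicate entry 'elee' ...).
-- Without the UNIQUE key both rows are accepted, which is the situation
-- the post describes.
INSERT INTO Users (Username, Password) VALUES ('elee', 'placeholder-hash');

-- Login: resolve the typed name to a UserID through the unique column
-- (zero or one row), then key everything else on the integer UserID.
-- The case of the typed name can no longer widen the result set to a
-- second user's links, because ownership is by UserID, not by name.
SELECT UserID FROM Users WHERE Username = 'elee';

SELECT l.LinkID, l.URL
FROM Links AS l
WHERE l.UserID = 1;   -- the UserID returned by the lookup above

-- If 'Elee' and 'elee' are meant to be two distinct accounts instead,
-- give the column a binary collation: comparisons (and the UNIQUE key)
-- then become case-sensitive.
-- ALTER TABLE Users MODIFY Username VARCHAR(30)
--     CHARACTER SET utf8mb4 COLLATE utf8mb4_bin NOT NULL;
```

The choice between the two endings is the security-relevant one: with the default case-insensitive collation plus UNIQUE, the second registration is refused, which avoids two accounts whose names differ only in case; with a binary collation both exist but every lookup is exact, so one name never matches the other. Either way the login code should select on the UNIQUE Username column and then carry the UserID, which is what the post's DBSQL.pm tweak to get_records is doing.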