Gossamer Forum

Security, Normalization, Referential Integrity

I have observed some security holes in Links SQL v.1.11. I am seeking feedback from other Links SQL users. I know that the new version of Links SQL will contain more robust user features.

The problem I've observed is that when I have tested account creation, logging in, etc., I've noticed that users can add similar usernames, like Elee and elee. Now, I am using Jerry Su's nice modify Mod. When I login using either Elee or elee, I am able to see links I have added for both users. While the query function works relatively fine in terms of whole word searching, it does not seem to take into account case sensitivity.

I have fixed this problem by adding a field in the Users table called UserID, which is auto-incremented. In addition, I have made this field the primary key field and also made the Username field UNIQUE. I had to tweak the DBSQL.pm file a bit to get the sub get_records to identify the UNIQUE field rather than the PRIMARY field to login to the system.

I am a bit concerned about the table structures in terms of normalizing the tables and also ensuring referential integrity of the database.

What do you think? Any comments are welcome.

BTW: This is not to question Alex's logic since the script is wonderful, yet in terms of DB management, there are some issues, which I hope will be addressed in the next version.

Regards,

Eliot Lee

Re: Security, Normalization, Referential Integrity
The simplest fix was just to make the names case-insensitive.

Don't allow users to insert the name MaDog if magdog already exists.

Better to put the locks up front, than try to trap the intruder after entry.

http://www.postcards.com
FAQ: http://www.postcards.com/FAQ/LinkSQL/

Re: Security, Normalization, Referential Integrity
Thanks for the comments, pugdog. Yet from a user standpoint that may not be the most effective fix. That is why I added UserID as the primary key that is auto-incremented. I did try your suggestion a week ago, by using case sensitive codes for the username when it is added, although there were some incidents of bypassing the checks and some usernames created were case sensitive.

Regards,

Eliot Lee
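The schema change Eliot describes (an auto-incremented UserID as the primary key, Username made UNIQUE, links tied to the user id) together with pugdog's point that the lock belongs at insertion time, as an added example that is not code from Links SQL or from either poster. Table and column names are assumed, and SQLite stands in for MySQL; the duplicate-name and dangling-link rejections come from the database constraints, not from application checks that can be bypassed.

```python
import sqlite3

# Constructed schema (assumed table and column names; sqlite3 stands in for
# MySQL): a surrogate auto-incremented UserID as primary key, Username UNIQUE
# under a case-insensitive collation so that 'Elee' and 'elee' collide, and
# Links referencing Users by UserID for referential integrity.
SCHEMA = """
CREATE TABLE Users (
    UserID   INTEGER PRIMARY KEY AUTOINCREMENT,
    Username TEXT NOT NULL UNIQUE COLLATE NOCASE
);
CREATE TABLE Links (
    LinkID INTEGER PRIMARY KEY AUTOINCREMENT,
    UserID INTEGER NOT NULL REFERENCES Users(UserID),
    URL    TEXT NOT NULL
);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces foreign keys only when enabled
    conn.executescript(SCHEMA)
    return conn

def create_user(conn, username):
    """Insert a user; return the new UserID, or None if the name is already taken in any case."""
    try:
        cur = conn.execute("INSERT INTO Users (Username) VALUES (?)", (username,))
    except sqlite3.IntegrityError:  # the UNIQUE index rejects the duplicate up front
        return None
    return cur.lastrowid

def find_user(conn, username):
    """Resolve a login name to its UserID; under NOCASE, 'Elee' and 'elee' are one account."""
    row = conn.execute("SELECT UserID FROM Users WHERE Username = ?", (username,)).fetchone()
    return row[0] if row else None

def add_link(conn, user_id, url):
    """Attach a link to a user; return False if UserID does not exist (foreign key violation)."""
    try:
        conn.execute("INSERT INTO Links (UserID, URL) VALUES (?, ?)", (user_id, url))
    except sqlite3.IntegrityError:
        return False
    return True

def links_for(conn, user_id):
    """Links belong to the numeric UserID, so a second spelling of the name cannot see them."""
    return [r[0] for r in conn.execute("SELECT URL FROM Links WHERE UserID = ?", (user_id,))]
```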