Ansgar Burchardt wrote:
> Thomas Goirand <[email protected]> writes:
> 
>> Ansgar Burchardt wrote:
>>> DTC only allows the use of alphanumeric characters in passwords.  It
>>> also limits passwords to a maximum length of 16 characters.  These
>>> limitations do prevent the use of strong passwords that include special
>>> characters like "!$.,;:".
>> The control over the password function is made as follows:
>>
>> function isDTCPassword($pass){
>>         $reg = "^([a-zA-Z0-9]){4,16}\$";
>>         if(!ereg($reg,$pass))   return false;
>>         else                    return true;
>> }
>>
>> This should be a password that is MySQL safe, because no further testing
>> is made on it. E.g., no single quote or things like this that could
>> interfere with a MySQL query. If you mind providing a new regular
>> expression, I will commit the change.
> 
> There are two easy things to do: a) just save a (salted) hash of the
> password (for the same reasons that /etc/shadow only saves hashes of
> passwords), and b) use parameter binding for SQL statements so that one
> does not have to worry about escaping anything at all.  I believe even
> PHP supports this for several years now.

Thanks for the ideas but...

This is not what I've been asking for. If you want this to be done, then
please provide a new regular expression; otherwise, I'll set this bug
entry as wishlist and forget about it...

Doing what you ask for b) is unrealistic considering the current code
base, and could potentially lead to very serious security issues. a) is
unrelated to my request.

Anyway, thanks again for your time filling this bug entry and replying
to me.

Thomas
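The two measures Ansgar names in the quoted reply (store only a salted hash, bind SQL parameters) are shown below as an added example. This is not DTC's code and does not use DTC's schema: the `users` table, the in-memory SQLite database and the sample credentials are constructed for the demo. It also shows the kind of replacement check a permissive policy implies: once the password never reaches the SQL text and only its hash is stored, the check only needs to enforce a length range, so characters like `!$.,;:` and quotes are no longer a problem.

```php
<?php
// Added example, not DTC code: length-only password policy, salted hash at
// rest, and parameter binding so the password is never part of the SQL text.

// Replacement for an alphanumeric whitelist: enforce a length range and
// reject control characters; everything printable (including !$.,;:'") passes.
// The bounds are assumptions for the demo, not DTC's policy.
function isStrongEnoughPassword(string $pass, int $min = 8, int $max = 128): bool
{
    $len = strlen($pass);
    if ($len < $min || $len > $max) {
        return false;
    }
    return preg_match('/^[^\p{Cc}]+$/u', $pass) === 1;
}

function storeUser(PDO $db, string $login, string $pass): void
{
    if (!isStrongEnoughPassword($pass)) {
        throw new InvalidArgumentException('password does not meet the length policy');
    }
    // Salted hash (bcrypt by default); password_hash() generates and embeds the salt.
    $hash = password_hash($pass, PASSWORD_DEFAULT);
    // Parameter binding: values travel separately from the statement, so quotes
    // or semicolons in $login or $hash cannot change the query's structure.
    $stmt = $db->prepare('INSERT INTO users (login, pass_hash) VALUES (:login, :hash)');
    $stmt->execute([':login' => $login, ':hash' => $hash]);
}

function checkLogin(PDO $db, string $login, string $pass): bool
{
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() re-derives the hash with the stored salt and compares
    // it in constant time; the plaintext is never stored or compared directly.
    return $row !== false && password_verify($pass, $row['pass_hash']);
}

// Self-contained demo on an in-memory SQLite database (constructed schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (login TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');

$secret = 'c0rrect\'h0rse;!$.,;:';            // constructed sample with quote and specials
storeUser($db, 'alice', $secret);
var_dump(checkLogin($db, 'alice', $secret));  // bool(true)
var_dump(checkLogin($db, 'alice', 'wrong'));  // bool(false)
var_dump(isStrongEnoughPassword('abc'));      // bool(false): too short
```

Run it with `php example.php` on any PHP build with the `pdo_sqlite` extension (PHP 5.5 or later for `password_hash`). The same `prepare`/`execute` pattern works unchanged against MySQL through `PDO` with a `mysql:` DSN; only the connection string and the `CREATE TABLE` statement differ.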



