Yes, these things can be solved by various security measures, but the point is that they aren't in a lot of companies' IT setups; that's one of the reasons their sites get hacked.
I don't think https helps with the "forgot my password" hack. It all starts with a hacker filling in a bogus email address in the password request form and appending a quote to the end of it. As long as that makes it to the server, and if the server isn't programmed correctly to handle invalid email addresses, the hacker is in business.

Pete
lcSQL Software <http://www.lcsql.com>
Home of lcStackBrowser <http://www.lcsql.com/lcstackbrowser.html> and SQLiteAdmin <http://www.lcsql.com/sqliteadmin.html>

On Sat, Apr 11, 2015 at 8:41 AM, Dr. Hawkins <[email protected]> wrote:

> On Sat, Apr 11, 2015 at 8:27 AM, Peter Haworth <[email protected]> wrote:
>
> > SQL injection attacks alter the SQL statements sent by a valid user so the
> > attacker doesn't need to know a username/password.
>
> But they would need the encryption key, too.
>
> mySQL *can* be set to take only secure connections, can't it? Postgres
> can, but runrev inexplicably hasn't seen fit to add the line of code to
> allow this connection to be made; only for mySQL
>
> > Even more scary is how hackers can get into a system using an "I forgot my
> > password" form with SQL injection, lots of examples on the web.
>
> But https solves that, doesn't it?
>
> --
> Dr. Richard E. Hawkins, Esq.
> (702) 508-8462
>
> _______________________________________________
> use-livecode mailing list
> [email protected]
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
