[thesite] UEUE v.0.2 Update

.jeff jeff at members.evolt.org
Mon Nov 5 21:07:23 CST 2001


matt,

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> From: Warden, Matt
>
> > As it is, anyone given access can run a query and
> > grab any password from the db anyway, right?
>
> Yup. THat's the problem we're trying to solve here.
> Adding a password to the queries just ain't the
> solution.
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

user tries to query the live datasource from a m.e.o. account or from t.e.o.
and gets an error.  user doesn't know the username/password combination for
querying.  tell me how that isn't a solution.

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> > It's one extra level of security
>
> If by "level" you mean that one must go through one
> extra step to gain access to our database, then yes.
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

if the file with the username and password are on w.e.o., i fail to see how
there are *any* steps, short of hacking the box, necessary to access the
database.

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> The benefit of UEUE here is that we could single out
> only the server with UEUE on it and ONLY allow that
> server to access the database with member info.
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

but ueue isn't the only site that needs access to the user/member info.
w.e.o. needs it as well.

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> Then, problem solved. And it can't be circumvented by
> looking at our source code.
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

no, but it can be circumvented by looking at the source code for ueue.  ;p

.jeff

http://evolt.org/
jeff at members.evolt.org
http://members.evolt.org/jeff/






More information about the thesite mailing list