[stamp] Re: Random user running "database_setup.php"

  • From: Brandon Ripley <Brandon.Ripley@xxxxxxxxxx>
  • To: "'stamp@xxxxxxxxxxxxx'" <stamp@xxxxxxxxxxxxx>
  • Date: Thu, 23 Feb 2006 08:21:50 -0600

Only someone with admin level >= 2 will be able to do anything on the admin
page. The idea is that this person set up the database and knows how to go
into MySQL and look up the passwords anyway and could really bypass any of
our security. Any other users could try to run database_setup, but after it
has been run once, the script won't do anything. We will know it was run
once if the teamRobot table already has passwords.
 
Brandon

  _____  

From: Steven Buss [mailto:steven.buss@xxxxxxxxx] 
Sent: Thursday, February 23, 2006 8:13 AM
To: stamp@xxxxxxxxxxxxx
Subject: [stamp] Re: Random user running "database_setup.php"


What's to stop anyone from looking up any team's password?  How is that
going to be managed?


On 2/23/06, Brandon Ripley <Brandon.Ripley@xxxxxxxxxx> wrote:

Once we add the function "lookup team password" to the admin page, we should
change database_setup.php so it can only be run once to display passwords,
i.e. if passwords exist, don't reprint them.

-----Original Message-----
From: Jeremy Johnson [mailto:mias88@xxxxxxxxx]
Sent: Thursday, February 23, 2006 7:29 AM
To: stamp@xxxxxxxxxxxxx
Subject: [stamp] Re: Random user running "database_setup.php"

Yes, they will.  For testing purposes I did not add a restriction on when
the team passwords, although that should not be so hard to implement.  I will
work on that.
-Jeremy
On 2/23/06, Erik Thulin <ethulin@xxxxxxxxx> wrote:
> What if a random user runs "database_setup.php", will they see the 
> team passwords?
>
>  - Erik
>






-- 
Steven Buss
steven.buss@xxxxxxxxx
PHP/MySQL programmer 
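
Added example (not code from this thread or from the project): one way to implement the run-once behaviour discussed above, where the script does nothing once the teamRobot table already has passwords. The column names, the runSetupOnce() helper, the in-memory SQLite database standing in for MySQL, and storing only a hash of each password (so a later lookup cannot reveal it) are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed schema (not from the thread): teamRobot(teamNumber, passwordHash).
// Returns [teamNumber => password] on the first run, [] on every later run.
function runSetupOnce(PDO $db): array
{
    // Guard from the thread: setup has run if any team already has a password.
    $done = (int) $db->query(
        'SELECT COUNT(*) FROM teamRobot WHERE passwordHash IS NOT NULL'
    )->fetchColumn();
    if ($done > 0) {
        return [];
    }

    $teams = $db->query('SELECT teamNumber FROM teamRobot')->fetchAll(PDO::FETCH_COLUMN);
    // The IS NULL condition repeats the guard inside the write, so a request
    // racing this one cannot overwrite a password that was already issued.
    $set = $db->prepare(
        'UPDATE teamRobot SET passwordHash = :h WHERE teamNumber = :t AND passwordHash IS NULL'
    );
    $issued = [];
    $db->beginTransaction();
    try {
        foreach ($teams as $team) {
            $password = bin2hex(random_bytes(8)); // 16 hex characters from the CSPRNG
            $set->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':t' => $team]);
            if ($set->rowCount() === 1) {         // report only what this call wrote
                $issued[$team] = $password;
            }
        }
        $db->commit();
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
    return $issued;
}

// Constructed demo data; in-memory SQLite stands in for the project's MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE teamRobot (teamNumber INTEGER PRIMARY KEY, passwordHash TEXT)');
$db->exec('INSERT INTO teamRobot (teamNumber) VALUES (101), (102), (103)');

$first  = runSetupOnce($db);
$second = runSetupOnce($db);
printf("first run issued %d passwords, second run issued %d\n", count($first), count($second));
```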
