
Re: Validating username password from web page

From: Sybrand Bakker <postbus_at_sybrandb.demon.nl>
Date: Sat, 30 Oct 1999 13:01:26 GMT
Message-ID: <381aeb0e.27356213@news.demon.nl>


On 30 Oct 1999 11:33:25 GMT, "Mike Jones" <Mike_at_mikejones.fsnet.co.uk> wrote:

>I'm currently working on a project to connect an Oracle 7.3.4 DB to an
>Intranet.
>
>The intranet server connects in via an ODBC DSN and so has a username and
>password specified for it. However anyone accessing the page should have a
>normal Oracle log in to the DB and I need to validate this so that the web
>page can decide what Info to give the user.
>
>Due to the newness of all this (I've never done web based stuff before) we
>are trying to limit the web page to only issuing SELECT statements.
>
>As such I was going to create a stored function that took in a
>username/password and returned either the access level they have or false
>depending on whether that was allowed. This seems sensible to me.
>
>However, although I can get the encrypted password from DBA_USERS I don't
>know how I can encrypt the password given to check against the one in
>DBA_USERS. I thought I might be able to create a new user with the same
>password given and then check it that way, but Oracle seems to use the
>username in the encryption algorithm and so I'm stuffed there too.
>
>Can anyone help me?
>
>mijones_at_hof.co.uk
>
>

Evidently one option is to modify/set the DSN properly, with the username and password specified by the operator. Connecting through a DSN is a normal connect request, so gets validated through the dictionary. I don't know what you really want to do more than this, unless you are setting up extra authentication processes.

I once saw someone checking the password by issuing an ALTER USER statement changing the password in itself. He would first select the encrypted string, then change the password, then select the encrypted string and compare. Personally this looks to me a very bad idea, because if your password is wrong the second time (i.e. after a successful connect) you will lose access to the database.

Hth,

Sybrand Bakker, Oracle DBA

Received on Sat Oct 30 1999 - 08:01:26 CDT
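The first option in the reply above (let Oracle validate the login by connecting as that user), sketched as an added example that is not part of the original posts. The role names, `ROLE_LEVELS`, `access_level` and the fake driver are hypothetical, and `connect` is assumed to be any DB-API connect callable that accepts an ODBC connection string.

```python
# Added example: check a login by connecting as that user, never by reading
# DBA_USERS. `connect` is any DB-API connect callable that accepts an ODBC
# connection string (assumption); role names below are hypothetical.

class InvalidLogin(Exception):
    """The database (or our input check) rejected the credentials."""

ROLE_LEVELS = {"INTRANET_ADMIN": 2, "INTRANET_READER": 1}  # hypothetical roles

def access_level(connect, dsn, username, password):
    """Return the user's access level, or raise InvalidLogin."""
    # Conservative input check: characters that are special in an ODBC
    # connection string could smuggle in extra attributes.
    if not username or not password or set(username + password) & set(";={}"):
        raise InvalidLogin("empty or malformed credentials")
    try:
        # Oracle itself validates the password against the dictionary here.
        conn = connect(f"DSN={dsn};UID={username};PWD={password}")
    except Exception:
        # Fail closed and do not echo the driver's message to the web user.
        raise InvalidLogin("login rejected") from None
    try:
        cur = conn.cursor()
        cur.execute("SELECT role FROM session_roles")  # roles enabled for this session
        roles = {row[0] for row in cur.fetchall()}
    finally:
        conn.close()
    return max((ROLE_LEVELS.get(r, 0) for r in roles), default=0)

# --- Constructed stand-in for a driver so the example runs offline ---
FAKE_USERS = {"SCOTT": ("tiger", ["INTRANET_READER"])}  # constructed sample data

class _FakeConn:
    def __init__(self, roles): self._roles = roles
    def cursor(self): return self
    def execute(self, sql): pass
    def fetchall(self): return [(r,) for r in self._roles]
    def close(self): pass

def fake_connect(conn_str):
    attrs = dict(part.split("=", 1) for part in conn_str.split(";"))
    pw, roles = FAKE_USERS.get(attrs["UID"], (None, []))
    if pw is None or pw != attrs["PWD"]:
        raise RuntimeError("ORA-01017: invalid username/password; logon denied")
    return _FakeConn(roles)

if __name__ == "__main__":
    print(access_level(fake_connect, "intranet", "SCOTT", "tiger"))
```

With this approach the web account needs no access to DBA_USERS, and no password is ever changed in order to test it.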
