*HCS* ContactDB: review, modify, add

Noam Zeilberger zeilberg at hcs.harvard.edu
Fri May 19 04:43:14 EDT 2000

On Thu, 18 May 2000, dmolnar wrote:

> login names? I find it a little confusing
> that all I'm asked for is my password -- is this a design decision?
There shouldn't be more than two users (administrator and normal) so we
didn't think there was a need for login names.  I added a selector to
choose between the two, so that may help (and get rid of the
userpass=superpass problem).

> I get "error in SQL syntax"
As Scott noticed, this was a problem with quotes being passed unescaped to
mysql.  I was disappointed that this could not be exploited to get root 
by creating a description like:

I am going to h4x0r hcs!!'); update admin_table set

Apparently the mysql_query function only allows you to pass a single
command.  Too bad.  That would've been useful.

> Ability to send to everyone on the list?
> Eventually - not now - the ability for people to state times they 
> prefer to be contacted (e.g. "don't call after 9:00").
> Eventually - not now - The ability to share contact lists with others,
> merge lists into a temporary account. 

> Thanks, 
> -David
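The quoting bug and the single-statement behaviour discussed in this message, as an added example that is not part of the original post or the ContactDB code. It assumes Python's sqlite3 module as a stand-in for the MySQL setup, and the `contacts` table and function names are hypothetical. The refused second statement is a driver behaviour, not the fix; the fix is passing the description as a bound parameter.

```python
import sqlite3

def new_db():
    """In-memory stand-in for the ContactDB table (schema is hypothetical)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE contacts (id INTEGER PRIMARY KEY, description TEXT)")
    return db

def insert_by_concatenation(db, description):
    """The buggy pattern: user text pasted between quotes in the SQL string.
    Returns None on success, otherwise the driver's error message."""
    sql = "INSERT INTO contacts (description) VALUES ('" + description + "')"
    try:
        db.execute(sql)
    except (sqlite3.Error, sqlite3.Warning) as exc:
        # Syntax errors arrive as sqlite3.Error; the "one statement at a time"
        # refusal is sqlite3.Warning or sqlite3.ProgrammingError by Python version.
        return str(exc)
    return None

def insert_with_binding(db, description):
    """The fix: the value travels as a bound parameter, never as SQL text."""
    cur = db.execute("INSERT INTO contacts (description) VALUES (?)", (description,))
    return cur.lastrowid

def stored(db, rowid):
    """Read back the description saved under rowid."""
    row = db.execute("SELECT description FROM contacts WHERE id = ?", (rowid,)).fetchone()
    return row[0]

# Constructed inputs: an ordinary apostrophe, and the string quoted in the message.
SAMPLES = [
    "call Scott's dorm line",
    "I am going to h4x0r hcs!!'); update admin_table set",
]

if __name__ == "__main__":
    for text in SAMPLES:
        db = new_db()
        print("concatenated:", insert_by_concatenation(db, text))
        rowid = insert_with_binding(db, text)
        print("bound, stored verbatim:", stored(db, rowid) == text)
```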