Security question regarding mysql collation for qa_users: email and handle

Question

In Stackoverflow I read that in mysql you should use utf8-bin over utf8_general_ci to prevent hacking. see here.

quote: "Depending on the implementation that uses the database tables, this problem could allow malicious users to create a username matching an administrator account."

I checked the qa_users table and saw that email and handle are both utf8_general_ci.

So my question is (without having looked into the source code): Is q2a dealing with that?

have a good week-end ;)

Answer 1

I don't think it's a concern. First, when a user registers or changes their handle, Q2A checks whether the handle already exists, using the exact method it uses when a user is logging in. Second, if by some bug two users do have a handle which matches under that collation, the log in will fail anyway (see qa-page-login.php).

Comments

good to know, thanks

Answer 2

I don't think this is a problem, as Q2A uses the userid from the table and not the handle. Even if a user created a handle that mirrored an admin's handle, the password would not be correct for the genuine admin account.

Maybe somebody with more knowledge of the sign-on process can contibute.