Re: spoofing question

From: Dave Anderson (GTSPXOESSGOQ_at_spammotel.com)
Date: 03/17/04
Date: Wed, 17 Mar 2004 10:32:02 -0600


"Stephanie Stowe" wrote:
>
>> http://www.devx.com/dbzone/Article/10167
>
> I am not at liberty to do this as I do not have SQL Server. We use
> DB2 on the iSeries. More in a new post this am.

The GUID suggestion was merely one way of creating an "unguessable" session
id. You don't need SQL Server to create one:

    [JScript example]
    // Scriptlet.TypeLib hands back a freshly generated GUID as a string
    // of the form "{xxxxxxxx-xxxx-...}"; strip the braces to keep the id.
    var sessionId = Server.CreateObject("Scriptlet.TypeLib").GUID.replace(/[{}]/g, "");
    (The object has a .GUID string property)

You certainly can implement your own, for that matter. For example, you
could randomly generate a string of digits and check your db for uniqueness.

How many digits would suffice? Suppose you use the GUID as an example of a
sufficient space. There are (2^8)^16 (or
3.4028236692093846346337460743177e+38) possible values. Using just the
characters [0-9], you would need 38.53 characters to cover the same range of
values. Using [A-Z], you would need 27.23 characters. Combining them,
[A-Z0-9] requires strings of length 24.76, [a-zA-Z] needs 22.45, [A-Za-z0-9]
needs 21.50 characters.

Obviously, there is no such thing as a string of length 38.53. But by
choosing 39 character strings of [0-9], you guarantee a space at least as
large as the GUID space. Does that seem like long strings? Consider that it
takes 32 hex characters to express a 16-byte GUID value.

Some of the same pitfalls apply to self-generated session ids as to GUIDs,
BTW. Their length makes them poor primary keys, for example.

For what it's worth, script-based random number generation is not exactly
random.

-- 
Dave Anderson
Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.
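The length arithmetic above, and the remark that script-level random number generation is not really random, as an added worked example (not code from the original post): it computes the 38.53 / 27.23 / 24.76 / 22.45 / 21.50 figures for the 2^128 GUID space from the alphabet size, rounds up to a whole length, and draws the session id from the operating system's CSPRNG via Python's secrets module rather than a script PRNG.

```python
import math
import secrets
import string

GUID_BITS = 128  # a 16-byte GUID: (2^8)^16 = 2^128 possible values

# Alphabets discussed in the post, keyed by the character class used there.
ALPHABETS = {
    "[0-9]": string.digits,
    "[A-Z]": string.ascii_uppercase,
    "[A-Z0-9]": string.ascii_uppercase + string.digits,
    "[a-zA-Z]": string.ascii_letters,
    "[A-Za-z0-9]": string.ascii_letters + string.digits,
}


def chars_needed(alphabet_size: int, bits: int = GUID_BITS) -> float:
    """Fractional string length over an alphabet of `alphabet_size` symbols
    whose space equals 2**bits: solve alphabet_size**n == 2**bits for n."""
    return bits * math.log(2) / math.log(alphabet_size)


def min_length(alphabet_size: int, bits: int = GUID_BITS) -> int:
    """Smallest whole length whose space is at least as large as 2**bits."""
    return math.ceil(chars_needed(alphabet_size, bits))


def session_id(alphabet: str, bits: int = GUID_BITS) -> str:
    """Session id drawn from the OS CSPRNG (secrets), long enough that the
    number of possible ids is at least 2**bits. Uniqueness still has to be
    checked against the session table, as the post says."""
    length = min_length(len(alphabet), bits)
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for name, alphabet in ALPHABETS.items():
        n = len(alphabet)
        print(f"{name:12} {chars_needed(n):6.2f} -> {min_length(n)} chars")
    print("digits-only id:", session_id(ALPHABETS["[0-9]"]))
```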

