0 votes
in Q2A Core by

On Stack Overflow I read that in MySQL you should use utf8_bin over utf8_general_ci to prevent hacking. See here.

quote: "Depending on the implementation that uses the database tables, this problem could allow malicious users to create a username matching an administrator account."

I checked the qa_users table and saw that email and handle are both utf8_general_ci.

So my question is (without having looked into the source code): Is q2a dealing with that?

Have a good weekend ;)

2 Answers

0 votes
selected by
Best answer

I don't think it's a concern. First, when a user registers or changes their handle, Q2A checks whether the handle already exists, using the exact method it uses when a user is logging in. Second, if by some bug two users do have a handle which matches under that collation, the login will fail anyway (see qa-page-login.php).

Good to know, thanks.
0 votes
I don't think this is a problem, as Q2A uses the userid from the table and not the handle. Even if a user created a handle that mirrored an admin's handle, the password would not be correct for the genuine admin account.

Maybe somebody with more knowledge of the sign-on process can contribute.
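An added example (not Q2A's own code or schema) illustrating the point of both answers: what a utf8_general_ci column treats as the same handle, and the two defensive checks that keep a look-alike handle from being registered, the pre-registration existence check run with the column's own collation and a unique index as a backstop. The table and column names are assumed.

```sql
-- Constructed table (not qa_users): a handle column with the same
-- collation the question found on qa_users.handle.
CREATE TABLE demo_users (
  userid INT AUTO_INCREMENT PRIMARY KEY,
  handle VARCHAR(20) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL,
  UNIQUE KEY handle (handle)
) ENGINE=InnoDB;

INSERT INTO demo_users (handle) VALUES ('admin');

-- utf8_general_ci is case-insensitive and accent-insensitive, so both of
-- these comparisons evaluate as equal (the _utf8 introducer keeps the
-- literals in the utf8 character set the collation belongs to).
SELECT _utf8'Admin' = _utf8'admin' COLLATE utf8_general_ci AS case_folded;
SELECT _utf8'ádmin' = _utf8'admin' COLLATE utf8_general_ci AS accent_folded;

-- utf8_bin compares the raw bytes, so the same pair is not equal.
SELECT _utf8'Admin' = _utf8'admin' COLLATE utf8_bin AS bin_compare;

-- Existence check to run before accepting a new handle. Because it uses
-- the column's collation, it finds the existing 'admin' row for 'Ádmin',
-- which is the same comparison a login lookup on handle would perform.
SELECT userid FROM demo_users WHERE handle = 'Ádmin';

-- Backstop: even if the application-level check were skipped, the unique
-- index is enforced under the column collation and rejects the collision
-- with a duplicate-entry error.
INSERT INTO demo_users (handle) VALUES ('Ádmin');
```

The last statement is expected to fail; that failure is the desired outcome, since it means a handle that collides with an existing one under the column's collation can never be stored twice.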