Monday, August 4, 2008

Re: [fw-mvc] Prepopulating a password field with Zend_Form

Ramon de la Fuente wrote:
> There are situations where you could not do this; for example where
> you write some code that uses another web-api that requires
> credentials. If you would allow users on YOUR website to enter their
> credentials for the third-party api in a back-end, then this would
> need to be saved plaintext.
This is exactly what I am doing :)
> Although it could be argued that trying to imply security by posting
> it through a "password" field in a form is dubious.
The only security I am implying is that the person standing behind you
can't read what you're entering into the password field. That's the only
reason I need the input field to be of type "password".
> If you're trying to pre-populate the password field because you're
> "losing" the password in the database [because the field in the form
> is posted empty]; try to write your code so that an empty 'password'
> post (call it remote web-api credential) does not overwrite the
> existing value.
Thanks, Ramon. This is a good suggestion.
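
The approach suggested in the thread, as an added example that is not part of the original messages: the stored third-party credential is never written back into the form's HTML, and a blank password post leaves the saved value untouched. It is plain PHP 7+ rather than Zend_Form code; the function names, the field names (`api_username`, `api_password`) and the sample data are assumptions made for illustration.

```php
<?php
// Added illustration; function and field names are hypothetical.

/**
 * Merge a submitted settings form into the stored record.
 * An empty 'api_password' means "keep the current secret".
 */
function mergeApiCredentials(array $stored, array $post): array
{
    $updated = $stored;

    if (isset($post['api_username']) && is_string($post['api_username'])) {
        $updated['api_username'] = trim($post['api_username']);
    }

    // Passwords are not trimmed: whitespace can be significant.
    $submitted = $post['api_password'] ?? '';
    if (is_string($submitted) && $submitted !== '') {
        $updated['api_password'] = $submitted;
    }

    return $updated;
}

/** Render the field without ever echoing the stored secret back. */
function renderPasswordField(array $stored): string
{
    $hint = isset($stored['api_password']) && $stored['api_password'] !== ''
        ? 'leave blank to keep current password'
        : 'no password saved yet';

    return sprintf(
        '<input type="password" name="api_password" value="" placeholder="%s" autocomplete="new-password">',
        htmlspecialchars($hint, ENT_QUOTES, 'UTF-8')
    );
}

// Constructed sample data.
$stored = ['api_username' => 'shop-42', 'api_password' => 's3cret-from-db'];

$kept = mergeApiCredentials($stored, ['api_username' => 'shop-42', 'api_password' => '']);
assert($kept['api_password'] === 's3cret-from-db');   // blank post keeps the secret

$changed = mergeApiCredentials($stored, ['api_username' => 'shop-42', 'api_password' => 'n3w-value']);
assert($changed['api_password'] === 'n3w-value');     // non-empty post replaces it

echo renderPasswordField($stored), PHP_EOL;
```

A `type="password"` input only masks the characters on screen; a value pre-filled into it is still readable in the page source, which is why the field is rendered empty here.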
