That's interesting. I didn't realize that he meant it as a single string value. Actually what you mean is that the query would be "select * from username='x' or 1=1 --' and password='x'". Notice that the extra ' that gave me an error before is not behind the comment marker.
Nice catch, Bob. Now what security measure do you suggest?
-Tim

-----Original Message-----
From: David Nguyen [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 15, 2001 12:53 PM
To: [EMAIL PROTECTED]
Subject: Re: Login Authentication against database...

Interesting. Actually what he wanted to point out is a possible loophole in the authentication method discussed. I can imagine if this query is launched:
"select * from username='anybody' or 1=1 -- and password='tiger'"
then anybody can access the application (since the -- would make the password irrelevant). With Bob's parameter, the query would be
"select * from username='anybody'' or 1=1' -- and password='tiger'"
here the string anybody is 'anybody' or 1=1' (I didn't try though)

david

-----Original Message-----
From: A mailing list about Java Server Pages specification and reference [mailto:[EMAIL PROTECTED]] On Behalf Of Joe Cheng
Sent: Thursday, November 15, 2001 9:33 AM
To: [EMAIL PROTECTED]
Subject: Re: Login Authentication against database...

Celeste, what's a "more secure" means? Now you've got me curious.

And Bob wasn't pointing out a loophole, just calling attention to the non-escaped values in the SQL statement below.

-jmc

===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST DIGEST".
Some relevant FAQs on JSP/Servlets can be found at:
http://archives.java.sun.com/jsp-interest.html
http://java.sun.com/products/jsp/faq.html
http://www.esperanto.org.nz/jsp/jspfaq.jsp
http://www.jguru.com/faq/index.jsp
http://www.jspinsider.com
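The three queries the thread argues about, worked through end to end as an added example (this is not code from the thread or from anyone's JSP page). It uses Python with an in-memory SQLite database instead of JSP/JDBC so it runs stand-alone; the `users` table, its two rows and the function names are constructed for the example. It shows the login query built by string concatenation, the payload `x' or 1=1 --` that comments the password check out of the WHERE clause, the same payload without the `--` (the "extra quote" that produces a database error), the quote-doubling countermeasure Bob's parameter was described as applying, and the parameterised query that answers Tim's question; in JDBC the last one is `java.sql.PreparedStatement`.

```python
import sqlite3

# Constructed sample data; the table and rows are assumptions, not from the thread.
USERS = [("scott", "tiger"), ("alice", "s3cret")]

# The payload discussed in the thread: closes the username literal, adds a
# tautology, and comments out the rest of the WHERE clause.
PAYLOAD = "x' or 1=1 --"


def make_db():
    """In-memory users table standing in for the application's login table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def build_concat_sql(username, password, escape_quotes=False):
    """Build the login query by string concatenation, as the thread's JSP did.

    With escape_quotes=True each single quote in the inputs is doubled,
    the countermeasure the thread attributes to Bob's parameter.
    """
    if escape_quotes:
        username = username.replace("'", "''")
        password = password.replace("'", "''")
    return ("SELECT username FROM users WHERE username='" + username
            + "' AND password='" + password + "'")


def login_concat(conn, username, password, escape_quotes=False):
    """Run the concatenated query.

    Returns the sorted list of matched usernames, or None when the database
    rejects the query as malformed (the 'extra quote' error from the thread).
    """
    sql = build_concat_sql(username, password, escape_quotes)
    try:
        return sorted(row[0] for row in conn.execute(sql))
    except sqlite3.OperationalError:
        return None


def login_param(conn, username, password):
    """Parameterised query: the inputs never become part of the SQL text.

    In JSP/JDBC this is java.sql.PreparedStatement with setString(1, username)
    and setString(2, password).
    """
    rows = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password))
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    conn = make_db()
    print("legit login     :", login_concat(conn, "scott", "tiger"))
    print("payload, no --  :", login_concat(conn, "x' or 1=1", "x"))
    print("payload with -- :", login_concat(conn, PAYLOAD, "x"))
    print("quotes doubled  :", login_concat(conn, PAYLOAD, "x", escape_quotes=True))
    print("prepared stmt   :", login_param(conn, PAYLOAD, "x"))
```

With the payload and `--`, the concatenated query matches every row, so the caller "logs in" as the first user returned. Doubling the quotes does close this particular hole, because the whole input is then one string literal, but it only protects values that sit inside quotes; a numeric column concatenated without quotes would still be injectable, which is why a prepared statement, where the database receives the values separately from the statement text, is the measure to reach for rather than escaping.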