Bob Vú wrote:
> Hi all,
>
> Wow, look what I started. Sorry, I could not reply during the day (at
> client site). Chris, David and Hans and others were right. If you are
> using the simple login authentication that was discussed here earlier, you
> will have to be careful. For example, the SQL discussed was:
>
> SELECT * FROM SAMM.UsersLogin
> WHERE UserLoginId ='"+username+
> "' AND UserPassword = '"+password+"'";
>
> When the hacker enters the following on your login page:
>
> UserName: x' or 1=1--
> Password: x
>
> The SQL would be
>
> SELECT * FROM SAMM.UsersLogin
> WHERE UserLoginId ='x' or 1=1--' AND UserPassword = 'x'";
>
> which would really be:
>
> SELECT * FROM SAMM.UsersLogin
> WHERE UserLoginId ='x' or 1=1
>
> because anything after -- is a comment.
>
> Well, if the code discussed in the original email:
>
> if( myResultSet.next() ) {
> // we have a valid user!
> }
>
> is used to check for a valid user, then bingo, you're in because your SQL
> will return all rows in the table.
>
> One way to resolve this is to use the JDBC PreparedStatement as
> discussed by Chris below or use JS to strip invalid characters before
> sending to the server. Of course, this is the easiest to do and will
> prevent the majority of the amateur hackers.
>
> Just a bit of warning to the JSP coders out there. Be careful and alert
> about possible loopholes in your security codes.
Be careful is correct, but that includes not relying on "JS to strip
invalid characters before sending to the server" ;-) It's easy to disable
JavaScript in a browser, and some don't support it to begin with. Therefore
you must always validate the data on the server, even if you use JS in the
client to provide a more interactive interface for those that have JS
activated.

I suggest you look into using PreparedStatements. It's not rocket science
and it solves the problem nicely. Even better, use a custom tag library
that removes all the scripting code for stuff like this from the JSP pages.
Two free examples I know of:

* The tag library described in my JSP book: <http://TheJSPBook.com/>
* The dbtags library at Jakarta Taglibs: <http://jakarta.apache.org/taglibs/>

My company also sells a commercial tag library with this functionality,
and a lot more:

* InstantOnline Basic <http://www.gefionsoftware.com/InstantOnline/Basic/>

Hans
--
Hans Bergsten [EMAIL PROTECTED]
Gefion Software http://www.gefionsoftware.com
Author of JavaServer Pages (O'Reilly), http://TheJSPBook.com

===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST DIGEST".
Some relevant FAQs on JSP/Servlets can be found at:
http://archives.java.sun.com/jsp-interest.html
http://java.sun.com/products/jsp/faq.html
http://www.esperanto.org.nz/jsp/jspfaq.jsp
http://www.jguru.com/faq/index.jsp
http://www.jspinsider.com
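An added example (not from either poster) that runs the two login checks discussed above side by side: the concatenated query from Bob's message and the server-side parameter binding Hans recommends, which is what a JDBC PreparedStatement does. It uses Python's sqlite3 module so it runs stand-alone; the table is an unqualified stand-in for SAMM.UsersLogin (SQLite has no schema prefix) and the user rows are constructed sample data.

```python
import sqlite3

# Constructed sample rows standing in for SAMM.UsersLogin.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """In-memory database with a UsersLogin table like the one in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UsersLogin (UserLoginId TEXT, UserPassword TEXT)")
    conn.executemany("INSERT INTO UsersLogin VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn, username, password):
    """The vulnerable pattern from the thread: input spliced into the SQL text."""
    sql = ("SELECT * FROM UsersLogin WHERE UserLoginId = '" + username
           + "' AND UserPassword = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_prepared(conn, username, password):
    """Parameter binding: the values never become part of the SQL grammar,
    so quotes and -- in them are matched literally (JDBC PreparedStatement)."""
    sql = "SELECT * FROM UsersLogin WHERE UserLoginId = ? AND UserPassword = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    """Row counts for a real login and for the input quoted in the thread."""
    conn = make_db()
    injected = "x' or 1=1--"
    return {
        "concat_valid": len(login_concat(conn, "alice", "s3cret")),
        "concat_injected": len(login_concat(conn, injected, "x")),
        "prepared_valid": len(login_prepared(conn, "alice", "s3cret")),
        "prepared_injected": len(login_prepared(conn, injected, "x")),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

With the concatenated query the injected input returns every row, so `myResultSet.next()` would report a valid user; with binding it returns none, regardless of what the client-side JavaScript did or did not filter.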