I actually do a two stage authorization. I do use a 
Select * from users where username=form.username

but then I take the password received in the query and compare it to
the form.password.

I do this because of password encryption, but it makes it harder
for someone to use inappropriate terms in the username box and still get
somewhere because the password keyed must match the one recovered. If
they put in 1=1 or anyone or any other value, there will be no password
recovered that the second stage can use.

Margaret
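
The thread's three approaches side by side, as an added example rather than any poster's code, in Python with sqlite3 standing in for the JDBC the list discusses: the string-built query, Chris's PreparedStatement as a parameterized query, and the lookup-then-compare described above. The UsersLogin table and its two rows are constructed for the demo.

```python
import hmac
import sqlite3

# Constructed stand-in for the thread's SAMM.UsersLogin table (two demo rows).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UsersLogin (UserLoginId TEXT, UserPassword TEXT)")
    conn.executemany("INSERT INTO UsersLogin VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn

def login_concat(conn, username, password):
    # The string-built query from the thread: form input is spliced into SQL,
    # so "x' or 1=1--" closes the quote and comments out the password check.
    sql = ("SELECT * FROM UsersLogin WHERE UserLoginId = '" + username
           + "' AND UserPassword = '" + password + "'")
    return conn.execute(sql).fetchone() is not None

def login_prepared(conn, username, password):
    # Chris's PreparedStatement as a parameterized query: the driver binds the
    # values, so the same input is only ever compared as a literal string.
    sql = ("SELECT * FROM UsersLogin WHERE LOWER(UserLoginId) = LOWER(?) "
           "AND UserPassword = ?")
    return conn.execute(sql, (username, password)).fetchone() is not None

def two_stage_lookup(conn, username):
    # Stage one of the lookup-then-compare approach, written with the same
    # concatenation as the thread to show what it does and does not prevent.
    sql = ("SELECT UserPassword FROM UsersLogin WHERE UserLoginId = '"
           + username + "'")
    return conn.execute(sql).fetchone()

def login_two_stage(conn, username, password):
    # Stage two: the typed password must equal the password the row returned.
    # With "x' or 1=1--" the query still returns a row (some real user's), but
    # the attacker would have to know that user's password, so 1=1 alone fails.
    # The query itself is still injectable; the fix is the parameterized form.
    row = two_stage_lookup(conn, username)
    if row is None:
        return False
    return hmac.compare_digest(row[0].encode(), password.encode())
```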

-----Original Message-----
From: Glenn Wearen [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 16, 2001 8:02 AM
To: [EMAIL PROTECTED]
Subject: Re: Login Authentication against database...


Similarly, when the hacker knows a user ID (e.g. root), supplying a password
like (SELECT password from person where id=root) or variants of this may
work. Take a look @
http://softwaredev.earthweb.com/java/article/0,,12082_883381,00.html for
security tips.

Glenn

> -----Original Message-----
> From: Bob Vú [mailto:[EMAIL PROTECTED]]
> Sent: Friday, November 16, 2001 6:46 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Login Authentication against database...
> 
> 
> Hi all,
> 
> Wow, look what I started.  Sorry, I could not reply during the day (at
> client site).  Chris, David and Hans and others were right.  If you are
> using the simple login authentication that was discussed here earlier, you
> will have to be careful.  For example, the SQL discussed was:
> 
> SELECT * FROM SAMM.UsersLogin
> WHERE UserLoginId ='"+username+
> "' AND UserPassword = '"+password+"'";
> 
> When the hacker enters the following on your login page:
> 
> UserName: x' or 1=1--
> Password: x
> 
> The SQL would be
> 
> SELECT * FROM SAMM.UsersLogin
> WHERE UserLoginId ='x' or 1=1--' AND UserPassword = 'x'";
> 
> which would really be:
> SELECT * FROM SAMM.UsersLogin
> WHERE UserLoginId ='x' or 1=1
> 
> because anything after -- is a comment
> 
> Well, if the code discussed in the original email:
> if( myResultSet.next() ) {
>      // we have a valid user!
> }
> 
> is used to check for valid user, then bingo, you're in because your SQL will
> return all rows in the table.
> 
> One way to resolve this is to use the JDBC PreparedStatement as discussed by
> Chris below or use JS to strip invalid characters before sending to the
> server.  Of course, this is the easiest to do and will prevent the majority
> of the amateur hackers.
> 
> Just a bit of warning to the JSP coders out there.  Be careful and alert
> about possible loopholes in your security codes.
> 
> Chao.
> 
> 
> 
> 
> 
> >From: Chris Tucker <[EMAIL PROTECTED]>
> >Reply-To: A mailing list about Java Server Pages specification and
> >reference <[EMAIL PROTECTED]>
> >To: [EMAIL PROTECTED]
> >Subject: Re: Login Authentication against database...
> >Date: Thu, 15 Nov 2001 09:34:09 -0800
> >
> >Bob,
> >
> >I would hope that people are escaping any SQL characters in the username
> >parameter in the example below...anything else would be plain bad practice.
> >If you want JDBC to handle that stuff for you, you can do it robustly with:
> >
> >String psql = "SELECT * FROM SAMM.UsersLogin WHERE LOWER(UserLoginId) =
> >LOWER(?) AND UserPassword = ?";
> >PreparedStatement psth = conn.prepareStatement(psql);
> >psth.setString(1, username);
> >psth.setString(2, password);
> >ResultSet rs = psth.executeQuery();
> >
> >Chris
> >
> >-----Original Message-----
> >From: A mailing list about Java Server Pages specification and reference
> >[mailto:[EMAIL PROTECTED]]On Behalf Of Bob Vú
> >Sent: Thursday, November 15, 2001 7:43 AM
> >To: [EMAIL PROTECTED]
> >Subject: Re: Login Authentication against database...
> >
> >
> >For those of you who use this method of login authentication, use the
> >following username/password in your login page when you're done coding and
> >see what happens:
> >
> >UserName: x' or 1=1--
> >Password: x
> >
> >
> >
> >
> > >From: Chris Tucker <[EMAIL PROTECTED]>
> > >Reply-To: A mailing list about Java Server Pages specification and
> > >reference <[EMAIL PROTECTED]>
> > >To: [EMAIL PROTECTED]
> > >Subject: Re: Login Authentication against database...
> > >Date: Wed, 14 Nov 2001 11:29:59 -0800
> > >
> > >You shouldn't need to do any comparisons at all in your code.  Use:
> > >
> > >String sqlStr = "SELECT * FROM SAMM.UsersLogin WHERE LOWER(UserLoginId) =
> > >LOWER('"+username+"') AND UserPassword = '"+password+"'";
> > >stmt = myConn.createStatement();
> > >myResultSet = stmt.executeQuery(sqlStr);
> > >if( myResultSet.next() ) {
> > >     // we have a valid user!
> > >}
> > >else {
> > >     // we don't have a valid user!
> > >}
> > >
> > >And make sure you catch and log any SQLExceptions that may occur, as
> > >they'll help you out no end in debugging...
> > >   -----Original Message-----
> > >   From: A mailing list about Java Server Pages specification and
> > >reference [mailto:[EMAIL PROTECTED]]On Behalf Of Praveen Potineni
> > >   Sent: Wednesday, November 14, 2001 11:20 AM
> > >   To: [EMAIL PROTECTED]
> > >   Subject: Re: Login Authentication against database...
> > >
> > >
> > >   That's exactly what I did. I got only one record and test if the user
> > >exists. Else it goes to login screen.
> > >   But I still get the same error. Well, I figured that I'm getting a
> > >problem comparing the 2 strings...
> > >   string coming out of database and the string entered by user. Can you
> > >check the code and suggest me on this...
> > >   Thanks in advance
> > >   Praveen
> > >
> > >      String sqlStr = "SELECT * FROM SAMM.UsersLogin WHERE UserLoginId =
> > >'"+username+"' AND UserPassword = '"+password+"'";
> > >      stmt = myConn.createStatement();
> > >      myResultSet = stmt.executeQuery(sqlStr);
> > >      if(myResultSet.next() == false)
> > >      {
> > >       log("resultset is null.");
> > >      }
> > >      else{
> > >       log("resultset is true");
> > >
> > >       String uid = myResultSet.getString("UserLoginId");
> > >       String upin = myResultSet.getString("UserPassword");
> > >
> > >       if ((username.equalsIgnoreCase(uid)) &&
> > >(password.equalsIgnoreCase(upin))){
> > >         validUser = "true";
> > >       }
> > >       else{
> > >         validUser = "false";
> > >       }
> > >       log("validUser is : " +validUser);
> > >      }
> > >      myResultSet.close();
> > >      stmt.close();
> > >     }
> > >     catch(SQLException sqle){
> > >      //System.out.println("User Does not exist Exception: "+sqle.toString());
> > >      //log("DBObject.validUserExists: Exception: "+sqle.toString());
> > >     }
> > >     return validUser;
> > >    }
> > >     ----- Original Message -----
> > >     From: Joe Cheng
> > >     To: [EMAIL PROTECTED]
> > >     Sent: Wednesday, November 14, 2001 1:45 PM
> > >     Subject: Re: Login Authentication against database...
> > >
> > >
> > >     Praveen-
> > >
> > >     It looks like your query is retrieving the whole set of users and
> > >then iterating in Java to see if any of them match the username/password
> > >the user entered.  Why would you do that, rather than simply:
> > >
> > >     SELECT * FROM users WHERE username = '<username entered by user>'
> > >AND password = '<password entered by user>';
> > >
> > >     and see if any rows are returned.  If there are no rows, the
> > >username and/or password was wrong.  This way you don't have to deal with
> > >so much data, making it potentially much faster and less memory intensive.
> > >
> > >     -jmc
> >
> >
> >==========================================================================
> >To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
> >For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST DIGEST".
> >Some relevant FAQs on JSP/Servlets can be found at:
> >
> >  http://archives.java.sun.com/jsp-interest.html
> >  http://java.sun.com/products/jsp/faq.html
> >  http://www.esperanto.org.nz/jsp/jspfaq.jsp
> >  http://www.jguru.com/faq/index.jsp
> >  http://www.jspinsider.com