How about misusing java.net.URLEncoder and java.net.URLDecoder?

i.e. encode all strings before inserting them into the database and decode 
them when retrieving from the database (faster than encrypting, I think).

I suspect this would eliminate most issues related to some prankster using 
SQL in a form such as this.

I'm still a Uni student so please don't jump at me if I've missed something 
obvious; the above just seemed like a simple-to-implement solution, don't know 
about performance though.

~Abhijit.
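The concatenated login query discussed further down the thread and Chris's PreparedStatement fix, side by side as an added Python/sqlite3 example (not code from the thread), so the `x' or 1=1--` input can be run against both. The two users are constructed sample data, and the SAMM schema prefix is dropped because SQLite has no schemas.

```python
import sqlite3

# Constructed sample data: an in-memory stand-in for the thread's
# SAMM.UsersLogin table (SQLite has no schemas, so the prefix is dropped).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UsersLogin (UserLoginId TEXT, UserPassword TEXT)")
    conn.executemany("INSERT INTO UsersLogin VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_concat(conn, username, password):
    """The thread's original pattern: form input spliced into the SQL text.
    Returns the matching rows; any row at all is treated as a valid login."""
    sql = ("SELECT * FROM UsersLogin WHERE UserLoginId = '" + username +
           "' AND UserPassword = '" + password + "'")
    return conn.execute(sql).fetchall()

def login_param(conn, username, password):
    """Chris's fix: bind parameters, so the input is data, never SQL syntax.
    Mirrors his LOWER(UserLoginId) = LOWER(?) comparison."""
    sql = ("SELECT * FROM UsersLogin WHERE LOWER(UserLoginId) = LOWER(?) "
           "AND UserPassword = ?")
    return conn.execute(sql, (username, password)).fetchall()

def demo():
    """Run the thread's test input against both versions."""
    conn = make_db()
    bad_user, bad_pw = "x' or 1=1--", "x"
    return {
        "concat_rows": len(login_concat(conn, bad_user, bad_pw)),  # 2: whole table
        "param_rows": len(login_param(conn, bad_user, bad_pw)),    # 0: no such user
        "param_valid": len(login_param(conn, "Alice", "s3cret")),  # 1: real login
    }

if __name__ == "__main__":
    print(demo())
```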


At 08:11 AM 11/16/2001 -0800, you wrote:
>I actually do a two stage authorization. I do use a
>Select * from users where username=form.username
>
>but then I take the password received in the query and compare it to
>the form.password.
>
>I do this because of password encryption, but it makes it harder
>for someone to use inappropriate terms in the username box and still get
>somewhere because the password keyed must match the one recovered. If
>they put in 1=1 or anyone or any other value, there will be no password
>recovered that the second stage can use.
>
>Margaret
>
>-----Original Message-----
>From: Glenn Wearen [mailto:[EMAIL PROTECTED]]
>Sent: Friday, November 16, 2001 8:02 AM
>To: [EMAIL PROTECTED]
>Subject: Re: Login Authentication against database...
>
>
>Similarly, when the hacker knows a user ID (e.g. root), supplying a password
>like (SELECT password from person where id=root) and variants of this may
>work. Take a look at
>http://softwaredev.earthweb.com/java/article/0,,12082_883381,00.html for
>security tips.
>
>Glenn
>
> > -----Original Message-----
> > From: Bob Vú [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, November 16, 2001 6:46 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Login Authentication against database...
> >
> >
> > Hi all,
> >
> > Wow, look what I started.  Sorry, I could not reply during the day (at
> > client site).  Chris, David and Hans and others were right.  If you are
> > using the simple login authentication that was discussed here earlier, you
> > will have to be careful.  For example, the SQL discussed was:
> >
> > SELECT * FROM SAMM.UsersLogin
> > WHERE UserLoginId ='"+username+
> > "' AND UserPassword = '"+password+"'";
> >
> > When the hacker enters the following on your login page:
> >
> > UserName: x' or 1=1--
> > Password: x
> >
> > The SQL would be
> >
> > SELECT * FROM SAMM.UsersLogin
> > WHERE UserLoginId ='x' or 1=1--' AND UserPassword = 'x'
> >
> > which would really be:
> > SELECT * FROM SAMM.UsersLogin
> > WHERE UserLoginId ='x' or 1=1
> >
> > because anything after -- is a comment
> >
> > Well, if the code discussed in the original email:
> > if( myResultSet.next() ) {
> >      // we have a valid user!
> > }
> >
> > is used to check for valid user, then bingo, you're in because your SQL will
> > return all rows in the table.
> >
> > One way to resolve this is to use the JDBC PreparedStatement as discussed by
> > Chris below or use JS to strip invalid characters before sending to the
> > server.  Of course, this is the easiest to do and will prevent the majority
> > of the amateur hackers.
> >
> > Just a bit of warning to the JSP coders out there.  Be careful and alert
> > about possible loopholes in your security codes.
> >
> > Chao.
> >
> >
> >
> >
> >
> > >From: Chris Tucker <[EMAIL PROTECTED]>
> > >Reply-To: A mailing list about Java Server Pages specification and
> > >reference <[EMAIL PROTECTED]>
> > >To: [EMAIL PROTECTED]
> > >Subject: Re: Login Authentication against database...
> > >Date: Thu, 15 Nov 2001 09:34:09 -0800
> > >
> > >Bob,
> > >
> > >I would hope that people are escaping any SQL characters in the username
> > >parameter in the example below...anything else would be plain bad practice.
> > >If you want JDBC to handle that stuff for you, you can do it robustly with:
> > >
> > >String psql = "SELECT * FROM SAMM.UsersLogin WHERE LOWER(UserLoginId) = " +
> > >              "LOWER(?) AND UserPassword = ?";
> > >PreparedStatement psth = conn.prepareStatement(psql);
> > >psth.setString(1, username);
> > >psth.setString(2, password);
> > >ResultSet rs = psth.executeQuery();
> > >
> > >Chris
> > >
> > >-----Original Message-----
> > >From: A mailing list about Java Server Pages specification
> > and reference
> > >[mailto:[EMAIL PROTECTED]]On Behalf Of Bob Vú
> > >Sent: Thursday, November 15, 2001 7:43 AM
> > >To: [EMAIL PROTECTED]
> > >Subject: Re: Login Authentication against database...
> > >
> > >
> > >For those of you who use this method of login authentication, use the
> > >following username/password in your login page when you're
> > done coding and
> > >see what happens:
> > >
> > >UserName: x' or 1=1--
> > >Password: x
> > >
> > >
> > >
> > >
> > > >From: Chris Tucker <[EMAIL PROTECTED]>
> > > >Reply-To: A mailing list about Java Server Pages specification and
> > > >reference <[EMAIL PROTECTED]>
> > > >To: [EMAIL PROTECTED]
> > > >Subject: Re: Login Authentication against database...
> > > >Date: Wed, 14 Nov 2001 11:29:59 -0800
> > > >
> > > >You shouldn't need to do any comparisons at all in your code.  Use:
> > > >
> > > >String sqlStr = "SELECT * FROM SAMM.UsersLogin WHERE LOWER(UserLoginId) = " +
> > > >                "LOWER('"+username+"') AND UserPassword = '"+password+"'";
> > > >stmt = myConn.createStatement();
> > > >myResultSet = stmt.executeQuery(sqlStr);
> > > >if( myResultSet.next() ) {
> > > >     // we have a valid user!
> > > >}
> > > >else {
> > > >     // we don't have a valid user!
> > > >}
> > > >
> > > >And make sure you catch and log any SQLExceptions that may occur, as
> > > >they'll help you out no end in debugging...
> > > >   -----Original Message-----
> > > >   From: A mailing list about Java Server Pages specification and
> > >reference
> > > >[mailto:[EMAIL PROTECTED]]On Behalf Of Praveen Potineni
> > > >   Sent: Wednesday, November 14, 2001 11:20 AM
> > > >   To: [EMAIL PROTECTED]
> > > >   Subject: Re: Login Authentication against database...
> > > >
> > > >
> > > >   That's exactly what I did. I got only one record and test if the user
> > > >exists. Else it goes to login screen.
> > > >   But I still get the same error. Well I figured that I'm getting a
> > > >problem comparing the 2 strings...
> > > >   string coming out of database and the string entered by user. Can you
> > > >check the code and suggest me on this...
> > > >   Thanks in advance
> > > >   Praveen
> > > >
> > > >    // Method header and try block restored from the log message below;
> > > >    // stmt, myConn and myResultSet are assumed to be fields of DBObject.
> > > >    public String validUserExists(String username, String password) {
> > > >     String validUser = "false";
> > > >     try {
> > > >      String sqlStr = "SELECT * FROM SAMM.UsersLogin WHERE UserLoginId = " +
> > > >                      "'"+username+"' AND UserPassword = '"+password+"'";
> > > >      stmt = myConn.createStatement();
> > > >      myResultSet = stmt.executeQuery(sqlStr);
> > > >      if(myResultSet.next() == false)
> > > >      {
> > > >       log("resultset is null.");
> > > >      }
> > > >      else{
> > > >       log("resultset is true");
> > > >
> > > >       String uid = myResultSet.getString("UserLoginId");
> > > >       String upin = myResultSet.getString("UserPassword");
> > > >
> > > >       if ((username.equalsIgnoreCase(uid)) &&
> > > >           (password.equalsIgnoreCase(upin))){
> > > >         validUser = "true";
> > > >       }
> > > >       else{
> > > >         validUser = "false";
> > > >       }
> > > >       log("validUser is : " +validUser);
> > > >      }
> > > >      myResultSet.close();
> > > >      stmt.close();
> > > >     }
> > > >     catch(SQLException sqle){
> > > >      //System.out.println("User Does not exist Exception: "+sqle.toString());
> > > >      //log("DBObject.validUserExists: Exception: "+sqle.toString());
> > > >     }
> > > >     return validUser;
> > > >    }
> > > >     ----- Original Message -----
> > > >     From: Joe Cheng
> > > >     To: [EMAIL PROTECTED]
> > > >     Sent: Wednesday, November 14, 2001 1:45 PM
> > > >     Subject: Re: Login Authentication against database...
> > > >
> > > >
> > > >     Praveen-
> > > >
> > > >     It looks like your query is retrieving the whole set of users and
> > > >then iterating in Java to see if any of them match the username/password
> > > >the user entered.  Why would you do that, rather than simply:
> > > >
> > > >     SELECT * FROM users WHERE username = '<username entered by user>'
> > > >AND password = '<password entered by user>';
> > > >
> > > >     and see if any rows are returned.  If there are no rows, the
> > > >username and/or password was wrong.  This way you don't have to deal
> > > >with so much data, making it potentially much faster and less memory
> > > >intensive.
> > > >
> > > >     -jmc
> > >
> > >
> > >
> > >=============================================================
> > ==============
> > >To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff
> > >JSP-INTEREST".
> > >For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST
> > >DIGEST".
> > >Some relevant FAQs on JSP/Servlets can be found at:
> > >
> > >  http://archives.java.sun.com/jsp-interest.html
> > >  http://java.sun.com/products/jsp/faq.html
> > >  http://www.esperanto.org.nz/jsp/jspfaq.jsp
> > >  http://www.jguru.com/faq/index.jsp
> > >  http://www.jspinsider.com
> > >
> >
> >
> >
>

