> Just a side note. Be sure to force some pretty tight constraints on your passwords.
> You should eliminate any ' and " from being allowable characters in the password
> field of your DB and should check the user input from the web page for these
> characters prior to comparing it to values in your DB. For instance, say your
> query to verify the username/password ended with:
>
>     "...WHERE username = '" + req.getParameter("username") + "' AND pwd = '"
>     + req.getParameter("pwd") + "'");
>
> Hackers can exploit this by entering username "anything" and password "hi' OR
> 'a' = 'a", for example. In other words, allowing the ' and " characters
> enables hackers to enter their own SQL code and potentially subvert the
> verification process.

A better approach I believe would be to do a replacement of all reserved SQL characters wherever they appear in the SQL phrase parameters instead of doing a validation. In this code snippet that would mean replacing all " and ' with their escaped equivalents just before the query is executed instead of not allowing them. That way your program does not rely on some validation of characters but instead guarantees that whatever String is passed to the query, the query can handle it.

Regards
Erik
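As an added example (not part of Erik's post or the thread), the script below reproduces the quoted password check three ways, concatenated as in the quoted servlet snippet, with Erik's quote-replacement applied to the parameters, and with bound query parameters, and runs the page's own "hi' OR 'a' = 'a" input through each. The user table, the sqlite3 stand-in for the servlet's JDBC database and all function names are assumptions.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for the servlet's DB."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db


def login_concat(db, username, pwd):
    """The quoted servlet pattern: input pasted straight into the SQL text."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND pwd = '" + pwd + "'")
    return db.execute(sql).fetchone()[0] > 0


def login_escaped(db, username, pwd):
    """Erik's suggestion: replace reserved characters in the parameters before
    building the query. SQLite escapes a quote inside a literal by doubling it;
    other databases have other rules, so this step is dialect-specific."""
    return login_concat(db, username.replace("'", "''"), pwd.replace("'", "''"))


def login_bound(db, username, pwd):
    """Hardened form: the query text is fixed and the values travel as bound
    parameters, so quote characters in the input are data, never SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND pwd = ?"
    return db.execute(sql, (username, pwd)).fetchone()[0] > 0


def demo():
    """Run a valid login and the page's bypass input through all three checks."""
    db = make_db()
    bypass = "hi' OR 'a' = 'a"   # the password from the quoted message
    return {
        "concat_valid": login_concat(db, "alice", "s3cret"),
        "concat_bypass": login_concat(db, "anything", bypass),   # True: tail is OR 'a' = 'a'
        "escaped_valid": login_escaped(db, "alice", "s3cret"),
        "escaped_bypass": login_escaped(db, "anything", bypass),  # False: quotes are literal
        "bound_valid": login_bound(db, "alice", "s3cret"),
        "bound_bypass": login_bound(db, "anything", bypass),      # False: value never parsed
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

Both the escaped and the bound variants reject the bypass here; the difference is that the bound form does not depend on knowing the target database's quoting rules.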