Form login
am 06.11.2007 20:55:03 von PaulO
Hi, how can I do a form login that user types login and pwd and it
authenticates from xml file, because if "select login,pwd from tbluser where
login=txtTypedLogin and pwd=txtTypedPwd" on access db is not safe... dont u
think? any alternatives?
Thanks!
Re: Form login
am 06.11.2007 21:07:29 von reb01501
Paulo wrote:
> Hi, how can I do a form login that user types login and pwd and it
> authenticates from xml file, because if "select login,pwd from
> tbluser where login=txtTypedLogin and pwd=txtTypedPwd" on access db
> is not safe... dont u think? any alternatives?
>
If you are using dynamic sql then yes, you are leaving yourself
vulnerable to sql injection:
http://mvp.unixwiz.net/techtips/sql-injection.html
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
See here for a better, more secure way to execute your queries by using
parameter markers:
http://groups-beta.google.com/group/microsoft.public.inetser ver.asp.db/msg/72e36562fee7804e
Personally, I prefer using stored procedures, or saved parameter queries
as
they are known in Access:
Access:
http://www.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&sel m=e6lLVvOcDHA.1204%40TK2MSFTNGP12.phx.gbl
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&c2coff=1& selm=eHYxOyvaDHA.4020%40tk2msftngp13.phx.gbl
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
Re: Form login
am 24.11.2007 20:05:41 von Brynn
On Nov 6, 2:07 pm, "Bob Barrows [MVP]"
wrote:
> Paulo wrote:
> > Hi, how can I do a form login that user types login and pwd and it
> > authenticates from xml file, because if "select login,pwd from
> > tbluser where login=txtTypedLogin and pwd=txtTypedPwd" on access db
> > is not safe... dont u think? any alternatives?
>
> If you are using dynamic sql then yes, you are leaving yourself
> vulnerable to sql injection:http://mvp.unixwiz.net/techtips/sql-injection.html http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
>
> See here for a better, more secure way to execute your queries by using
> parameter markers:http://groups-beta.google.com/group/microsoft.public .inetserver.asp.d...
>
> Personally, I prefer using stored procedures, or saved parameter queries
> as
> they are known in Access:
>
> Access:http://www.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UT F-8&selm=e6lLVvO...
>
> http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&c2coff=1& selm=eHYx...
>
> --
> Microsoft MVP -- ASP/ASP.NET
> Please reply to the newsgroup. The email account listed in my From
> header is my spam trap, so I don't check it very often. You will get a
> quicker response by posting to the newsgroup.
Aren't you only leaving yourself open for sql injection if you don't
make sure that certain characters aren't in the string before you
allow them into your sql string. Like making sure that they are number
and letters only first with scripts.
Re: Form login
am 24.11.2007 22:50:24 von reb01501
Brynn wrote:
>>
> Aren't you only leaving yourself open for sql injection if you don't
> make sure that certain characters aren't in the string before you
> allow them into your sql string. Like making sure that they are number
> and letters only first with scripts.
No. That's a start, but clever hackers can find ways to defeat
security-by-validation-only. Go back and look at the links I posted. They
show a couple ways, but there are more.
The only way to be sure of preventing SQL Injection is to not use
concatenation to build query strings. Use parameters. Not only are they more
secure, they are also easier to use (you don't have to worry about
delimiters, for starters). Definitely a win-win solution, in my mind.
Don't neglect server-side validation of user inputs just because you are
using parameters. You want to be able to detect hack attempts at an early
stage...
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
Re: Form login
am 28.11.2007 20:51:48 von Brynn
On Nov 24, 3:50 pm, "Bob Barrows [MVP]"
wrote:
> Brynn wrote:
>
> > Aren't you only leaving yourself open for sql injection if you don't
> > make sure that certain characters aren't in the string before you
> > allow them into your sql string. Like making sure that they are number
> > and letters only first with scripts.
>
> No. That's a start, but clever hackers can find ways to defeat
> security-by-validation-only. Go back and look at the links I posted. They
> show a couple ways, but there are more.
>
> The only way to be sure of preventing SQL Injection is to not use
> concatenation to build query strings. Use parameters. Not only are they more
> secure, they are also easier to use (you don't have to worry about
> delimiters, for starters). Definitely a win-win solution, in my mind.
>
> Don't neglect server-side validation of user inputs just because you are
> using parameters. You want to be able to detect hack attempts at an early
> stage...
>
> --
> Microsoft MVP - ASP/ASP.NET
> Please reply to the newsgroup. This email account is my spam trap so I
> don't check it very often. If you must reply off-line, then remove the
> "NO SPAM"
Thanks for those links Bob ... I am going to read every page of those
sites.