Hello:

Wow, this is a really cool discussion. I'm not Bob :) but how about
stripping white spaces from the username and password strings before sending
the query back to the DB?

That should solve most if not all problems with "embedded" statements.

Syed

-----Original Message-----
From: Chen, Gin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 15, 2001 12:20 PM
To: [EMAIL PROTECTED]
Subject: Re: Login Authentication against database...


That's interesting. I didn't realize that he meant it as a single string
value.
Actually what you mean is that the query would be
"select * from username='x' or 1=1 --' and password='x'"
Notice that the extra ' that gave me an error before is not behind the
comment marker

Nice Catch Bob. Now what security measure do you suggest?
-Tim

-----Original Message-----
From: David Nguyen [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 15, 2001 12:53 PM
To: [EMAIL PROTECTED]
Subject: Re: Login Authentication against database...


Interesting.
Actually what he wanted to point out is a possible loophole in the
authentication method discussed.
I can imagine if this query is launched:
"select * from username='anybody' or 1=1 -- and password='tiger'"
then anybody can access the application (since the -- would make the
password irrelevant).

With Bob's parameter, the query would be
"select * from username='anybody'' or 1=1' -- and password='tiger'"
here the string anybody is 'anybody" or 1=1'
(I didn't try though)

david
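
As an added example that is not part of this thread, the query David describes run against an in-memory SQLite database, with the string-concatenation pattern the list is discussing beside a parameterised query that answers Tim's question about a security measure (the table, column names and the stored row are constructed assumptions):

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the login table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    conn.execute("insert into users values ('alice', 'tiger')")
    conn.commit()
    return conn

def login_concat(conn, username, password):
    """The pattern under discussion: user input pasted into the SQL text.
    A username of  anybody' or 1=1 --  turns the statement into
    select * from users where username='anybody' or 1=1 --' and password='...'
    and the comment marker swallows the password check."""
    sql = ("select * from users where username='" + username
           + "' and password='" + password + "'")
    return conn.execute(sql).fetchone() is not None

def login_param(conn, username, password):
    """Parameterised form: the driver binds the values, so quotes and --
    inside the input are compared as data and never parsed as SQL."""
    sql = "select * from users where username=? and password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None

def demo():
    """Run both forms with a real credential and with the thread's payload."""
    conn = make_db()
    payload = "anybody' or 1=1 --"   # the username value from David's message
    return {
        "concat_valid": login_concat(conn, "alice", "tiger"),    # True
        "concat_payload": login_concat(conn, payload, "wrong"),  # True: bypassed
        "param_valid": login_param(conn, "alice", "tiger"),      # True
        "param_payload": login_param(conn, payload, "wrong"),    # False: rejected
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'denied'}")
```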

-----Original Message-----
From: A mailing list about Java Server Pages specification and reference
[mailto:[EMAIL PROTECTED]]On Behalf Of Joe Cheng
Sent: Thursday, November 15, 2001 9:33 AM
To: [EMAIL PROTECTED]
Subject: Re: Login Authentication against database...


Celeste,

what's a "more secure" means?  now you've got me curious.

and Bob wasn't pointing out a loophole, just calling attention to the
non-escaped values in the SQL statement below.

-jmc

===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff
JSP-INTEREST".
For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST
DIGEST".
Some relevant FAQs on JSP/Servlets can be found at:

 http://archives.java.sun.com/jsp-interest.html
 http://java.sun.com/products/jsp/faq.html
 http://www.esperanto.org.nz/jsp/jspfaq.jsp
 http://www.jguru.com/faq/index.jsp
 http://www.jspinsider.com
