Bob V� wrote:
> Hi all,
>
> Wow, look what I started. Sorry, I could not reply during the day (at
> client site). Chris, David and Hans and others were right. If you are
> using the simple login authentication that was discussed here earlier, you
> will have to be careful. For example, the SQL discussed was:
>
> SELECT * FROM SAMM.UsersLogin
> WHERE UserLoginId ='"+username+
> "' AND UserPassword = '"+password+"'";
>
> When the hacker enters the following on your login page:
>
> UserName: x' or 1=1--
> Password: x
>
> The SQL would be
>
> SELECT * FROM SAMM.UsersLogin
> WHERE UserLoginId ='x' or 1=1--' AND UserPassword = 'x'";
>
> which would really be:
> SELECT * FROM SAMM.UsersLogin
> WHERE UserLoginId ='x' or 1=1
>
> because anything after -- is a comment
>
> Well, if the code discussed in the original email:
> if( myResultSet.next() ) {
> // we have a valid user!
> }
>
> is used to check for valid user, then bingo, you're in because your SQL
> will return all rows in the table.
>
> One way to resolve this is to use the JDBC PreparedStatement as
> discussed by Chris below or use JS to strip invalid characters before
> sending to the server. Of course, this is the easiest to do and will
> prevent the majority of the amateur hackers.
>
> Just a bit of warning to the JSP coders out there. Be careful and alert
> about possible loopholes in your security codes.
Be careful is correct, but that includes not relying on "JS to strip
invalid characters before sending to the server" ;-) It's easy to
disable JavaScript in a browser, and some don't support it to
begin with. Therefore you must always validate the data on the server,
even if you use JS in the client to provide a more interactive interface
for those that have JS activated. I suggest you look into using
PreparedStatements. It's not rocket science and it solves the problem
nicely. Even better, use a custom tag library that removes all the
scripting code for stuff like this from the JSP pages. Two free
examples I know of:
* The tag library described in my JSP book:
<http://TheJSPBook.com/>
* The dbtags library at Jakarta Taglibs:
<http://jakarta.apache.org/taglibs/>
My company also sells a commercial tag library with this functionality,
and a lot more:
* InstantOnline Basic
<http://www.gefionsoftware.com/InstantOnline/Basic/>
Hans
--
Hans Bergsten [EMAIL PROTECTED]
Gefion Software http://www.gefionsoftware.com
Author of JavaServer Pages (O'Reilly), http://TheJSPBook.com
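As an added illustration (not code from the thread or from any of the libraries Hans mentions), the two login checks side by side: the concatenated query from Bob's message and the placeholder-based version Hans recommends. Python's sqlite3 stands in for JDBC, the table and column names follow the quoted SQL (SQLite has no schemas, so the `SAMM.` prefix is dropped), and the two user rows are constructed.

```python
import sqlite3


def make_db():
    # Constructed in-memory table mirroring SAMM.UsersLogin from the thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UsersLogin (UserLoginId TEXT, UserPassword TEXT)")
    conn.executemany("INSERT INTO UsersLogin VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_concat(conn, username, password):
    # Vulnerable: string concatenation, exactly as in the quoted JSP code.
    # A quote in the input ends the string literal and "--" comments out
    # the password clause, so the WHERE becomes "UserLoginId ='x' or 1=1".
    sql = ("SELECT * FROM UsersLogin WHERE UserLoginId ='" + username +
           "' AND UserPassword = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row is not None  # same decision as "if (myResultSet.next())"


def login_prepared(conn, username, password):
    # Fixed: placeholders, the equivalent of JDBC PreparedStatement. The SQL
    # text is fixed and the values travel separately, so quotes and "--"
    # in the input are compared as plain data and never parsed as SQL.
    sql = "SELECT * FROM UsersLogin WHERE UserLoginId = ? AND UserPassword = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print(login_concat(db, "x' or 1=1--", "x"))    # True: every row matches
    print(login_prepared(db, "x' or 1=1--", "x"))  # False: no such user
    print(login_prepared(db, "alice", "s3cret"))   # True: real credentials
```

The same placeholder technique applies to every query that embeds user input, not only the login check; stripping characters in the browser does nothing for a request sent without the page's JavaScript.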
===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST DIGEST".
Some relevant FAQs on JSP/Servlets can be found at:
http://archives.java.sun.com/jsp-interest.html
http://java.sun.com/products/jsp/faq.html
http://www.esperanto.org.nz/jsp/jspfaq.jsp
http://www.jguru.com/faq/index.jsp
http://www.jspinsider.com