Firstly, thanks very much to Bob for flagging this. For my user authentication with simple form-based/database login I'm doing the following:

sql query: "select * from users"

I then scroll through the ResultSet checking for username/password matches with the String.equals() method. Because the sql query is not built with any user input a would-be cracker can't affect it, which I would have thought would make this method more secure. I should point out that this is going to be a fairly low traffic site (maybe 100 hits a day) with a fairly small number of users. I realise that this would entail a performance hit on the database if I had a large number of users. I've also got a string formatting bean which strips special characters out of user input at the login page.

Is this an acceptable method (code/performance-wise) for a small site do you think, or would I be better using a more selective query given that my string formatting bean would stop this exploit anyway?

thanks,
Paul

> -----Original Message-----
> From: Bob V� [mailto:[EMAIL PROTECTED]]
> Sent: 16 November 2001 06:46
> To: [EMAIL PROTECTED]
> Subject: Re: Login Authentication against database...
>
> Hi all,
>
> Wow, look what I started. Sorry, I could not reply during the day (at
> client site). Chris, David and Hans and others were right. If you are
> using the simple login authentication that was discussed here earlier, you
> will have to be careful. For example, the SQL discussed was:
>
> SELECT * FROM SAMM.UsersLogin
> WHERE UserLoginId ='"+username+"' AND UserPassword = '"+password+"'";
>
> When the hacker enters the following on your login page:
>
> UserName: x' or 1=1--
> Password: x
>
> The SQL would be
>
> SELECT * FROM SAMM.UsersLogin
> WHERE UserLoginId ='x' or 1=1--' AND UserPassword = 'x'
>
> which would really be:
>
> SELECT * FROM SAMM.UsersLogin
> WHERE UserLoginId ='x' or 1=1
>
> because anything after -- is a comment.
>
> Well, if the code discussed in the original email:
>
> if( myResultSet.next() ) {
>     // we have a valid user!
> }
>
> is used to check for a valid user, then bingo, you're in because your SQL will
> return all rows in the table.
>
> One way to resolve this is to use the JDBC PreparedStatement as discussed by
> Chris below, or use JS to strip invalid characters before sending to the
> server. Of course, this is the easiest to do and will prevent the majority
> of the amateur hackers.
>
> Just a bit of warning to the JSP coders out there. Be careful and alert
> about possible loopholes in your security codes.
>
> Chao.
>
> >From: Chris Tucker <[EMAIL PROTECTED]>
> >Reply-To: A mailing list about Java Server Pages specification and
> >reference <[EMAIL PROTECTED]>
> >To: [EMAIL PROTECTED]
> >Subject: Re: Login Authentication against database...
> >Date: Thu, 15 Nov 2001 09:34:09 -0800
> >
> >Bob,
> >
> >I would hope that people are escaping any SQL characters in the username
> >parameter in the example below...anything else would be plain bad practice.
> >If you want JDBC to handle that stuff for you, you can do it robustly with:
> >
> >String psql = "SELECT * FROM SAMM.UsersLogin WHERE LOWER(UserLoginId) =
> >LOWER(?) AND UserPassword = ?";
> >PreparedStatement psth = conn.prepareStatement(psql);
> >psth.setString(1, username);
> >psth.setString(2, password);
> >ResultSet rs = psth.executeQuery();
> >
> >Chris
> >
> >-----Original Message-----
> >From: A mailing list about Java Server Pages specification and reference
> >[mailto:[EMAIL PROTECTED]]On Behalf Of Bob V�
> >Sent: Thursday, November 15, 2001 7:43 AM
> >To: [EMAIL PROTECTED]
> >Subject: Re: Login Authentication against database...
> >
> >For those of you who use this method of login authentication, use the
> >following username/password in your login page when you're done coding and
> >see what happens:
> >
> >UserName: x' or 1=1--
> >Password: x
> >
> > >From: Chris Tucker <[EMAIL PROTECTED]>
> > >Reply-To: A mailing list about Java Server Pages specification and
> > >reference <[EMAIL PROTECTED]>
> > >To: [EMAIL PROTECTED]
> > >Subject: Re: Login Authentication against database...
> > >Date: Wed, 14 Nov 2001 11:29:59 -0800
> > >
> > >You shouldn't need to do any comparisons at all in your code. Use:
> > >
> > >String sqlStr = "SELECT * FROM SAMM.UsersLogin WHERE LOWER(UserLoginId) =
> > >LOWER('"+username+"') AND UserPassword = '"+password+"'";
> > >stmt = myConn.createStatement();
> > >myResultSet = stmt.executeQuery(sqlStr);
> > >if( myResultSet.next() ) {
> > >    // we have a valid user!
> > >}
> > >else {
> > >    // we don't have a valid user!
> > >}
> > >
> > >And make sure you catch and log any SQLExceptions that may occur, as
> > >they'll help you out no end in debugging...
> > >
> > > -----Original Message-----
> > > From: A mailing list about Java Server Pages specification and reference
> > >[mailto:[EMAIL PROTECTED]]On Behalf Of Praveen Potineni
> > > Sent: Wednesday, November 14, 2001 11:20 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: Login Authentication against database...
> > >
> > > That's exactly what I did. I got only one record and test if the user
> > >exists. Else it goes to login screen.
> > > But I still get the same error. Well I figured that I'm getting a problem
> > >comparing the 2 strings...
> > > string coming out of database and the string entered by user. Can u check
> > >the code and suggest me on this...
> > > Thanks in advance
> > > Praveen
> > >
> > > String sqlStr = "SELECT * FROM SAMM.UsersLogin WHERE UserLoginId =
> > >'"+username+"' AND UserPassword = '"+password+"'";
> > > stmt = myConn.createStatement();
> > > myResultSet = stmt.executeQuery(sqlStr);
> > > if(myResultSet.next() == false)
> > > {
> > >     log("resultset is null.");
> > > }
> > > else{
> > >     log("resultset is true");
> > >
> > >     String uid = myResultSet.getString("UserLoginId");
> > >     String upin = myResultSet.getString("UserPassword");
> > >
> > >     if ((username.equalsIgnoreCase(uid)) &&
> > >         (password.equalsIgnoreCase(upin))){
> > >         validUser = "true";
> > >     }
> > >     else{
> > >         validUser = "false";
> > >     }
> > >     log("validUser is : " +validUser);
> > > }
> > > myResultSet.close();
> > > stmt.close();
> > > }
> > > catch(SQLException sqle){
> > >     //System.out.println("User Does not exist Exception: "+sqle.toString());
> > >     //log("DBObject.validUserExists: Exception: "+sqle.toString());
> > > }
> > > return validUser;
> > > }
> > >
> > > ----- Original Message -----
> > > From: Joe Cheng
> > > To: [EMAIL PROTECTED]
> > > Sent: Wednesday, November 14, 2001 1:45 PM
> > > Subject: Re: Login Authentication against database...
> > >
> > > Praveen-
> > >
> > > It looks like your query is retrieving the whole set of users and then
> > >iterating in Java to see if any of them match the username/password the
> > >user entered. Why would you do that, rather than simply:
> > >
> > > SELECT * FROM users WHERE username = '<username entered by user>' AND
> > > password = '<password entered by user>';
> > >
> > > and see if any rows are returned. If there are no rows, the username
> > >and/or password was wrong. This way you don't have to deal with so much
> > >data, making it potentially much faster and less memory intensive.
> > >
> > > -jmc
> >
> >_________________________________________________________________
> >Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
> >
> >===========================================================================
> >To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
> >For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST DIGEST".
> >Some relevant FAQs on JSP/Servlets can be found at:
> >
> > http://archives.java.sun.com/jsp-interest.html
> > http://java.sun.com/products/jsp/faq.html
> > http://www.esperanto.org.nz/jsp/jspfaq.jsp
> > http://www.jguru.com/faq/index.jsp
> > http://www.jspinsider.com
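The three login styles discussed in this thread (the concatenated query Bob warns about, Chris's PreparedStatement, and Paul's fixed query with comparison in code), side by side as an added example that is not from the thread or any of its authors. It uses Python's sqlite3 module in place of JDBC, because sqlite3's `?` placeholders bind parameters the same way `PreparedStatement.setString` does and the whole thing runs offline; the table, user names and passwords are constructed sample data, and the table has no schema prefix. The probe input is the one Bob posts above; the point of the example is that only the concatenated form accepts it.

```python
import sqlite3

# Constructed sample table standing in for the thread's SAMM.UsersLogin.
# Plaintext passwords are used only to mirror the thread's schema.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UsersLogin (UserLoginId TEXT, UserPassword TEXT)")
    conn.executemany("INSERT INTO UsersLogin VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_concatenated(conn, username, password):
    """The pattern Bob warns about: user input is spliced into the SQL text,
    so a quote character and '--' change the structure of the query."""
    sql = ("SELECT * FROM UsersLogin WHERE UserLoginId = '" + username
           + "' AND UserPassword = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    """Chris's PreparedStatement approach in sqlite3 terms: the '?' placeholders
    are bound as values, so the input is compared as data, never parsed as SQL."""
    sql = "SELECT * FROM UsersLogin WHERE UserLoginId = ? AND UserPassword = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def login_scan_all(conn, username, password):
    """Paul's approach: a fixed query that contains no user input, then an exact
    comparison in code. Injection-safe for the same reason as the parameterized
    form, but it transfers and compares every row on every login attempt."""
    for uid, upw in conn.execute("SELECT UserLoginId, UserPassword FROM UsersLogin"):
        if uid == username and upw == password:  # exact, case-sensitive equals()
            return True
    return False


if __name__ == "__main__":
    db = make_db()
    probe = ("x' or 1=1--", "x")  # the test input Bob posts in the thread
    print("concatenated :", login_concatenated(db, *probe))    # True: the WHERE clause became 1=1
    print("parameterized:", login_parameterized(db, *probe))   # False
    print("scan-all     :", login_scan_all(db, *probe))        # False
```

In `login_concatenated` the `--` from the username turns the rest of the statement into a comment, exactly as Bob describes, so `fetchone()` returns the first row of the table and the function reports a valid login. The other two functions see the username as an ordinary string of thirteen characters that matches nobody. Note also that `login_scan_all` compares with `==`, so the exact-match behaviour of `String.equals()` is kept; Praveen's `equalsIgnoreCase` on the password would accept `S3CRET` for `s3cret`.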
