Since we're talking Java here, PreparedStatement is the simple solution to this problem. It's been discussed in more detail here before so search the archives if you don't understand how it solves the problem.
Hans Christian Bollmeyer (GMX) wrote:
Hi everyone, considering the security question, I was kind of short in just recommending SSL. Of course, this is not enough, but this issue just came to my mind afterwards. Probably the two most important statements on security issues are:

1. Never trust your users, and
2. Never trust input data - always validate before processing it.

I'll give an example for that to show what I mean. Consider a common login form, used for sending the credentials to your app. This form, as most others in the real world, sports two fields where the user may enter his username and password, among other things. This information is then sent to your application for further processing, well guarded against all kinds of external attacks by SSL or even a tunnelled IPSEC connection.

Now, how would you authenticate these credentials against an SQL database? The most obvious way would be to have a user table where you store a list of valid users and their passwords. You may even encrypt everything, if you like, it doesn't matter. In any case, somewhere in your application, you issue a SQL statement to validate the credentials given. It may very likely look like this:

  SELECT * FROM valid_users WHERE UPPER(username) = UPPER(:username) AND password = :password

or even

  SELECT '#' FROM valid_users WHERE UPPER(username) = UPPER(:username) AND password = :password

if you don't need additional info and just want to check if the query returns data or not.

Now, user#1 logs in, knowing nothing about technical intricacies and just wanting to do his work. Given that he's listed in the VALID_USERS table, the query is expanded to this:

  SELECT * FROM valid_users WHERE UPPER(username) = UPPER(scott) AND password = tiger

This will work just fine in 99% of all cases. But then, probably someone like me or you enters the scenario, bearing nothing really good in mind for whatever reason thinkable of.

Given that I'd know or guess the login name of the DBA, I could easily enter something like this into the aforementioned login form:

  Username: SYS
  Password: dontKnow OR 1 = 1

If the authentication part of your app is still implemented in the aforementioned way, this, of course, will expand to:

  SELECT '#' FROM valid_users WHERE UPPER(username) = UPPER(:username) AND password = dontKnow OR 1 = 1

Yes. SYS access... let's see what I can do. Always wondered about the mystic DROP DATABASE noone really ever uses... and will they have backups at hand? Serves them right! And so on. But I think you get what I mean. It doesn't suffice to just have secure connections, for this would work fine as well if I'd just be user JohnDoe from the marketing division; SSL, for instance, doesn't make any difference in this direction. So *please* look out for trapholes like this in your app code.

Solution strategies to avoid a possible disaster would have been to simply check for valid characters in the credential strings and reject just that humble '=' sign; with regular expressions, this is just another line, but there are many other strategies ensuring only valid data in the way of [a-zA-Z0-9] may be processed. Just an example, maybe, still one I forgot to mention before.

-- 
Chris (SCPJ2)

-------------------------------------------------------
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST DIGEST".
Some relevant archives, FAQs and Forums on JSPs can be found at:
 http://java.sun.com/products/jsp
 http://archives.java.sun.com/jsp-interest.html
 http://forums.java.sun.com
 http://www.jspinsider.com
-- 
Hans Bergsten <[EMAIL PROTECTED]>
Gefion Software <http://www.gefionsoftware.com/>
Author of O'Reilly's "JavaServer Pages", covering JSP 1.2 and JSTL 1.0
Details at <http://TheJSPBook.com/>
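The PreparedStatement approach recommended in the reply, combined with the character allow-list Chris suggested for the credential strings, as an added example written for this page (it is not code from either poster). It assumes a JDBC Connection obtained elsewhere and the valid_users table with username and password columns described in the quoted mail; the class and method names are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

/** Login check against the valid_users table from the thread, using bound parameters. */
public class LoginCheck {
    // Allow-list from the quoted mail: only [a-zA-Z0-9] is accepted in the username.
    private static final Pattern SAFE_CHARS = Pattern.compile("[a-zA-Z0-9]+");

    static boolean hasOnlySafeChars(String s) {
        return s != null && SAFE_CHARS.matcher(s).matches();
    }

    /**
     * Returns true if a row matches. The '?' placeholders are bound as data by the JDBC
     * driver, so a password such as "dontKnow OR 1 = 1" is compared literally against the
     * stored password column instead of becoming part of the WHERE clause.
     */
    static boolean authenticate(Connection conn, String username, String password)
            throws SQLException {
        String sql = "SELECT '#' FROM valid_users "
                   + "WHERE UPPER(username) = UPPER(?) AND password = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    /**
     * Defence in depth: validate the username first (cheap, and gives a clear rejection),
     * then rely on the bound parameters for the actual comparison. The password is not
     * restricted to [a-zA-Z0-9], since that would only weaken users' passwords; the
     * PreparedStatement already keeps its characters out of the SQL syntax.
     */
    static boolean login(Connection conn, String username, String password)
            throws SQLException {
        if (!hasOnlySafeChars(username)) {
            return false;
        }
        return authenticate(conn, username, password);
    }
}
```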