Hi y'all,
last week there was a short note in some German computer magazine that
there are problems with Apache and SQL-based authentication, because
very often the query strings were put together from the data the user
provided in the login dialog without any checks. And this is the crucial
point, because you can insert valid SQL as username. With this message in
mind I checked Tomcat's JDBCRealm Interceptor. In method
authenticate(String username, String credentials) it says
    if (preparedAuthenticate == null) {
        // Table and column names come from the realm configuration;
        // the username position is the '?' placeholder, bound below.
        String sql = "SELECT " + userCredCol + " FROM " + userTable +
                     " WHERE " + userNameCol + " = ?";
        if (debug >= 1)
            log("JDBCRealm.authenticate: " + sql);
        preparedAuthenticate = dbConnection.prepareStatement(sql);
    }
    // Perform the authentication search
    preparedAuthenticate.setString(1, username);
So it seems possible to enter SQL, e.g. at least a simple subselect,
as username. Any real JDBC/SQL wizards out there who can make any
comments on this?
Peter
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
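As an added example (not part of Peter's post and not Tomcat's code), the difference the quoted JDBCRealm snippet turns on, reproduced in Python over an in-memory SQLite database: the string-concatenation pattern the magazine note describes, side by side with the placeholder-and-bind pattern the realm uses (`conn.execute(sql, (username,))` is the sqlite3 counterpart of prepareStatement plus setString). The table name, column names, sample accounts and attacker input are all constructed for this example.

```python
import sqlite3

# Constructed stand-in for JDBCRealm's configurable userTable / userNameCol /
# userCredCol; these names are assumptions made for this example.
USER_TABLE = "users"
USER_NAME_COL = "user_name"
USER_CRED_COL = "user_pass"


def make_db():
    """In-memory SQLite database holding three constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"CREATE TABLE {USER_TABLE} "
        f"({USER_NAME_COL} TEXT PRIMARY KEY, {USER_CRED_COL} TEXT NOT NULL)"
    )
    conn.executemany(
        f"INSERT INTO {USER_TABLE} VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2"), ("o'brien", "pw")],
    )
    return conn


def lookup_concat(conn, username):
    """The pattern the magazine note warns about: the login field is pasted
    into the query text, so whatever the user typed is parsed as SQL."""
    sql = (f"SELECT {USER_CRED_COL} FROM {USER_TABLE} "
           f"WHERE {USER_NAME_COL} = '{username}'")
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, username):
    """The JDBCRealm pattern: only table/column names (configuration, not user
    input) are concatenated; the username is bound to the '?' placeholder and
    reaches the engine as a string value, never as part of the SQL text."""
    sql = (f"SELECT {USER_CRED_COL} FROM {USER_TABLE} "
           f"WHERE {USER_NAME_COL} = ?")
    return [row[0] for row in conn.execute(sql, (username,))]


def authenticate(lookup, conn, username, credentials):
    """Mirror of the realm's flow: fetch the stored credential for the given
    username, then compare. Exactly one row must come back (our choice here)."""
    rows = lookup(conn, username)
    return len(rows) == 1 and rows[0] == credentials


def breaks_on_quote(lookup, conn, username):
    """True if the lookup cannot even handle an apostrophe in a legitimate
    username; the same defect, visible without any attacker involved."""
    try:
        lookup(conn, username)
    except sqlite3.OperationalError:
        return True
    return False


# Constructed attacker input: the UNION appends a row whose "credential" the
# attacker chose, and '--' comments out the closing quote the code appends.
BYPASS_USER = "nobody' UNION SELECT 'letmein' --"
BYPASS_PASS = "letmein"

if __name__ == "__main__":
    conn = make_db()
    print("concat,   bypass :", authenticate(lookup_concat, conn, BYPASS_USER, BYPASS_PASS))
    print("prepared, bypass :", authenticate(lookup_prepared, conn, BYPASS_USER, BYPASS_PASS))
    print("prepared, alice  :", authenticate(lookup_prepared, conn, "alice", "s3cret"))
    print("concat breaks on o'brien  :", breaks_on_quote(lookup_concat, conn, "o'brien"))
    print("prepared breaks on o'brien:", breaks_on_quote(lookup_prepared, conn, "o'brien"))
```

Running it shows the UNION payload logging in through the concatenated query and being rejected by the bound one, where the whole string is just a username that matches no row; the apostrophe in o'brien likewise raises a syntax error only in the concatenated version. The column and table names are still concatenated in both variants, which is only safe because they come from the deployment's configuration rather than from the request.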