Better yet, use a prepared statement with the userid and password as parameters. This way, there is no way that content from the browser can alter the SQL statement.
-----Original Message-----
From: A mailing list for discussion about Sun Microsystem's Java Servlet API Technology. [mailto:[EMAIL PROTECTED]] On Behalf Of Erik Beijnoff
Sent: Monday, June 14, 2004 8:59 AM
To: [EMAIL PROTECTED]
Subject: Re: creating password authentication servlet with mysql db

>Just a side note. Be sure to force some pretty tight constraints on your passwords.
>You should eliminate any ' and " from being allowable characters in the password
>field of your DB and should check the user input from the web page for these
>characters prior to comparing it to values in your DB. For instance, say your
>query to verify the username/password ended with:
> "...WHERE username = '" + req.getParameter("username") + "' AND pwd = '"
>+ req.getParameter("pwd") + "'");
>Hackers can exploit this by entering username "anything" and password "hi' OR
>'a' = 'a", for example. In other words, allowing the ' and " characters
>enables hackers to enter their own SQL code and potentially subvert the
>verification process.

A better approach I believe would be to do a replacement of all reserved SQL characters wherever they appear in the SQL phrase parameters instead of doing a validation. In this code snippet that would mean replacing all " and ' with their escaped equivalents just before the query is executed instead of not allowing them. That way your program does not rely on some validation of characters but instead guarantees that whatever String is passed to the query, the query can handle it.

Regards
Erik

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
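The three approaches discussed in this thread side by side, as an added example that is not part of the original messages: the string-built login query quoted above, the quote-escaping variant Erik suggests, and the bound-parameter version the top reply recommends. It uses Python's built-in sqlite3 module with a constructed in-memory user table so it runs without a server; the same principle applies to a JDBC PreparedStatement with `?` placeholders.

```python
import sqlite3


def make_db():
    # Constructed sample data: one account, not taken from the thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def login_concat(conn, username, pwd):
    # Vulnerable: the query text is assembled from raw request values,
    # exactly like the req.getParameter(...) concatenation quoted above.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND pwd = '" + pwd + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_escaped(conn, username, pwd):
    # Erik's approach: escape quotes just before executing. In SQLite a
    # single quote is doubled inside a string literal. It works for this
    # input, but it must be done correctly for every call site, every
    # database dialect and every character set, which is easy to get wrong.
    def esc(s):
        return s.replace("'", "''")
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + esc(username)
           + "' AND pwd = '" + esc(pwd) + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_prepared(conn, username, pwd):
    # Recommended: values are bound to placeholders and sent separately
    # from the SQL text, so no input can change the statement's structure.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND pwd = ?"
    return conn.execute(sql, (username, pwd)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    bad = ("anything", "hi' OR 'a' = 'a")  # the input from the thread
    print("concat   :", login_concat(db, *bad))    # True: login bypassed
    print("escaped  :", login_escaped(db, *bad))   # False
    print("prepared :", login_prepared(db, *bad))  # False
```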