Suggestion. If your servlet container is Tomcat, you can set up the security and activate the login management directly within Tomcat:
. set up the security (role name) in the web.xml file from the WEB-INF folder of your application path
. define the database connection and the security tables and columns to use in the target database in the server.xml file from the conf folder of Tomcat.
It avoids a lot of 'levels of hacking'... as long as your conf folders do not reside in standard installation folders. Moreover, no coding is required, and you don't have to take care of managing connections along sessions.
Cheers.
Laurent
----- Original Message -----
From: "Erik Beijnoff" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, June 14, 2004 2:59 PM
Subject: Re: creating password authentication servlet with mysql db

> >Just a side note. Be sure to force some pretty tight constraints on your passwords.
> >You should eliminate any ' and " from being allowable characters in the password
> >field of your DB and should check the user input from the web page for these
> >characters prior to comparing it to values in your DB. For instance, say your
> >query to verify the username/password ended with:
> >
> >  "...WHERE username = '" + req.getParameter("username") + "' AND pwd = '"
> >  + req.getParameter("pwd") + "'");
> >
> >Hackers can exploit this by entering username "anything" and password "hi' OR
> >'a' = 'a", for example. In other words, allowing the ' and " characters
> >enables hackers to enter their own SQL code and potentially subvert the
> >verification process.
>
> A better approach I believe would be to do a replacement of all reserved
> SQL characters wherever they appear in the SQL phrase parameters instead
> of doing a validation.
>
> In this code snippet that would mean replacing all " and ' with their
> escaped equivalents just before the query is executed instead of not
> allowing them. That way your program does not rely on some validation of
> characters but instead guarantees that whatever String is passed to the
> query, the query can handle it.
>
> Regards Erik
>
> ___________________________________________________________________________
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> of the message "signoff SERVLET-INTEREST".
> Archives: http://archives.java.sun.com/archives/servlet-interest.html
> Resources: http://java.sun.com/products/servlet/external-resources.html
> LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
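Laurent's two steps as concrete configuration, added here as an example and not taken from his message or from any Tomcat distribution. It assumes a MySQL database named `authority`, a database account `tomcat`, tables `users(user_name, user_pass)` and `user_roles(user_name, role_name)`, a role named `member` and a protected URL space `/secure/*`; all of these names are assumptions and would be adapted to the application.

```xml
<!-- web.xml (in the application's WEB-INF folder): declare which URLs are protected,
     which role is required, and that Tomcat should drive a form-based login.
     Role name, URL pattern and page names are assumptions for this example. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Members area</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>member</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Application</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>member</role-name>
</security-role>

<!-- server.xml (Tomcat conf folder), placed inside the <Engine>, <Host> or <Context>
     element: a JDBCRealm that looks users and roles up in MySQL. Database name,
     account, table and column names are assumptions for this example. -->
<Realm className="org.apache.catalina.realm.JDBCRealm"
       driverName="com.mysql.jdbc.Driver"
       connectionURL="jdbc:mysql://localhost/authority?user=tomcat&amp;password=changeit"
       userTable="users" userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name" />
```

With this in place the login page only has to post fields named `j_username` and `j_password` to the action `j_security_check`; Tomcat runs the lookup against the realm with bound parameters, so the application never builds a credential query itself. Two points to check when doing it this way: the `connectionURL` carries the database password in clear, so `conf/server.xml` should be readable only by the account Tomcat runs as (this is the concern behind Laurent's remark about where the conf folder lives), and the database account used by the realm needs nothing more than SELECT on the two tables.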
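The three positions taken in the quoted exchange (ban the quote characters, escape them, or keep values out of the SQL text altogether) side by side, as an added example that is not part of the original thread. It uses Python's `sqlite3` as a stand-in for the servlet's JDBC/MySQL code, with a constructed in-memory `users` table; the user names and passwords are invented for the demonstration, and the vulnerable function deliberately keeps the shape of the query quoted above.

```python
import sqlite3

# Constructed sample data standing in for the MySQL user table in the thread
# (passwords stored in clear, as in the original discussion).
SAMPLE_USERS = [
    ("alice", "s3cret"),
    ("bob", "o'neil"),   # a legitimate password that contains a quote
]

INJECTED_PASSWORD = "hi' OR 'a' = 'a"   # the payload quoted in the thread


def make_db():
    """Create an in-memory database holding the constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn, username, pwd):
    """Vulnerable: same shape as the servlet query quoted in the thread.
    The request parameters become part of the SQL text."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND pwd = '" + pwd + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_escaped(conn, username, pwd):
    """Erik's approach: escape the quote characters before concatenation.
    Inside a '...' literal only the single quote is special, so it is doubled."""
    def esc(s):
        return s.replace("'", "''")
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + esc(username)
           + "' AND pwd = '" + esc(pwd) + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn, username, pwd):
    """Parameterised query: the driver binds the values, which are never
    parsed as SQL, so no character has to be banned or escaped."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND pwd = ?",
        (username, pwd)).fetchone()
    return row[0] > 0


def run_all():
    """Run the three variants against the injection payload, against bob's
    quote-containing password and against alice's plain one.
    A query that fails to parse is reported as 'error'."""
    variants = (("concat", login_concat),
                ("escaped", login_escaped),
                ("param", login_param))
    results = {}
    for name, fn in variants:
        conn = make_db()
        for label, user, pwd in (("injected", "anything", INJECTED_PASSWORD),
                                 ("bob", "bob", "o'neil"),
                                 ("alice", "alice", "s3cret")):
            try:
                results[name + "/" + label] = fn(conn, user, pwd)
            except sqlite3.OperationalError:
                results[name + "/" + label] = "error"
    return results


if __name__ == "__main__":
    for key, value in sorted(run_all().items()):
        print(key, value)
```

The concatenated query lets the injected password log in as `anything` and breaks outright on bob's legitimate password; both the escaped and the parameterised version reject the payload and accept bob, so the first poster's ban on quote characters is not needed. One caveat on the escaping route: the doubling rule above matches the standard literal syntax, but MySQL by default also treats a backslash as an escape inside string literals, so a password of `\' OR 1=1 -- ` (trailing space included) survives it: the doubled quote is read as `\'` followed by a closing `'`, and the rest runs as SQL. The escaping has to track the server's dialect and session settings, which is why binding the values (a `?` placeholder here, `PreparedStatement` in JDBC) is the approach that does not depend on getting that right.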