IIS ASP - Web application security

gdp

2004-05-30, 11:53 am

Hi...

I have to allow access for administrators to sections of my website which
contain sensitive data. There is a link on the homepage called "Admin
Login". They are asked for a PIN number which is a random four letter four
number combo and if they get that correct then have to enter their personal
username and password.

The text field inputs are cleaned before being used to make up dynamic SQL
by replacing all apostrophes with the below function

' Double every apostrophe so the value can sit inside a quoted SQL literal
function clean(clean_this)
    clean = trim(replace(clean_this, "'", "''"))
end function


Is this all safe....I am slightly uneasy about having the login on the
website and it could be hidden in a special link only given to admins - but
this is the same mechanism that ebay and amazon etc rely on to let people
log in....

Could somebody please advise me of any dangers of this approach

thanks

gdp


Captain Flack

2004-05-30, 11:53 am

gdp wrote:

> Hi...
>
> I have to allow access for administrators to sections of my website which
> contain sensitive data. There is a link on the homepage called "Admin
> Login". They are asked for a PIN number which is a random four letter four
> number combo and if they get that correct then have to enter their personal
> username and password.
>
> The text field inputs are cleaned before being used to make up dynamic SQL
> by replacing all apostrophes with the below function
>
> function clean(clean_this)
> clean=trim(replace(clean_this,"'","''"))
> end function
>
>
> Is this all safe....I am slightly uneasy about having the login on the
> website and it could be hidden in a special link only given to admins - but
> this is the same mechanism that ebay and amazon etc rely on to let people
> log in....


One additional security measure against SQL injection is to check that
the username and password exist once you've pulled out the user record.

For example, to see if user is valid:

SELECT * FROM users WHERE user_name='myname' AND user_pw='mypassword'

Run this to pull out a recordset. First step is to check the recordcount
is 1, i.e. you have found the record (user exists).

But then you should check the username and password you pulled out with
this query against the ones entered by the user.

For example

If rs("user_name")<>"myname" OR rs("user_pw")<>"mypassword" then
response.redirect("error.asp")
End if

Even if you didn't use your clean function and someone codes an
injection attack to return a record, the username and password pulled
out won't match what they entered (because they entered SQL code, not a
username/password) and they'll get bounced to your error page.



--

captain_flackTONYBLAIRFROMOFFICE@hotmail.com

(remove Tony Blair from office to contact me)


Bob Barrows [MVP]

2004-05-30, 11:53 am

gdp wrote:
> Hi...
>
> I have to allow access for administrators to sections of my website
> which contain sensitive data. There is a link on the homepage called
> "Admin Login". They are asked for a PIN number which is a random
> four letter four number combo and if they get that correct then have
> to enter their personal username and password.
>
> The text field inputs are cleaned before being used to make up
> dynamic SQL by replacing all apostrophes with the below function
>
> function clean(clean_this)
> clean=trim(replace(clean_this,"'","''"))
> end function
>
>
> Is this all safe....I am slightly uneasy about having the login on the
> website and it could be hidden in a special link only given to admins
> - but this is the same mechanism that ebay and amazon etc rely on to
> let people log in....
>
> Could somebody please advise me of any dangers of this approach
>
> thanks
>
> gdp


The best defense against SQL injection is to avoid dynamic SQL. Pass
parameters to stored procedures (or saved parameter queries if Jet).

Bob Barrows
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.


Alan Howard

2004-05-30, 11:53 am

Consider creating a stored proc that takes two params and returns a
bit/bool, not a recordset. The proc can test the supplied username/password
and return a true/false indication; there is no need to return the username
and password to your application, where the values could potentially be
sniffed, and it avoids the whole dynamic SQL issue.

e.g. (untested)

-- Sets @success to 1 when a row matches both values, 0 otherwise;
-- the credentials themselves never leave the database.
create proc usp_Admin_TestLogin
    @username varchar(50),
    @password varchar(20),
    @success  bit output
as
    if exists (select * from Users
               where username = @username and password = @password)
        set @success = 1
    else
        set @success = 0

    return 0
go


Alan



"gdp" <gp014i0613@blueyonder.co.uk> wrote in message
news:FOZsc.14132$UM1.14042@pathologist.blueyonder.net...
> Hi...
>
> I have to allow access for administrators to sections of my website which
> contain sensitive data. There is a link on the homepage called "Admin
> Login". They are asked for a PIN number which is a random four letter four
> number combo and if they get that correct then have to enter their personal
> username and password.
>
> The text field inputs are cleaned before being used to make up dynamic SQL
> by replacing all apostrophes with the below function
>
> function clean(clean_this)
> clean=trim(replace(clean_this,"'","''"))
> end function
>
>
> Is this all safe....I am slightly uneasy about having the login on the
> website and it could be hidden in a special link only given to admins - but
> this is the same mechanism that ebay and amazon etc rely on to let people
> log in....
>
> Could somebody please advise me of any dangers of this approach
>
> thanks
>
> gdp
>
>
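The three login-check styles discussed in this thread side by side, as an added example that is not code from any of the posters: a Python/sqlite3 analogue of the classic ASP/ADO and T-SQL shown above. It covers gdp's apostrophe-doubling clean() feeding dynamic SQL, Captain Flack's re-comparison of the fetched row against what the user typed, and the Bob Barrows/Alan Howard approach of a parameterised query that returns only a true/false result. The function names (login_dynamic, login_dynamic_rechecked, login_param, make_db), the users table with user_name/user_pw columns and the sample rows are my own assumptions; the plaintext user_pw column is kept only to mirror the thread's SELECT.

```python
"""
Added example (not from the newsgroup thread): Python/sqlite3 analogue of
the three login checks discussed above.

  1. login_dynamic           - dynamic SQL with apostrophes doubled by clean()
  2. login_dynamic_rechecked - same query, then compare the fetched row with
                               the submitted values (Captain Flack's check)
  3. login_param             - parameterised query returning only a boolean,
                               never the stored credentials (stored-proc idea)
"""
import sqlite3


def clean(clean_this: str) -> str:
    """Python port of the VBScript clean(): trim, then double every apostrophe."""
    return clean_this.strip().replace("'", "''")


def make_db() -> sqlite3.Connection:
    """Constructed sample data, in memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_name TEXT, user_pw TEXT)")
    # Second row contains apostrophes so the escaping path is exercised.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("myname", "mypassword"), ("o'brien", "pa'ss")],
    )
    conn.commit()
    return conn


def _dynamic_query(user_name: str, user_pw: str) -> str:
    # String concatenation exactly as the original ASP page would build it.
    return (
        "SELECT user_name, user_pw FROM users WHERE user_name='"
        + clean(user_name) + "' AND user_pw='" + clean(user_pw) + "'"
    )


def login_dynamic(conn: sqlite3.Connection, user_name: str, user_pw: str) -> bool:
    """1. Dynamic SQL built from clean()-ed input; success = exactly one row."""
    rows = conn.execute(_dynamic_query(user_name, user_pw)).fetchall()
    return len(rows) == 1


def login_dynamic_rechecked(conn: sqlite3.Connection, user_name: str, user_pw: str) -> bool:
    """2. Same query, then Captain Flack's re-comparison of the fetched row.

    The comparison is against the raw (trimmed) submitted values, not the
    clean()-ed ones: the stored value is o'brien, not o''brien.
    """
    rows = conn.execute(_dynamic_query(user_name, user_pw)).fetchall()
    if len(rows) != 1:
        return False
    row_name, row_pw = rows[0]
    # A row reached by anything other than the literal credentials fails here.
    return row_name == user_name.strip() and row_pw == user_pw.strip()


def login_param(conn: sqlite3.Connection, user_name: str, user_pw: str) -> bool:
    """3. Parameterised query returning only a bit, like usp_Admin_TestLogin.

    The driver binds the values; no escaping is needed and no row is returned
    to the application.
    """
    row = conn.execute(
        "SELECT EXISTS(SELECT 1 FROM users WHERE user_name=? AND user_pw=?)",
        (user_name.strip(), user_pw.strip()),
    ).fetchone()
    return bool(row[0])


if __name__ == "__main__":
    db = make_db()
    for name, pw in [("myname", "mypassword"), ("o'brien", "pa'ss"), ("myname", "wrong")]:
        print(name, login_dynamic(db, name, pw),
              login_dynamic_rechecked(db, name, pw), login_param(db, name, pw))
```

Note that with the parameterised form a submitted value of pa''ss is just the six-character string pa''ss and does not match pa'ss, whereas in the concatenated form it is clean() that turns it into a literal the SQL parser reads as pa''ss; either way the login fails, but only the parameterised version gets there without the application having to reason about SQL quoting at all.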



gdp

2004-05-30, 11:54 am

thanks for the advice...appreciated


"gdp" <gp014i0613@blueyonder.co.uk> wrote in message
news:FOZsc.14132$UM1.14042@pathologist.blueyonder.net...
> Hi...
>
> I have to allow access for administrators to sections of my website which
> contain sensitive data. There is a link on the homepage called "Admin
> Login". They are asked for a PIN number which is a random four letter four
> number combo and if they get that correct then have to enter their personal
> username and password.
>
> The text field inputs are cleaned before being used to make up dynamic SQL
> by replacing all apostrophes with the below function
>
> function clean(clean_this)
> clean=trim(replace(clean_this,"'","''"))
> end function
>
>
> Is this all safe....I am slightly uneasy about having the login on the
> website and it could be hidden in a special link only given to admins - but
> this is the same mechanism that ebay and amazon etc rely on to let people
> log in....
>
> Could somebody please advise me of any dangers of this approach
>
> thanks
>
> gdp
>
>



Copyright 2003 - 2008 webservertalk.com