> Hi, how can I do a form login where the user types login and pwd and it
> authenticates from an XML file, because if "select login,pwd from
> tbluser where login=txtTypedLogin and pwd=txtTypedPwd" on an Access db
> is not safe... don't you think? Any alternatives?
If you are using dynamic SQL then yes, you are leaving yourself
vulnerable to SQL injection:
http://mvp.unixwiz.net/techtips/sql-injection.html
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
See here for a better, more secure way to execute your queries by using
parameter markers:
http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e
Personally, I prefer using stored procedures, or saved parameter queries
as they are known in Access:
Access:
http://www.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=e6lLVvOcDHA.1204%40TK2MSFTNGP12.phx.gbl
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&c2coff=1&selm=eHYxOyvaDHA.4020%40tk2msftngp13.phx.gbl

Signature
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
Brynn - 24 Nov 2007 19:05 GMT
On Nov 6, 2:07 pm, "Bob Barrows [MVP]" <reb01...@NOyahoo.SPAMcom>
wrote:
> > Hi, how can I do a form login that user types login and pwd and it
> > authenticates from xml file, because if "select login,pwd from
[quoted text clipped - 20 lines]
> header is my spam trap, so I don't check it very often. You will get a
> quicker response by posting to the newsgroup.
Aren't you only leaving yourself open to SQL injection if you don't
make sure that certain characters aren't in the string before you
allow them into your SQL string? Like making sure that they are numbers
and letters only first with scripts.
Bob Barrows [MVP] - 24 Nov 2007 21:50 GMT
> Aren't you only leaving yourself open to SQL injection if you don't
> make sure that certain characters aren't in the string before you
> allow them into your SQL string? Like making sure that they are numbers
> and letters only first with scripts.
No. That's a start, but clever hackers can find ways to defeat
security-by-validation-only. Go back and look at the links I posted. They
show a couple of ways, but there are more.
The only way to be sure of preventing SQL injection is to not use
concatenation to build query strings. Use parameters. Not only are they more
secure, they are also easier to use (you don't have to worry about
delimiters, for starters). Definitely a win-win solution, in my mind.
Don't neglect server-side validation of user inputs just because you are
using parameters. You want to be able to detect hack attempts at an early
stage...

Signature
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
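The contrast Bob draws in both of his replies above, building the login query by concatenation versus passing the typed values as parameters, and his point that character validation is an early check rather than the defence, as an added example. This is not code from the thread and it is Python with sqlite3 rather than the classic ASP/ADO and Access setup being discussed; the tbluser table, the sample row and the inputs are constructed here. The parameter-marker form carries over directly, since ADO's Command object uses the same `?` placeholders.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the Access table from the original question.
    # The password is stored as typed, exactly as the question's query assumes.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbluser (login TEXT, pwd TEXT)")
    conn.execute("INSERT INTO tbluser VALUES ('alice', 'correcthorse')")
    conn.commit()
    return conn


def login_concat(conn, login, pwd):
    """The pattern from the question: dynamic SQL built by string concatenation.

    Returns True/False for a row match, or None when the typed text broke the
    statement itself (a quote in the input ends the string delimiter early).
    """
    sql = f"SELECT login FROM tbluser WHERE login='{login}' AND pwd='{pwd}'"
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.OperationalError:
        return None


def login_param(conn, login, pwd):
    """The form Bob recommends: parameter markers, values passed separately.

    The driver never splices the text into the SQL, so quotes and other
    delimiters in the input are just data and can only ever be compared.
    """
    sql = "SELECT login FROM tbluser WHERE login=? AND pwd=?"
    return conn.execute(sql, (login, pwd)).fetchone() is not None


def is_plausible_login(value):
    # Brynn's letters-and-digits check, kept as server-side validation in
    # front of the parameterised query: it rejects obviously hostile input
    # early (and is worth logging), but it is not what makes the query safe.
    return 1 <= len(value) <= 64 and value.isalnum()


def authenticate(conn, login, pwd):
    # Validation first, then the parameterised lookup; neither step is skipped.
    if not is_plausible_login(login):
        return False
    return login_param(conn, login, pwd)


if __name__ == "__main__":
    db = make_db()
    print("param, correct pwd :", login_param(db, "alice", "correcthorse"))
    print("param, wrong pwd   :", login_param(db, "alice", "wrong"))
    # A legitimate value containing an apostrophe breaks the concatenated
    # statement outright, which is the delimiter problem Bob mentions.
    print("concat, O'Brien    :", login_concat(db, "alice", "O'Brien"))
    # The textbook tautology from the linked articles turns the WHERE clause
    # into "... OR '1'='1'" under concatenation, but is just a wrong password
    # when passed as a parameter.
    payload = "' OR '1'='1"
    print("concat, tautology  :", login_concat(db, "alice", payload))
    print("param, tautology   :", login_param(db, "alice", payload))
    print("validated, tautology:", authenticate(db, "alice", payload))
```

Running the block prints True, False, None, True, False, False in that order: the concatenated query is both brittle on ordinary input and defeatable, while the parameterised one is neither, and the allow-list check in `authenticate` only narrows what reaches the database.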
Brynn - 28 Nov 2007 19:51 GMT
On Nov 24, 3:50 pm, "Bob Barrows [MVP]" <reb01...@NOyahoo.SPAMcom>
wrote:
> > Aren't you only leaving yourself open for sql injection if you don't
> > make sure that certain characters aren't in the string before you
[quoted text clipped - 19 lines]
> don't check it very often. If you must reply off-line, then remove the
> "NO SPAM"
Thanks for those links Bob ... I am going to read every page of those
sites.