Web application security


gdp

Hi...

I have to allow access for administrators to sections of my website which
contain sensitive data. There is a link on the homepage called "Admin
Login". They are asked for a PIN, which is a random four-letter, four-number
combo, and if they get that correct they then have to enter their personal
username and password.

The text field inputs are cleaned before being used to make up dynamic SQL
by replacing all apostrophes using the function below:

Function clean(clean_this)
    ' Double each apostrophe so it stays inside the SQL string literal, then trim
    clean = Trim(Replace(clean_this, "'", "''"))
End Function


Is this all safe? I am slightly uneasy about having the login on the
website; it could be hidden in a special link only given to admins, but
this is the same mechanism that eBay and Amazon etc. rely on to let people
log in.

Could somebody please advise me of any dangers of this approach?

thanks

gdp

Captain Flack

gdp said:
[snip]

One additional security measure against SQL injection is to check that
the username and password exist once you've pulled out the user record.

For example, to see if a user is valid:

SELECT * FROM users WHERE user_name='myname' AND user_pw='mypassword'

Run this to pull out a recordset. The first step is to check that the
recordcount is 1, i.e. you have found the record (the user exists).

But then you should check the username and password you pulled out with
this query against the ones entered by the user.

For example:

If rs("user_name") <> "myname" Or rs("user_pw") <> "mypassword" Then
    ' Row came back but does not match what was typed: treat as a failed login
    Response.Redirect("error.asp")
End If

Even if you didn't use your clean function and someone codes an
injection attack to return a record, the username and password pulled
out won't match what they entered (because they entered SQL code, not a
username/password) and they'll get bounced to your error page.

Bob Barrows [MVP]

gdp said:
[snip]

The best defense against sql injection is to avoid dynamic sql. Pass
parameters to stored procedures (or saved parameter queries if Jet).

Bob Barrows

Alan Howard

Consider creating a stored proc that takes two params and returns a
bit/bool, not a recordset. The proc can test the supplied username/password
and return a true/false indication; there is no need to return the username
and password to your application, where the values could potentially be
sniffed, and it avoids the whole dynamic SQL issue.

e.g. (untested)

CREATE PROC usp_Admin_TestLogin
    @username varchar(50),
    @password varchar(20),
    @success  bit OUTPUT
AS
    -- Only a yes/no leaves the database; the stored credentials are never returned
    IF EXISTS (SELECT * FROM Users
               WHERE username = @username AND password = @password)
        SET @success = 1
    ELSE
        SET @success = 0

    RETURN 0
GO


Alan
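The three approaches in this thread side by side, as an added example that is not code from any of the posters. It uses Python with the standard-library sqlite3 module as a stand-in for ASP and SQL Server, so the stored procedure is replaced by a parameterized query that returns only true/false, which is the property Alan's proc is after. The `users` table (assumed columns `id`, `user_name`, `user_pw`) and the two accounts in it are constructed for the demo. `clean()` is a direct port of gdp's VBScript function, `login_dynamic_sql_with_recheck()` implements Captain Flack's post-query comparison, and `login_parameterized()` is Bob's advice. The `lookup_name_by_id_dynamic()` case goes beyond the thread, which only shows quoted string fields: it applies the same concatenation to an unquoted numeric column to show what apostrophe-doubling does and does not cover. Passwords are compared as plaintext, as in the thread's queries.

```python
import sqlite3

# Constructed sample data for the demo; not the poster's schema or accounts.
SAMPLE_USERS = [("admin", "s3cret"), ("gdp", "hunter2")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table (assumed columns: id, user_name, user_pw)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, user_name TEXT, user_pw TEXT)"
    )
    con.executemany("INSERT INTO users (user_name, user_pw) VALUES (?, ?)", SAMPLE_USERS)
    con.commit()
    return con


def clean(clean_this: str) -> str:
    """Python port of the VBScript clean() from the thread: double apostrophes, trim."""
    return clean_this.replace("'", "''").strip()


def login_dynamic_sql(con, user_name: str, user_pw: str) -> list:
    """The original approach: escape with clean(), then concatenate into the SQL text."""
    sql = (
        "SELECT id, user_name, user_pw FROM users WHERE user_name='"
        + clean(user_name) + "' AND user_pw='" + clean(user_pw) + "'"
    )
    return con.execute(sql).fetchall()


def login_dynamic_sql_with_recheck(con, user_name: str, user_pw: str) -> bool:
    """Captain Flack's addition: exactly one row, and its columns equal what was typed."""
    rows = login_dynamic_sql(con, user_name, user_pw)
    if len(rows) != 1:
        return False
    _, db_name, db_pw = rows[0]
    return db_name == user_name and db_pw == user_pw


def lookup_name_by_id_dynamic(con, user_id: str) -> list:
    """Same concatenation pattern on an UNQUOTED numeric column (not in the thread).
    clean() only doubles apostrophes, so an injected 'OR 1=1' passes straight through."""
    sql = "SELECT user_name FROM users WHERE id=" + clean(user_id) + " ORDER BY id"
    return [row[0] for row in con.execute(sql).fetchall()]


def login_parameterized(con, user_name: str, user_pw: str) -> bool:
    """Bob's and Alan's approach: bound parameters, and only a true/false comes back.
    The driver sends the values separately from the SQL text, so no input is ever
    parsed as SQL, and the stored credentials are not returned to the application."""
    (found,) = con.execute(
        "SELECT EXISTS(SELECT 1 FROM users WHERE user_name=? AND user_pw=?)",
        (user_name, user_pw),
    ).fetchone()
    return bool(found)


if __name__ == "__main__":
    con = make_db()
    inj = "' OR '1'='1"
    print("dynamic+clean, valid login  :", login_dynamic_sql(con, "admin", "s3cret"))
    print("dynamic+clean, injected pw  :", login_dynamic_sql(con, "admin", inj))
    print("recheck, injected pw        :", login_dynamic_sql_with_recheck(con, "admin", inj))
    print("numeric id, normal          :", lookup_name_by_id_dynamic(con, "1"))
    print("numeric id, injected        :", lookup_name_by_id_dynamic(con, "1 OR 1=1"))
    print("parameterized, valid login  :", login_parameterized(con, "admin", "s3cret"))
    print("parameterized, injected pw  :", login_parameterized(con, "admin", inj))
    print("parameterized, numeric-style:", login_parameterized(con, "1 OR 1=1", "x"))
```

Running it shows that apostrophe-doubling does keep the classic `' OR '1'='1` inside the string literal for the quoted username/password fields, and the recheck agrees, but the same concatenation on an unquoted id returns every user for `1 OR 1=1` because there is no apostrophe to double. The parameterized version gives the right answer for all of these inputs without any escaping code, which is why the replies steer away from dynamic SQL altogether.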
 
