Web application security

Discussion in 'ASP General' started by gdp, May 26, 2004.

  1. gdp

    gdp Guest

    Hi...

    I have to allow access for administrators to sections of my website which
    contain sensitive data. There is a link on the homepage called "Admin
    Login". They are asked for a PIN number which is a random four letter four
    number combo and if they get that correct then have to enter their personal
    username and password.

    The text field inputs are cleaned before being used to make up dynamic SQL
    by replacing all apostrophes with the below function

    function clean(clean_this)
    clean=trim(replace(clean_this,"'","''"))
    end function


    Is this all safe....I am slightly uneasy about having the login on the
    website and it could be hidden in a special link only given to admins - but
    this is the same mechanism that ebay and amazon etc rely on to let people
    log in....

    Could somebody please advise me of any dangers of this approach

    thanks

    gdp
     
    gdp, May 26, 2004
    #1

  2. gdp wrote:

    > Hi...
    >
    > I have to allow access for administrators to sections of my website which
    > contain sensitive data. There is a link on the homepage called "Admin
    > Login". They are asked for a PIN number which is a random four letter four
    > number combo and if they get that correct then have to enter their personal
    > username and password.
    >
    > The text field inputs are cleaned before being used to make up dynamic SQL
    > by replacing all apostrophes with the below function
    >
    > function clean(clean_this)
    > clean=trim(replace(clean_this,"'","''"))
    > end function
    >
    >
    > Is this all safe....I am slightly uneasy about having the login on the
    > website and it could be hidden in a special link only given to admins - but
    > this is the same mechanism that ebay and amazon etc rely on to let people
    > log in....


    One additional security measure against SQL injection is to check that
    the username and password exist once you've pulled out the user record.

    For example, to see if user is valid:

    SELECT * FROM users WHERE user_name='myname' AND user_pw='mypassword'

    Run this to pull out a recordset. First step is to check the recordcount
    is 1, i.e. you have found the record (user exists).

    But then you should check the username and password you pulled out with
    this query against the ones entered by the user.

    For example

    If rs("user_name")<>"myname" OR rs("user_pw")<>"mypassword" then
    response.redirect("error.asp")
    End if

    Even if you didn't use your clean function and someone codes an
    injection attack to return a record, the username and password pulled
    out won't match what they entered (because they entered SQL code, not a
    username/password) and they'll get bounced to your error page.



    --



    (remove Tony Blair from office to contact me)
     
    Captain Flack, May 26, 2004
    #2

  3. gdp wrote:
    > Hi...
    >
    > I have to allow access for administrators to sections of my website
    > which contain sensitive data. There is a link on the homepage called
    > "Admin Login". They are asked for a PIN number which is a random
    > four letter four number combo and if they get that correct then have
    > to enter their personal username and password.
    >
    > The text field inputs are cleaned before being used to make up
    > dynamic SQL by replacing all apostrophes with the below function
    >
    > function clean(clean_this)
    > clean=trim(replace(clean_this,"'","''"))
    > end function
    >
    >
    > Is this all safe....I am slightly uneasy about having the login on the
    > website and it could be hidden in a special link only given to admins
    > - but this is the same mechanism that ebay and amazon etc rely on to
    > let people log in....
    >
    > Could somebody please advise me of any dangers of this approach
    >
    > thanks
    >
    > gdp


    The best defense against SQL injection is to avoid dynamic SQL. Pass
    parameters to stored procedures (or saved parameter queries if Jet).

    Bob Barrows
    --
    Microsoft MVP -- ASP/ASP.NET
    Please reply to the newsgroup. The email account listed in my From
    header is my spam trap, so I don't check it very often. You will get a
    quicker response by posting to the newsgroup.
     
    Bob Barrows [MVP], May 26, 2004
    #3
  4. gdp

    Alan Howard Guest

    Consider creating a stored proc that takes two params and returns a
    bit/bool, not a recordset. The proc can test the supplied username/password
    and return a true/false indication, there is no need to return the username
    and password to your application where the values could potentially be
    sniffed, and it avoids the whole dynamic SQL issue.

    e.g. (untested)

    create proc usp_Admin_TestLogin
        @username varchar(50),
        @password varchar(20),
        @success  bit output
    as
        -- Set the output flag; the matching row itself is never returned
        if exists (select * from Users
                   where username = @username and password = @password)
            set @success = 1
        else
            set @success = 0

        return 0
    go


    Alan



    "gdp" <> wrote in message
    news:FOZsc.14132$...
    > Hi...
    >
    > I have to allow access for administrators to sections of my website which
    > contain sensitive data. There is a link on the homepage called "Admin
    > Login". They are asked for a PIN number which is a random four letter four
    > number combo and if they get that correct then have to enter their personal
    > username and password.
    >
    > The text field inputs are cleaned before being used to make up dynamic SQL
    > by replacing all apostrophes with the below function
    >
    > function clean(clean_this)
    > clean=trim(replace(clean_this,"'","''"))
    > end function
    >
    >
    > Is this all safe....I am slightly uneasy about having the login on the
    > website and it could be hidden in a special link only given to admins - but
    > this is the same mechanism that ebay and amazon etc rely on to let people
    > log in....
    >
    > Could somebody please advise me of any dangers of this approach
    >
    > thanks
    >
    > gdp
    >
    >
     
    Alan Howard, May 26, 2004
    #4
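Pulling the thread's advice together in one runnable form, as an added example that is not code from any of the posters: a Python/sqlite3 port of gdp's clean(), Captain Flack's post-fetch comparison of the returned row against the typed values, and Alan Howard's return-a-bit check written as a parameterised EXISTS query in place of the stored procedure. The users table, its single admin row and the textbook tautology string are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data: one admin row, plaintext password column as in the thread.
SAMPLE_USERS = [("myname", "mypassword")]
# The textbook tautology string, used only to show the post-fetch check catching it.
TAUTOLOGY = "' OR 1=1 --"


def make_db():
    """In-memory stand-in for the thread's users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_name TEXT, user_pw TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return con


def clean(clean_this):
    """Port of gdp's VBScript clean(): trim, then double every apostrophe."""
    return clean_this.strip().replace("'", "''")


def login_dynamic(con, user, pw, use_clean=True, verify_record=True):
    """gdp's dynamic-SQL login, with Captain Flack's post-fetch comparison added."""
    u, p = (clean(user), clean(pw)) if use_clean else (user, pw)
    sql = (f"SELECT user_name, user_pw FROM users "
           f"WHERE user_name='{u}' AND user_pw='{p}'")
    rows = con.execute(sql).fetchall()
    if len(rows) != 1:                 # recordcount must be exactly 1
        return False
    if verify_record:                  # the row pulled out must equal what was typed
        name, stored_pw = rows[0]
        if name != user.strip() or stored_pw != pw.strip():
            return False
    return True


def login_param(con, user, pw):
    """Alan Howard's return-a-bit idea as a parameterised EXISTS query: the input
    is bound as data, never spliced into SQL text, and no credentials come back."""
    row = con.execute(
        "SELECT EXISTS(SELECT 1 FROM users WHERE user_name = ? AND user_pw = ?)",
        (user, pw),
    ).fetchone()
    return bool(row[0])


if __name__ == "__main__":
    con = make_db()
    print("honest login       :", login_dynamic(con, "myname", "mypassword"))
    print("no clean, no verify:", login_dynamic(con, TAUTOLOGY, "x", False, False))
    print("no clean, verify   :", login_dynamic(con, TAUTOLOGY, "x", use_clean=False))
    print("parameterised      :", login_param(con, TAUTOLOGY, "x"))
```

With clean() in place the doubled apostrophe keeps the whole input inside the string literal and the query simply finds no row; with clean() off, the query does return the admin row and only the post-fetch comparison bounces the login, which is exactly the layer Captain Flack describes.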
  5. gdp

    gdp Guest

    thanks for the advice...appreciated


    "gdp" <> wrote in message
    news:FOZsc.14132$...
    > Hi...
    >
    > I have to allow access for administrators to sections of my website which
    > contain sensitive data. There is a link on the homepage called "Admin
    > Login". They are asked for a PIN number which is a random four letter four
    > number combo and if they get that correct then have to enter their personal
    > username and password.
    >
    > The text field inputs are cleaned before being used to make up dynamic SQL
    > by replacing all apostrophes with the below function
    >
    > function clean(clean_this)
    > clean=trim(replace(clean_this,"'","''"))
    > end function
    >
    >
    > Is this all safe....I am slightly uneasy about having the login on the
    > website and it could be hidden in a special link only given to admins - but
    > this is the same mechanism that ebay and amazon etc rely on to let people
    > log in....
    >
    > Could somebody please advise me of any dangers of this approach
    >
    > thanks
    >
    > gdp
    >
    >
     
    gdp, May 27, 2004
    #5
