Re: User Login via SQL Server...(ASP Pages)...
From: Mary Chipman (mchip@nomail.please)
Date: 03/24/03
From: Mary Chipman <mchip@nomail.please> Date: Mon, 24 Mar 2003 15:39:28 -0500
Even if your code did work, it would leave you vulnerable to SQL
Injection attacks. If the error isn't on the connection opening, then
the best way to test your query strings is to open a Query Analyzer
window and paste in the string. Sometimes it's just a proofreading
error. A better solution to the code you have here would be to create
a stored procedure that returns 0 or 1 if the user is found in the
users table, and pass the user name and password as parameter values
to the stored procedure. You want to validate all input parameters
both in your page and in your stored procedure. The way it is now it
would be a piece of cake for an attacker to get all the user names and
passwords in the database.
-- Mary
MCW Technologies
http://www.mcwtech.com
On Mon, 24 Mar 2003 11:44:50 +1100, "Luke" <lwoolhouse@janison.com.au>
wrote:
>I am trying to validate users via a SQL Server. But something is wrong with
>my code.
>I think i've seen every single tutorial and example on the net, however I
>can't get it to work.
>
>Any help would be nice. Am I going about the procedure correctly?
>
>Thanks,
>Luke
>
>Heres the asp code:
>
><%
> Dim objConnection, objRecordSet, strSQL
>
> Set objConnection = Server.CreateObject("ADODB.Connection")
> Set objRecordSet = Server.CreateObject("ADODB.Recordset")
>
> objConnection.Open "Provider=SQLOLEDB.1;Data Source=TRILLIAN;User ID=sqluser;Password=xxxxx;Initial Catalog=ComicChat"
>
> Dim strUsername, strPassword
> strUsername = Request.Form("UsernameBox")
> strPassword = Request.Form("PasswordBox")
>
> strSQL = "SELECT * FROM tblUsers "
> strSQL = strSQL & " WHERE Username='" & strUsername & "'"
> strSQL = strSQL & " AND Password='" & strPassword & "'"
>
> objRecordSet.Open strSQL, objConnection 'This bit isn't working...Is it because my SQL string is whack?
>
> Response.Write "Yes, the above code is really working..."
>%>
>
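As an added example that is not part of either message: the stored-procedure approach Mary describes, with the user name and password passed as typed ADO parameters instead of concatenated into the SQL text. The procedure name usp_ValidateUser, the 50-character length limits and the use of numeric ADO constants are assumptions; the connection string reuses Luke's values.

```vbscript
<%
' Added example, not Luke's or Mary's code. Assumes a stored procedure
' usp_ValidateUser (name is an assumption) exists in ComicChat, created as:
'   CREATE PROCEDURE usp_ValidateUser @Username nvarchar(50), @Password nvarchar(50)
'   AS SET NOCOUNT ON
'      IF EXISTS (SELECT 1 FROM tblUsers
'                 WHERE Username = @Username AND Password = @Password) RETURN 1
'      RETURN 0
' Both values travel as parameters, so input such as ' OR 1=1 -- is compared
' as a literal string and never becomes part of the SQL statement.
Option Explicit
Dim objConnection, objCommand, strUsername, strPassword

strUsername = Trim(Request.Form("UsernameBox"))
strPassword = Request.Form("PasswordBox")

' Validate in the page before touching the database (length limits assumed).
If Len(strUsername) = 0 Or Len(strUsername) > 50 _
   Or Len(strPassword) = 0 Or Len(strPassword) > 50 Then
    Response.Write "Invalid user name or password."
    Response.End
End If

Set objConnection = Server.CreateObject("ADODB.Connection")
objConnection.Open "Provider=SQLOLEDB.1;Data Source=TRILLIAN;User ID=sqluser;Password=xxxxx;Initial Catalog=ComicChat"

Set objCommand = Server.CreateObject("ADODB.Command")
With objCommand
    .ActiveConnection = objConnection
    .CommandText = "usp_ValidateUser"
    .CommandType = 4   ' adCmdStoredProc
    ' First parameter receives the procedure's RETURN value (0 or 1).
    .Parameters.Append .CreateParameter("RETURN_VALUE", 3, 4)   ' adInteger, adParamReturnValue
    .Parameters.Append .CreateParameter("@Username", 202, 1, 50, strUsername) ' adVarWChar, adParamInput
    .Parameters.Append .CreateParameter("@Password", 202, 1, 50, strPassword)
    .Execute , , 128   ' adExecuteNoRecords: no recordset is needed
End With

' Same message for unknown user and wrong password, so nothing leaks about
' which accounts exist.
If objCommand.Parameters("RETURN_VALUE").Value = 1 Then
    Response.Write "Login OK"
Else
    Response.Write "Invalid user name or password."
End If

objConnection.Close
Set objCommand = Nothing
Set objConnection = Nothing
%>
```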