Re: user authentication by SQL lookup



This is exactly what we do with our MembershipProviders, i.e. return just the count or the PK matching the username and password.

If the password is stored in plain text then it can be checked either in SQL or .NET code, but I would prefer not returning the password from SQL. You are already checking for the username in your WHERE clause; why not also check for the password and return just the id or count (integer, 4 bytes) instead of text (length of password bytes)?

If the password is encrypted (and can't be decrypted) then you need to pass in the encrypted password to your proc and return a value indicating a successful match or not.

--
Misbah Arefin
https://mcp.support.microsoft.com/profile/MISBAH.AREFIN
http://www.linkedin.com/in/misbaharefin



"Paulo Tetovisk" <pelasaco@xxxxxxxxx> wrote in message news:eQfLlY2mIHA.1768@xxxxxxxxxxxxxxxxxxxxxxx
Hello,

I have a doubt, maybe related to "Best Practices" and "How to do a secure SQL lookup to authenticate a user against a database".

It's a simple solution, everybody knows how to do it, but what's more secure?

Send the query or SP with the following statement:
"SELECT COUNT(*) FROM tb_users WHERE uid = 'foo' AND passwd = 'hashedpassword'" and then check if the answer is 0 or 1?

Or

Send a query like "SELECT passwd FROM tb_users WHERE uid = 'foo'" and then do the password validation on the web server that hosts your application?

The second solution has a pro: it "saves" SQL processing, but on the other hand you send your password hash in through your password; I don't think that is the most secure solution. Does the first option have any cons?

Thanks in advance!

PT
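The two lookups discussed in this thread, side by side, as an added example that is not part of the original posts: option 1 has the database do the comparison and return only the id (Misbah's suggestion), option 2 fetches the stored hash and compares it in application code. SQLite stands in for SQL Server, the `id` and `salt` columns and the PBKDF2 hashing are assumptions, and both queries use bound parameters rather than string concatenation.

```python
import hashlib
import hmac
import os
import sqlite3

# In-memory SQLite database standing in for the SQL Server table in the thread.
# uid and passwd follow the original post; id and salt are assumed columns.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tb_users ("
        "id INTEGER PRIMARY KEY, uid TEXT UNIQUE, salt BLOB, passwd BLOB)"
    )
    return conn


def hash_password(password, salt):
    # Salted PBKDF2-HMAC-SHA256; the iteration count is a constructed sample value.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def add_user(conn, uid, password):
    salt = os.urandom(16)  # per-user random salt (assumption, not in the thread)
    conn.execute(
        "INSERT INTO tb_users (uid, salt, passwd) VALUES (?, ?, ?)",
        (uid, salt, hash_password(password, salt)),
    )
    conn.commit()


def auth_in_sql(conn, uid, password):
    """Option 1: the database compares and returns only the id (or None).

    With a per-user salt the application must first read the salt so it can
    compute the digest; only the digest is then sent back for the comparison.
    """
    row = conn.execute("SELECT salt FROM tb_users WHERE uid = ?", (uid,)).fetchone()
    if row is None:
        return None
    digest = hash_password(password, row[0])
    row = conn.execute(
        "SELECT id FROM tb_users WHERE uid = ? AND passwd = ?", (uid, digest)
    ).fetchone()
    return row[0] if row else None


def auth_in_app(conn, uid, password):
    """Option 2: the stored hash leaves the database and is compared in app code.

    hmac.compare_digest keeps the comparison time independent of where the
    first differing byte is.
    """
    row = conn.execute(
        "SELECT id, salt, passwd FROM tb_users WHERE uid = ?", (uid,)
    ).fetchone()
    if row is None:
        return None
    user_id, salt, stored = row
    if hmac.compare_digest(hash_password(password, salt), stored):
        return user_id
    return None


if __name__ == "__main__":
    db = make_db()
    add_user(db, "foo", "correct horse")  # constructed sample user
    print("option 1:", auth_in_sql(db, "foo", "correct horse"), auth_in_sql(db, "foo", "wrong"))
    print("option 2:", auth_in_app(db, "foo", "correct horse"), auth_in_app(db, "foo", "wrong"))
```

Both functions return the same thing to the caller (the user's id or `None`), so the choice is only about what crosses the wire: option 1 sends a digest in and gets a 4-byte integer back, option 2 pulls the stored digest out of the database for every login attempt. Note that option 1 with per-user salts costs a second round trip, which is the trade-off behind Paulo's "saves SQL processing" remark.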




