Asp validation problem


Paul M

Hi
This is still driving me mad.
I have a form with username and password fields. The form submits to a
login validation ASP script.
To stop SQL injection I need to filter out, server side, characters like single
quote, double quote, slash, backslash, semicolon, and extended characters like
NULL, carriage return, new line, etc.
I know I need to add some validation ASP script to the validation ASP page,
but I have been looking on the web and I can't find any tutorials.
Please help, this one is driving me insane.
Paul M
 

Thomas A. Rowe

Paul, the main issue when using Access would be, at a minimum, the single quote, as SQL injection is
dependent on the database and the driver.

This is what I generally use:

User = Trim(Replace(Request.Form("UserID"), "'", "''"))
Pword = Trim(Replace(Request.Form("Password"), "'", "''"))

' Doubling each single quote keeps the value inside the SQL string literal
strSQL = "SELECT * FROM LoginTable WHERE Login='" & User & "' AND Password='" & Pword & "'"

--
==============================================
Thomas A. Rowe (Microsoft MVP - FrontPage)
==============================================
If you feel your current issue is a results of installing
a Service Pack or security update, please contact
Microsoft Product Support Services:
http://support.microsoft.com
If the problem can be shown to have been caused by a
security update, then there is usually no charge for the call.
==============================================
 

Thomas A. Rowe

I don't understand why the logonvalidate.asp page is written to loop through the recordset, as the only
thing that needs to happen is to check that the login/password combination is valid, and then set a session variable to
indicate login status and then redirect the user to protected content, etc.

There is no reason to store the username or password in a session.

 

Paul M

Hi Thomas
Is it so even if you can use the password protected pages again without
having to login?
The fields I use are "user_name" and "pass_word"; these are the fields the
query searches.
I would really appreciate it if you could help by showing your example with
my fields in, as I don't quite grasp some of the names you use (Pword or
password) and where to substitute my field names.
Thanks Thomas
I only discovered SQL injection today and I find it worrying.
Paul M
 

Thomas A. Rowe

User = Trim(Replace(Request.Form("user_name"), "'", "''"))
Pword = Trim(Replace(Request.Form("pass_word"), "'", "''"))

strSQL = "SELECT * FROM LoginTableName WHERE user_name='" & User & "' AND pass_word='" & Pword & "'"

 

Paul M

Thank you so much Thomas
Paul M

 

Paul M

Hi Thomas
I have tried all the different ways I can think of but I can't get this to
work. Here is the section of code that I am trying to change to incorporate
your ASP into:

<%
'First we create a connection object
Set Conn = Server.CreateObject("ADODB.Connection")

'Next, we open the connection object by calling the connection string
'that FrontPage created and stored in the global.asa file when the "store"
'connection was created
Conn.Open Application("removed for this post ConnectionString")

'Then we create a record set object and a SQL statement
Set RS = Conn.Execute("SELECT user_name, pass_word FROM Results WHERE user_name = '" & Request.Form("user_name") & "' AND pass_word = '" & Request.Form("pass_word") & "'")

Thanks Thomas
 

Thomas A. Rowe

Paul, try the following:

<%
User = Trim(Replace(Request.Form("user_name"), "'", "''"))
Pword = Trim(Replace(Request.Form("pass_word"), "'", "''"))

Set Conn = Server.CreateObject("ADODB.Connection")
Conn.Open Application("removed for this post ConnectionString")
Set RS = Conn.Execute("SELECT user_name, pass_word FROM Results WHERE user_name = '" & User & "' AND pass_word = '" & Pword & "'")

%>

 

Stefan B Rusynko

Change it to

<%
Dim User, Pword, strSQL, Conn, objRS
User = Trim(Replace(Request.Form("user_name"), "'", "''"))
Pword = Trim(Replace(Request.Form("pass_word"), "'", "''"))
strSQL = "SELECT user_name, pass_word FROM Results WHERE user_name='" & User & "' AND pass_word='" & Pword & "'"

Dim Conn_Name
Conn_Name = Application("removed for this post ConnectionString")
Set Conn = Server.CreateObject("ADODB.Connection")
Conn.Open Conn_Name
Set objRS = Server.CreateObject("ADODB.Recordset")
objRS.Open strSQL, Conn   'reuse the open connection rather than the string
If objRS.EOF Then
'NOT Authenticated Action here
Else
'Authenticated Action here
End If
objRS.Close
Conn.Close
%>

--




| Paul M said:
| Thanks Thomas
| The main issue is some third party script that I use to password
| protect pages
| http://www.frontpagehowto.com/newpassword/default.asp#logon
| I need to validate the logonvalidate.asp so it won't accept certain
| chars
| I can put 'or 'a'='a in the username and password field and it
| accepts this as a valid username or password
| Paul M
 

Paul M

Dear Thomas
I now get an error. Here is how I have inserted the code:

<%
'First we create a connection object
Set Conn = Server.CreateObject("ADODB.Connection")

'Next, we open the connection object by calling the connection string
'that FrontPage created and stored in the global.asa file when the "store"
'connection was created

User = Trim(Replace(Request.Form("user_name"), "'", "''"))
Pword = Trim(Replace(Request.Form("pass_word"), "'", "''"))

Set Conn = Server.CreateObject("ADODB.Connection")
Conn.Open Application("databasesearch2ConnectionString")
Set RS = Conn.Execute("SELECT user_name, pass_word FROM Results WHERE user_name = '" & User & "' AND pass_word = '" & Pword & "'")

'Loop through the database to check for the users information
Do until RS.EOF
Pass = RS("pass_word")
Name = RS("user_name")
RS.MoveNext
loop

'Close the recordset and database connection
RS.Close
Conn.Close

'If the password given is not in the database then we don't do anything.
'Otherwise, we create the session objects
IF pass = "" Then
Message = "The Password you entered is either wrong or not found in our database. Please press the BACK button and try again or if you have not yet created a username and password then click on the registration link."
Else
Session("password") = Pass
Session("username") = Name

'Now we will check to see if there is a session object for an original URL.
'This would have been created (as you will see later) if the user first tried
'to visit a protected page. If so, we send them there. If not, we stay here.
IF Session("Ori_URL") = "" Then 'do nothing
Else
Response.redirect(session("Ori_URL"))
End IF
End IF
%>
 

Thomas A. Rowe

See Stefan's solution.

 

Paul M

Dear Stefan
I get a "this page cannot be displayed" error. Here is where I have put the code,
and the rest of it:

<%
Dim User, Pword, strSQL
User = Trim(Replace(Request.Form("user_name"), "'", "''"))
Pword = Trim(Replace(Request.Form("pass_word"), "'", "''"))
strSQL = "SELECT user_name, pass_word FROM Results WHERE user_name='" & User & "' AND pass_word='" & Pword & "'"

Dim Conn_Name
Conn_Name = Application("databasesearch2ConnectionString")
Set Conn = Server.CreateObject("ADODB.Connection")
Conn.Open Conn_Name
Set objRS = Server.CreateObject("ADODB.Recordset")
objRS.Open strSql, Conn_Name
If objRS.EOF Then
'NOT Authenticated Action here
Else
'Authenticated Action here
End If


'Loop through the database to check for the users information
Do until RS.EOF
Pass = RS("pass_word")
Name = RS("user_name")
RS.MoveNext
loop

'Close the recordset and database connection
RS.Close
Conn.Close

'If the password given is not in the database then we don't do anything.
'Otherwise, we create the session objects
IF pass = "" Then
Message = "The Password you entered is either wrong or not found in our database. Please press the BACK button and try again or if you have not yet created a username and password then click on the registration link."
Else
Session("password") = Pass
Session("username") = Name

'Now we will check to see if there is a session object for an original URL.
'This would have been created (as you will see later) if the user first tried
'to visit a protected page. If so, we send them there. If not, we stay here.
IF Session("Ori_URL") = "" Then 'do nothing
Else
Response.redirect(session("Ori_URL"))
End IF
End IF
%>


Paul M
 

Thomas A. Rowe

Paul,

Have you considered contacting the original author of the script, to ask them to explain how to
eliminate SQL injection issues?

 

Paul M

Thanks Thomas, I have asked them.
Is the syntax OK with the way I have added the code?
I have tried functions from websites to filter certain chars and I can't get
them to work either.
Paul M
 

Thomas A. Rowe

I would have to re-write the entire script/application to be in the format that I code in.

 

Stefan B Rusynko

That is a pretty poor login script w/ lots of errors (too many conditions in it can fail and are undefined) and your Do loop at the
bottom is not necessary (it is replaced by the If Then Else I gave you).

See my inline comments below in your code (areas starting w/ a *).

IMHO
spend some time studying and understanding VBScript and ASP code before you just paste and copy
- hopefully the DB data does not have anything of critical security in it if you use that script as you now have it
--




| Dear Stefan
| I get a "this page cannot be displayed" error. Here is where I have put the code
| and the rest of it

*IMHO that's because of your poor code which sends them nowhere

| <%
| Dim User, Pword, strSQL
| User = Trim(Replace(Request.Form("user_name"), "'", "''"))
| Pword = Trim(Replace(Request.Form("pass_word"), "'", "''"))
| strSQL = "SELECT user_name, pass_word FROM Results WHERE user_name='" & User & "' AND pass_word='" & Pword & "'"
|
| Dim Conn_Name
| Conn_Name = Application("databasesearch2ConnectionString")
| Set Conn = Server.CreateObject("ADODB.Connection")
| Conn.Open Conn_Name
| Set objRS = Server.CreateObject("ADODB.Recordset")
| objRS.Open strSql, Conn_Name
| If objRS.EOF Then
| 'NOT Authenticated Action here

*This is where you would Response.Write your Message (if it is to be displayed in a validation.asp page)

Message = "The Password you entered is either wrong or not found in our database. Please press the BACK button and try again or if you have not yet created a username and password then click on the registration link."
Response.Write Message 'Display the message

| Else
| 'Authenticated Action here

*This is where you would write your authenticated session variables using the variable names from above (User and Pword) and
redirect them
(using your bad session variables from below only if used on other pages - see comments below)

Session("password") = Pword
' Or you can use: Session("password") = objRS("pass_word")
Session("username") = User
' Or you can use: Session("username") = objRS("user_name")
If Session("Ori_URL") = "" Then
Response.Redirect "someotherpage.asp"
'always send an authenticated user to some valid page
Else
Response.Redirect Session("Ori_URL")
End If

| End If
|

*DELETE all of this loop - replaced by the IF above
(and you have not opened RS - you have opened objRS in the above code)

| 'Loop through the database to check for the users information
| Do until RS.EOF

*Note: Poor code to use a loop when the DB should only ever find (or fail to find) just 1 record in any login script

| Pass = RS("pass_word")
| Name = RS("user_name")
| RS.MoveNext
| loop

|
| 'Close the recordset and database connection

*You have not opened RS so you can't close it, you have opened objRS in above code

objRS.Close

| 'RS.Close 'DELETE
| Conn.Close
|
| 'If the password given is not in the database then we don't do anything.
| 'Otherwise, we create the session objects

*VBScript is case sensitive so "pass" is not the same as "Pass", so this IF will always fail to the Else and authenticate anyone!
Empty values in the form password and username fields should be checked before you even attempt to open the DB

| IF pass = "" Then
| Message = "The Password you entered is either wrong or not found in our
| database. Please press the BACK button and try again or if you have not yet
| created a username and password then click on the registration link."

*What does this Message string do?
- nothing unless you Response write it to the page

| Else

| Session("password") = Pass
| Session("username") = Name

Poor "security" to drag the username and password along as session variables
- that means, unless you kill the session variables, anyone else w/ access to the PC may be able to get in until the session times
out or the browser is closed (session killed)
- Change the code on your other pages to not use them

|
| 'Now we will check to see it there is a session object for an original URL.
| 'This would have been created (as you will see later) if the user first tried
| 'to visit a protected page. If so, we send them there. If not, we stay here.
| IF Session("Ori_URL") = "" Then 'do nothing

Poor code approach - they are stuck on a page w/ nowhere to go if Session("Ori_URL") doesn't exist
- what if they came from the login page, will you send them back there?
- send them someplace other than back to the login page or the validation page if they are authenticated

| Else

| Response.redirect(session("Ori_URL"))

See my above If statement

| End IF
| End IF
| %>
|
|
| Paul M
|
|
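As an added example (not code from this thread or from the frontpagehowto.com script), here is a logonvalidate.asp that combines Thomas's point about the single quote with Stefan's review: the form values are bound as query parameters instead of being spliced into the SQL text, empty values are rejected before the database is opened, EOF alone decides authentication with no loop, only a login flag goes into the session, and an authenticated user is always redirected somewhere valid. It assumes the thread's Results table with user_name and pass_word columns and the Application("databasesearch2ConnectionString") connection string; the landing page members.asp and the Session("LoggedIn") flag name are placeholders to adapt.

```vbscript
<%
Option Explicit
' Hardened logonvalidate.asp (example, not the thread's or the third-party
' script's own code). Assumes table Results(user_name, pass_word) and the
' FrontPage connection string named in the thread; members.asp and
' Session("LoggedIn") are placeholder names.
Dim User, Pword
User  = Trim(Request.Form("user_name"))
Pword = Trim(Request.Form("pass_word"))

' Reject empty values before touching the database (Stefan's point):
' an empty username or password can never be a valid login.
If User = "" Or Pword = "" Then
    Response.Write "Please enter both a username and a password."
    Response.End
End If

' Bind the values as parameters rather than building the SQL string.
' The driver never parses a bound value as SQL, so input such as
' ' or 'a'='a is compared literally and matches no row. No quote
' doubling is needed, and a value may legitimately contain a quote.
' The ? placeholders work with the Jet OLE DB provider and the Access ODBC driver.
Dim Conn, Cmd, RS
Set Conn = Server.CreateObject("ADODB.Connection")
Conn.Open Application("databasesearch2ConnectionString")

Set Cmd = Server.CreateObject("ADODB.Command")
Set Cmd.ActiveConnection = Conn        ' Set, so the open connection is reused
Cmd.CommandText = "SELECT user_name FROM Results WHERE user_name = ? AND pass_word = ?"
Cmd.CommandType = 1                    ' adCmdText
' CreateParameter(Name, Type, Direction, Size, Value): 200 = adVarChar, 1 = adParamInput
Cmd.Parameters.Append Cmd.CreateParameter("user_name", 200, 1, 255, User)
Cmd.Parameters.Append Cmd.CreateParameter("pass_word", 200, 1, 255, Pword)
Set RS = Cmd.Execute

' A login query finds one row or none, so EOF is the whole decision;
' there is nothing to loop over.
Dim Authenticated
Authenticated = Not RS.EOF

RS.Close
Set RS = Nothing
Conn.Close
Set Conn = Nothing

If Not Authenticated Then
    Response.Write "The username or password you entered is not recognised. " & _
                   "Please press the BACK button and try again."
    Response.End
End If

' Keep only a login flag in the session; neither the password nor the
' username needs to be stored. Protected pages test Session("LoggedIn").
Session("LoggedIn") = True

' Always send an authenticated user somewhere valid: the page they
' originally asked for, or the members area if there was none.
If Session("Ori_URL") = "" Then
    Response.Redirect "members.asp"
Else
    Response.Redirect Session("Ori_URL")
End If
%>
```

Protected pages then only need to check Session("LoggedIn") and, when it is not True, store the requested URL in Session("Ori_URL") before redirecting to the login form.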
 

Paul M

Thanks Stefan
I am not a web designer. I created a website for myself,
http://www.paulcmilner.co.uk/, then promised to do a website for my wife, who was
let down several times by people, but it grew into a database application.
The project is now near completion, except I discovered SQL injection, which
makes this login/page protection a joke.
Can you point me in the right direction to some code/tutorial which I can
modify so I can get back to my real job?
Thanks
Paul M


Stefan B Rusynko said:
That is a pretty poor log in script w/ lots of errors (to many conditions
in it can fail and are undefined) and your Do loop at the
bottom is not necessary (it is replaced by the If Then Else I gave you)

See my inline comments below in your code (areas starting w/ a *)

IMHO
spend some time studying and understanding and VBscript and ASP code
before you just paste and copy
- hopefully the DB data does not have anything of critical security in it
if you use that script as you now have it
--




| Dear Stefan
| I get this page cannot be diplayed error here is where i have put the
code
| and the rest of it

*IMHO that's because of your poor code which sends them noplace

| <%
| Dim User, Pword, strSQL
| User = Trim(Replace(Request.Form("user_name"), "'", "''"))
| Pword = Trim(Replace(Request.Form("pass_word"), "'", "''"))
| strSQL= "SELECT user_name, pass_word FROM Results WHERE user_name='" &
User
| & "' AND pass_word= ' " & Pword & "'"
|
| Dim Conn_Name
| Conn_Name = Application("databasesearch2ConnectionString")
| Set Conn = Server.CreateObject("ADODB.Connection")
| Conn.Open Conn_Name
| Set objRS = Server.CreateObject("ADODB.Recordset")
| objRS.Open strSql, Conn_Name
| If objRS.EOF Then
| 'NOT Authenticated Action here

*This is where you would response write your Message (if it is to be
displayed in a validation.asp page)

Message = "The Password you entered is either wrong or not found in our
database. Please press the BACK button and try again or if you have not
yet
created a username and password then click on the registration link."
' above all on 1 line
Response.write Message 'Display the message

| Else
| 'Authenticated Action here

*This is where you would write your authenticated session variables using
the variable names from above (User and Pword) and
redirect them
(using your bad session variables from below only if used on other pages -
see comments below)

Session("password") = Pword
' Or you can use: Session("password") = objRS("pass_word")
Session("username") = User
' Or you can use: Session("username") = objRS("user_name")
If session("Ori_URL")) ="" Then
Response.redirect "someotherpage.asp"
'always send an authenticated user to some valid page
Else
Response.redirect(session("Ori_URL"))
End If

| End If
|

*DELETE all of this loop - replaced by the IF above
(and you have not opened RS - you have opened objRS in above code

| 'Loop through the database to check for the users information
| Do until RS.EOF

*Note: Poor code to use a loop when the DB should only ever find (or fail
to find) just 1 record in any login script

| Pass = RS("pass_word")
| Name = RS("user_name")
| RS.MoveNext
| loop

|
| 'Close the recordset and database connection

*You have not opened RS so you can't close it, you have opened objRS in
above code

objRS.Close

| 'RS.Close 'DELETE
| Conn.Close
|
| 'If the password given is not in the database then we don't do anything.
| 'Otherwise, we create the session objects

*VBscript is case sensitive so "pass" is not the same as "Pass" so this IF
will always fail to the Else and authenticate anyone!
Empty values in the form password and usernames should be checked before
you even attempt to open the DB

| IF pass = "" Then
| Message = "The Password you entered is either wrong or not found in our
| database. Please press the BACK button and try again or if you have not
yet
| created a username and password then click on the registration link."

*What does this Message string do?
- nothing unless you Response write it to the page

| Else

| Session("password") = Pass
| Session("username") = Name

Poor "security" to drag the username and password along as session
variables
- that means, unless you kill the session variables, anyone else w/ access
to the PC may be able to get in until the session times
out or browser is closed (session killed)
- Change the code on your other pages to not use them

|
| 'Now we will check to see it there is a session object for an original
URL.
| 'This would have been created (as you will see later) if the user first
tried
| 'to visit a protected page. If so, we send them there. If not, we stay
here.
| IF Session("Ori_URL") = "" Then 'do nothing

Poor code approach - they are stuck on a page w/ nowhere to go if
Session("Ori_URL") doesn't exist
- what if they came from the log in page will you send them back there?
- send them someplace other than back to the log in page or the validation
page if they are authenticated

| Else

| Response.redirect(session("Ori_URL"))

See my above If statement

| End IF
| End IF
| %>
|
|
| Paul M
 
S

Stefan B Rusynko

As Thomas has indicated you need to relook the whole structure of your authentication
You can't just take a little from here or there and use it w/o integrating it to:
- manage the "secure" pages (check for authentication status on each page)
- manage the login (authenticate users w/ correct credentials and prevent "hacking")
- manage the users (create user credentials which let them authenticate)

You can look at
http://www.w3schools.com/asp/default.asp
Or to manage a DB w/ authentication see
http://support.microsoft.com/default.aspx?scid=321439


--




| Thanks Stefan
| I am not a web designer I created a website for myself
| http://www.paulcmilner.co.uk/ then promised to do a web for my wife who was
| let down several times by people but it grew into a database application
| The project is now near completion except I discovered SQL injection which
| makes this login/page protection a joke.
| Can you point me in the right direction of some code/tutorial which I can
| modify so I can get back to my real job
| Thanks
| Paul M
|
|
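A logonvalidate.asp rewritten along the lines Stefan and Thomas describe above: check for empty values before opening the database, test `objRS.EOF` instead of looping, keep only the login status in the session (never the password), and always redirect an authenticated user somewhere valid. This is an added example, not code from the thread or from the frontpagehowto script; it swaps the `Replace(..., "'", "''")` escaping for an `ADODB.Command` parameterised query, and the connection-string name, the parameter names, the 255 column width and `Session("LoggedIn")` are assumptions.

```vbscript
<%
Option Explicit
' Added example, not the thread's own code. Assumes the "Results" table with
' user_name / pass_word columns from the thread, the FrontPage connection string
' stored in Application("YourConnectionStringName") (placeholder name), and
' Session("Ori_URL") set by the protected pages as the thread describes.

' ADO constants (normally from adovbs.inc), given as literals so no include is needed.
Const adCmdText = 1
Const adParamInput = 1
Const adVarWChar = 202

Dim User, Pword
User = Trim(Request.Form("user_name"))
Pword = Trim(Request.Form("pass_word"))

' 1. Reject empty credentials before touching the database.
If User = "" Or Pword = "" Then
    Response.Write "Please enter both a username and a password."
    Response.End
End If

' 2. Parameterised query: the form values are bound as data, never concatenated
'    into the SQL text, so a value such as ' OR 'a'='a is compared as a plain
'    string and simply fails to match. This replaces the quote-doubling Replace().
Dim Conn, Cmd, objRS
Set Conn = Server.CreateObject("ADODB.Connection")
Conn.Open Application("YourConnectionStringName")   ' placeholder: use the name FrontPage stored

Set Cmd = Server.CreateObject("ADODB.Command")
Set Cmd.ActiveConnection = Conn
Cmd.CommandType = adCmdText
Cmd.CommandText = "SELECT user_name FROM Results WHERE user_name = ? AND pass_word = ?"
Cmd.Parameters.Append Cmd.CreateParameter("p_user", adVarWChar, adParamInput, 255, User)
Cmd.Parameters.Append Cmd.CreateParameter("p_pass", adVarWChar, adParamInput, 255, Pword)
Set objRS = Cmd.Execute

' 3. The query returns either one row or none, so EOF is the whole check; no loop.
Dim Authenticated
Authenticated = Not objRS.EOF

objRS.Close
Set objRS = Nothing
Conn.Close
Set Conn = Nothing

If Not Authenticated Then
    ' One message for both a bad username and a bad password: do not reveal which failed.
    Response.Write "The username or password you entered is incorrect. " & _
                   "Please press the BACK button and try again, or register first."
    Response.End
End If

' 4. Record only the login status (Session("LoggedIn") is the assumed flag that the
'    protected pages check); the password itself never goes into the session.
Session("LoggedIn") = True
Session("username") = User

' 5. Always send an authenticated user to a valid page, never leave them here.
If Session("Ori_URL") = "" Then
    Response.Redirect "someotherpage.asp"
Else
    Dim Target
    Target = Session("Ori_URL")
    Session("Ori_URL") = ""     ' clear it so a later login is not sent back again
    Response.Redirect Target
End If
%>
```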
 
