xantos

[web] SQL injection

I'm looking for people to test the login page on this site for SQL injection: clicky. Here is a page that shows the records in the database: clicky. And yes, this is my page; check the upper right corner for proof. I appreciate any help.

Right off the bat, your script for checking passwords doesn't look at case sensitivity. It also appears you aren't encrypting passwords at registration.

EDIT: Both of the above are a serious problem. I will do further testing later tonight.

[Edited by - Cygnus_X on November 17, 2006 12:41:00 PM]

The script converts all the letters into lowercase to check for illegal characters.
For the encryption, I will work on it later.
My concern now is SQL injection vulnerabilities.


Thanks for your help, waiting for more replies.

Use ereg() for checking against characters you want to be illegal. The way you have it now, your password is bypass, but the following would also work with your script:

byPass
byPASS
ByPasS

etc.

Thus, instead of having 1 valid password for your admin account, you'd have 2^6 (64) valid passwords. I know it doesn't have anything to do with SQL injection, I just thought I'd point it out as a security issue.

EDIT: ereg() is a function in php. But, there should be a similar function in other languages.

[Edited by - Cygnus_X on November 17, 2006 3:28:05 PM]

OK, I will explain it more. Let's say I log in with the username Admin: the code takes the username, changes it to lower case ("admin") and checks if it has any illegal characters. If it doesn't have any illegal chars, it checks the database, but using the "Admin" that I entered.

Here is the code of the login screen:


<%
Dim inUserName, inPassword
inUserName = Trim(Request("username"))
inPassword = Trim(Request("pass"))


Dim sUsername, sPassword

sUsername=LCase(Request.Form("username"))

Function IllegalChars(sInput)
Dim sBadChars, iCounter
IllegalChars=False
sBadChars=array("select", "drop", ";", "--", "insert", "delete", "xp_", _
"#", "%", "&", "'", "(", ")", "/", "\", ":", ";", "<", ">", "=", "[", "]", "?", "`", "|")

For iCounter = 0 to uBound(sBadChars)

If Instr(sInput,sBadChars(iCounter))>0 Then
IllegalChars=True
End If
Next
End function

If IllegalChars(sUsername)=True Then
Response.write("Invalid username or password")
Else


'I didn't put in all the database-related code, only the line I used to select the record for the username entered
"SELECT * FROM Table WHERE userName = '"&inUserName&"'"



If myRS.EOF Then
response.write("This Account doesn't exist, click <a href=""http://www.ganarplatita.com.ar/emanuel/mail.asp"">here</a> to create one")
Else
'here I compare the password entered in the login screen with the password saved in the database (in the record selected according to the username entered)
if (StrComp(myRS("password"), inPassword, vbTextCompare) =0) Then
session("user")= inUserName
response.redirect("game.asp")
Else
session("user") = ""
response.write("incorrect password")
End If
End If
End If



Ugly. The simple and painless way would be to quote your string so it cannot be interpreted as SQL code at all, a functionality which most SQL interfaces provide.

However, since you're using ASP, you might want to take a look at the safer, faster and cleaner Parametrized Queries.

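To make the two replies above concrete, here is the posted login logic and toohrvyk's parameterized alternative modelled side by side. This is an added example, not code from the thread: it uses Python with an in-memory SQLite table standing in for the real database, and the table name, rows and attacker payload are constructed here. It also assumes classic ASP's documented lookup order for Request(name), which searches QueryString before Form, while Request.Form(name) reads only the posted body; that is why the blacklist applied to LCase(Request.Form("username")) and the query built from Trim(Request("username")) can end up looking at different values.

```python
"""
Model of the posted classic-ASP login (added example, not the page's code).

Assumptions not stated on the page: SQLite stands in for the real database,
and Request(name) is modelled as "QueryString first, then Form", which is the
documented classic-ASP collection search order.
"""
import sqlite3

# Port of the posted sBadChars list (the original's duplicate ";" is kept).
BAD_CHARS = ["select", "drop", ";", "--", "insert", "delete", "xp_",
             "#", "%", "&", "'", "(", ")", "/", "\\", ":", ";", "<", ">",
             "=", "[", "]", "?", "`", "|"]


def illegal_chars(s_input):
    """Port of IllegalChars(): True if any blacklisted substring occurs."""
    return any(bad in s_input for bad in BAD_CHARS)


def make_db():
    """Constructed sample table; stands in for the real database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (userName TEXT, password TEXT)")
    con.executemany("INSERT INTO Users VALUES (?, ?)",
                    [("admin", "s3cret"), ("alice", "wonderland")])
    return con


def asp_request(query, form, name):
    """Model of classic ASP Request(name): QueryString is searched before Form."""
    if name in query:
        return query[name]
    return form.get(name, "")


def login_concat(con, query, form, password):
    """Mirror of the posted logic: blacklist Request.Form, but query with Request()."""
    in_user = asp_request(query, form, "username").strip()   # Trim(Request("username"))
    s_user = form.get("username", "").lower()                 # LCase(Request.Form("username"))
    if illegal_chars(s_user):
        return "Invalid username or password"
    sql = "SELECT * FROM Users WHERE userName = '" + in_user + "'"   # string concatenation
    row = con.execute(sql).fetchone()
    if row is None:
        return "This Account doesn't exist"
    # StrComp(..., vbTextCompare) is a case-insensitive comparison
    if row[1].lower() == password.lower():
        return "logged in as " + row[0]   # the original stores inUserName in the session
    return "incorrect password"


def login_param(con, query, form, password):
    """Hardened form: same inputs, but the username travels as a bound parameter."""
    in_user = asp_request(query, form, "username").strip()
    row = con.execute("SELECT * FROM Users WHERE userName = ?", (in_user,)).fetchone()
    if row is None:
        return "This Account doesn't exist"
    if row[1].lower() == password.lower():
        return "logged in as " + row[0]
    return "incorrect password"


def demo():
    """Run the four cases and return their results keyed by name."""
    con = make_db()
    payload = "' UNION SELECT 'admin','pwned' --"   # constructed attacker input
    out = {}
    # Legitimate user; the password check accepts any capitalisation.
    out["legit"] = login_concat(con, {}, {"username": "admin"}, "S3CRET")
    # Payload posted in the form body: the blacklist sees ', select and -- and refuses.
    out["form_blocked"] = login_concat(con, {}, {"username": payload}, "pwned")
    # Same payload in the query string: Request.Form is empty, so nothing is
    # checked, but Request() still feeds the payload into the concatenated SQL.
    # The UNION supplies its own row and password, so the login succeeds.
    out["qs_concat"] = login_concat(con, {"username": payload}, {}, "pwned")
    # Bound parameter: the payload is just a username that does not exist.
    out["qs_param"] = login_param(con, {"username": payload}, {}, "pwned")
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>13}: {result}")
```

The point of the parameterized version is that it needs no blacklist at all: the database driver never parses the username as SQL, so it does not matter which Request collection the value came from or which keywords the list happens to include. One caveat when reading the model: SQLite compares strings case-sensitively by default, so a form login with "Admin" finds no row here, whereas a server with a case-insensitive collation would match it; the thread does not say which database the page uses.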
Thanks toohrvyk, but did the code I provided have any vulnerabilities?
I also want to put that same system of checking for illegal chars/strings on the create account page, so that no one can create an account like admin or admin2.

In sBadChars=array, you may want to include the "update" statement as an exception. Just something to consider.

Other than that, your code looks good to me. Though... I'm not very strong in .asp.
