JSP hacking of password in e-commerce website .. how to prevent?
Hi all,
I have a question. I found out that when, in JSP, I type this password on the login page:
'' or '1' =
(I did not write the full code, to prevent misuse.)
it can enter the website. How do I prevent it?
Thanks in advance
pcthug
06-02-2006, 08:08 PM
The 'or 1=1 -- is a common but simple hack that can override database queries into allowing false passwords (because 1=1 always returns true) and therefore allowing unauthorized access to secure information. To avoid such hacks I would employ a server-side authentication system; either:
1. Using Regex disallow certain characters (namely " ' = -) in the password field
2. Or converting password to a hash before querying the server
There are other methods of authentication, however the above should fit your needs.
-- pcthug
Hi,
thanks for the info. But how do I go about it? I am using JSP so I am not very sure. BTW, my database is Access. Are there any examples?
Thanks
pcthug
06-05-2006, 03:38 AM
Use MD5 hash to encrypt password:
// Plain-text password input
String passwordInput = "foobar";
MessageDigest mdAlgorithm = MessageDigest.getInstance("MD5");
mdAlgorithm.update(passwordInput.getBytes());
byte[] digest = mdAlgorithm.digest();
StringBuffer hexString = new StringBuffer();
for (int i = 0; i < digest.length; i++) {
passwordInput = Integer.toHexString(0xFF & digest[i]);
if (passwordInput.length() < 2) {
passwordInput = "0" + passwordInput;
}
hexString.append(passwordInput);
}
// We now have a unique MD5 Hash of original input
out.print(hexString.toString());
It's now safe to query the database with our amended string
also I found these discussions @ sun
http://forum.java.sun.com/thread.jspa?threadID=543844&tstart=240
http://forum.java.sun.com/thread.jspa?threadID=635524&messageID=3699640
The alternative suggested method, regular expressions, could be used to not accept any non-numerical/alphabetical characters, thus eliminating any chance of a hack as the necessary symbols to conduct the hack would not be accepted. I suggest reading this article (http://www.sitepoint.com/article/java-regex-api-explained) for further insight.
Hi, I am still unable to solve it.
<%@page contentType="text/html"%>
<%@page import="java.sql.*"%>
<%@page import="java.security.MessageDigest"%>
<html>
<head>
<title>Check Login</title>
</head>
<body>
<%
String varName=request.getParameter("userName");
String varPass=request.getParameter("userPass");
String DRIVER = "sun.jdbc.odbc.JdbcOdbcDriver";
Connection con = null;
String nextPage = null;
try {
// set up the DSNless connection to the EJewel.mdb database
String source = "jdbc:odbc:Driver={Microsoft Access Driver (*.mdb)}; DBQ=C:\\Program Files\\Apache Software Foundation\\Tomcat 5.5\\webapps\\ROOT\\EJewel848\\EJewel.mdb";
// Open a Database connection with the Driver
Class.forName(DRIVER);
con = DriverManager.getConnection(source);
// Create sql string to check whether userName is found in database
String sql = "Select * from Customers where userName='" + varName + "' and userPass='" + varPass + "'";
// Create statement to connect to Connection
Statement stmt=con.createStatement();
// Execute result set on sql string
ResultSet rs=stmt.executeQuery(sql);
String userPass = "foobar";
MessageDigest mdAlgorithm = MessageDigest.getInstance("MD5");
mdAlgorithm.update(userPass.getBytes());
byte[] digest = mdAlgorithm.digest();
StringBuffer hexString = new StringBuffer();
for (int i = 0; i < digest.length; i++) {
userPass = Integer.toHexString(0xFF & digest[i]);
if (userPass.length() < 2) {
userPass = "0" + userPass;
}
hexString.append(userPass);
}
// We now have a unique MD5 Hash of original input
out.print(hexString.toString());
if (rs.next())
{
out.print("Exist");
session.setAttribute("loginStatus", "login");
session.setAttribute("userName", varName);
session.setAttribute("userPass", varPass);
nextPage="ShowMain.jsp";
}
else
{
//out.print("Does not exist");
nextPage="Showlogin.htm";
}
// close the resultset and statement
rs.close();
rs = null;
stmt.close();
stmt = null;
} // end try
// catch for 3 exceptions
catch (ClassNotFoundException cnfe) {
out.println ("Could not create driver " + cnfe.getMessage ()) ;
}
catch (SQLException sqle) {
out.println ("Could not connect to database " + sqle.getMessage ()) ;
}
catch (Exception excpt) {
out.println ("Could not connect to database, general error " + excpt.getMessage ()) ;
} // end all catch
// finally to close connection
finally {
if (con != null) {
con.close();
}
} // end finally
%>
<jsp:forward page="<%=nextPage%>"/>
</body>
</html>
Can you help me? Thanks, I have been racking my brains for quite some time.
pcthug
06-06-2006, 03:18 AM
Try this:
<%@page contentType="text/html"%>
<%@page import="java.sql.*"%>
<%@page import="java.security.MessageDigest"%>
<html>
<head>
<title>Check Login</title>
</head>
<body>
<%
String varName=request.getParameter("userName");
String varPass=request.getParameter("userPass");
// Convert varPass request string to flat userPass string
String userPass = varPass;
MessageDigest mdAlgorithm = MessageDigest.getInstance("MD5");
mdAlgorithm.update(userPass.getBytes());
byte[] digest = mdAlgorithm.digest();
StringBuffer hexString = new StringBuffer();
for (int i = 0; i < digest.length; i++) {
userPass = Integer.toHexString(0xFF & digest[i]);
if (userPass.length() < 2) {
userPass = "0" + userPass;
}
hexString.append(userPass);
}
// We now have a unique MD5 Hash string of original input
String md5Pass=hexString.toString(userPass);
String DRIVER = "sun.jdbc.odbc.JdbcOdbcDriver";
Connection con = null;
String nextPage = null;
try {
// set up the DSNless connection to the EJewel.mdb database
String source = "jdbc:odbc:Driver={Microsoft Access Driver (*.mdb)}; DBQ=C:\\Program Files\\Apache Software Foundation\\Tomcat 5.5\\webapps\\ROOT\\EJewel848\\EJewel.mdb";
// Open a Database connection with the Driver
Class.forName(DRIVER);
con = DriverManager.getConnection(source);
// Create sql string to check whether userName is found in database
String sql = "Select * from Customers where userName='" + varName + "' and userPass='" + md5Pass + "'";
// Create statement to connect to Connection
Statement stmt=con.createStatement();
// Execute result set on sql string
ResultSet rs=stmt.executeQuery(sql);
if (rs.next())
{
out.print("Exist");
session.setAttribute("loginStatus", "login");
session.setAttribute("userName", varName);
session.setAttribute("userPass", md5pass);
nextPage="ShowMain.jsp";
}
else
{
//out.print("Does not exist");
nextPage="Showlogin.htm";
}
// close the resultset and statement
rs.close();
rs = null;
stmt.close();
stmt = null;
} // end try
// catch for 3 exceptions
catch (ClassNotFoundException cnfe) {
out.println ("Could not create driver " + cnfe.getMessage ()) ;
}
catch (SQLException sqle) {
out.println ("Could not connect to database " + sqle.getMessage ()) ;
}
catch (Exception excpt) {
out.println ("Could not connect to database, general error " + excpt.getMessage ()) ;
} // end all catch
// finally to close connection
finally {
if (con != null) {
con.close();
}
} // end finally
%>
<jsp:forward page="<%=nextPage%>"/>
</body>
</html>
pcthug
06-06-2006, 03:19 AM
It changes the raw input string to an MD5 hash before querying the db. If the script is not set up this way, the raw input can still be used to query the db.
Thanks, but then there are some errors:
org.apache.jasper.JasperException: Unable to compile class for JSP
An error occurred at line: 10 in the jsp file: /assessment/Checklogin.jsp
Generated servlet error:
The method toString() in the type StringBuffer is not applicable for the arguments (String)
An error occurred at line: 10 in the jsp file: /assessment/Checklogin.jsp
Generated servlet error:
md5pass cannot be resolved
pcthug
06-07-2006, 06:33 AM
I suggest you try asking in the Java (http://www.webdeveloper.com/forum/forumdisplay.php?f=31) forum as my knowledge in Java is currently limited.
Thanks a lot! :) Your help is appreciated.
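Added example, not code from the thread or from any of its posters: the three forms of the login query discussed above (the raw string concatenation from the original Checklogin.jsp, pcthug's revision that hashes the password before concatenating it, and a parameterized query, which is my suggestion rather than anything posted in the thread), run in Python against an in-memory SQLite database so the effect of each payload can be checked offline. The SQL text mirrors the JSP code; the table and column names (Customers, userName, userPass) are the thread's own, while the sample row and the two payloads are constructed for the demonstration. The point it makes that the thread does not: hashing only protects the field that is hashed, and the userName field in pcthug's version still lets the attacker rewrite the WHERE clause.

```python
import hashlib
import sqlite3


def md5_hex(text: str) -> str:
    """Hex MD5 digest, the same transformation the MessageDigest loop in the thread performs."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one customer, password stored as its MD5 hex digest."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Customers (userName TEXT, userPass TEXT)")
    con.execute("INSERT INTO Customers VALUES (?, ?)", ("alice", md5_hex("correct horse")))
    con.commit()
    return con


def login_concat(con: sqlite3.Connection, user: str, password: str) -> bool:
    """The original Checklogin.jsp query: both inputs spliced into the SQL text.

    (The original stored plaintext passwords; the sample row here stores a hash,
    so only the bypass case is meaningful for this function.)
    """
    sql = ("Select * from Customers where userName='" + user
           + "' and userPass='" + password + "'")
    return con.execute(sql).fetchone() is not None


def login_concat_md5(con: sqlite3.Connection, user: str, password: str) -> bool:
    """pcthug's revision: password hashed first, userName still spliced in.

    Hashing neutralises quotes in the password field (a hex digest contains
    none), but the userName field is untouched and still controls the query.
    """
    sql = ("Select * from Customers where userName='" + user
           + "' and userPass='" + md5_hex(password) + "'")
    return con.execute(sql).fetchone() is not None


def login_param(con: sqlite3.Connection, user: str, password: str) -> bool:
    """Parameterized query: the driver passes input as values, never as SQL text.

    In JDBC this is PreparedStatement with '?' placeholders and setString().
    MD5 is kept only to match the thread's storage format; for real password
    storage a salted, deliberately slow hash (bcrypt, scrypt, Argon2) is expected.
    """
    sql = "SELECT 1 FROM Customers WHERE userName = ? AND userPass = ?"
    return con.execute(sql, (user, md5_hex(password))).fetchone() is not None


# Constructed payloads. The first is the one from the opening post; the second
# targets the userName field and needs no comment syntax, so it also works on
# engines that do not understand '--'.
PASSWORD_PAYLOAD = "' or '1'='1"
USERNAME_PAYLOAD = "' or '1'='1' or '1'='1"


def run_checks() -> dict:
    """Return whether each query form grants a login under each payload."""
    return {
        "concat/password payload": login_concat(make_db(), "nobody", PASSWORD_PAYLOAD),
        "concat+md5/password payload": login_concat_md5(make_db(), "nobody", PASSWORD_PAYLOAD),
        "concat+md5/username payload": login_concat_md5(make_db(), USERNAME_PAYLOAD, "x"),
        "param/username payload": login_param(make_db(), USERNAME_PAYLOAD, "x"),
        "param/valid login": login_param(make_db(), "alice", "correct horse"),
        "param/wrong password": login_param(make_db(), "alice", "wrong"),
    }


if __name__ == "__main__":
    for name, logged_in in run_checks().items():
        print(f"{name:32s} -> {'LOGIN' if logged_in else 'rejected'}")
```

Run it with `python3 login_demo.py`: the concatenated query is bypassed by the password payload, the MD5 version rejects that payload but is bypassed through the userName field, and the parameterized version rejects both while still accepting the genuine credentials. The JDBC translation of `login_param` is `con.prepareStatement("SELECT 1 FROM Customers WHERE userName = ? AND userPass = ?")` followed by `setString(1, varName)` and `setString(2, md5Pass)`; the regex filtering suggested earlier in the thread is at best a secondary control, because it has to anticipate every character the database treats as syntax.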