Hello there,
I have created a login page for users. The login page contains <FORM action="verifyuser.asp" method="post">. The verifyuser page verifies that the user exists in the database. All the pages (home, login, memberspage, updatemember) seem to be working properly except for the verifyuser page. This is the code for the page:
<%
Dim objConn, oRSu, SQL
Dim varUsername, varPassword

Set objConn = Server.CreateObject("ADODB.Connection")
objConn.Open "Provider=SQLOLEDB.1;Persist Security Info=False;" & _
    "User ID=sa;Password=test12345;Initial Catalog=members;Data Source=Kai-PC;"

varUsername = Request.Form("Username")
varPassword = Request.Form("Password")

Set oRSu = Server.CreateObject("ADODB.Recordset")

' A string literal cannot be broken across lines without the "& _" continuation,
' and two statements cannot share a line without ":"; either is a compile error,
' which classic ASP reports as HTTP 500.
SQL = "Select * from Users where Username = '" & varUsername & "' AND " & _
      "Password = '" & varPassword & "'"
oRSu.Open SQL, objConn

If oRSu.EOF Then
    Response.Redirect "Login.asp"
End If

Session("Username") = oRSu("Username")
Session("password") = oRSu("password")
oRSu.Close
Set oRSu = Nothing
Response.Redirect "memberspage.asp"
%>
Whenever I try to log in, an HTTP 500 Internal Server Error appears... I have no idea whether that is caused by the code or because I'm using Vista? Thanks
If I recall, HTTP 500 is a login/security error.
On another VERY important point.
Assuming the above error is corrected, what do you think would be the result if the user were to type the following in the UserName textbox on the Login.asp page? (Type the characters between the square brackets.)
['' or 1=1--]
Eleven characters. This is a widely known and significant security breach that many web developers make - you are not alone...
An even worse mistake is that you are using the 'sa' account - for after the 'hacker' uses the above exploit, he/she is in your database operating under the 'sa' account. At that moment, the hacker 'owns' your database, and your entire server and all other databases on the server. And depending upon your network security, he/she may be able to access other servers and resources on your network.
Yes, you have another redirect, but that is a minor inconvenience to a hacker...
Is the first row in the users table the administrator? Quite often the case...
Suddenly not feeling too comfortable, wondering if your résumé needs updating, thinking that now might be a good time to start that other business you've been dreaming about?
Perhaps reading these articles will help ease the rush of anxiety...
Security – Best Practices
http://vyaskn.tripod.com/sql_server_security_best_practices.htm
Security – Protecting against Hacking and Password Cracking
http://www.airscanner.com/pubs/sql.pdf#search=%22sql%20server%20password%20crack%20sqlping%22
Overview of the SQL Server Security Model and Security Best Practices
http://www.sql-server-performance.com/vk_sql_security.asp
You might wish to check out www.SQLSecurity.com
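As an added example (not the original poster's code and not part of the reply above), here is the same verifyuser.asp check rewritten so the form values are passed as ADODB.Command parameters instead of being spliced into the SQL text, which is what makes the ' or 1=1-- input above harmless. The SQL login members_web, its SELECT-only grant, the placeholder password and the column size of 50 are assumptions.

```vbscript
<%
Option Explicit
Dim objConn, objCmd, oRSu, varUsername, varPassword

varUsername = Request.Form("Username")
varPassword = Request.Form("Password")

' Assumption: members_web is a SQL login granted only SELECT on dbo.Users,
' so even a successful attack cannot act as 'sa'. Password is a placeholder.
Set objConn = Server.CreateObject("ADODB.Connection")
objConn.Open "Provider=SQLOLEDB.1;Data Source=Kai-PC;Initial Catalog=members;" & _
             "User ID=members_web;Password=<members_web password>;"

' Parameterised query: the driver sends the values separately from the SQL,
' so quotes, "or 1=1" and "--" inside the input are just characters.
Set objCmd = Server.CreateObject("ADODB.Command")
Set objCmd.ActiveConnection = objConn
objCmd.CommandType = 1 ' adCmdText
objCmd.CommandText = "SELECT Username FROM Users WHERE Username = ? AND Password = ?"
' CreateParameter(name, type, direction, size, value): adVarChar = 200, adParamInput = 1
objCmd.Parameters.Append objCmd.CreateParameter("@u", 200, 1, 50, varUsername)
objCmd.Parameters.Append objCmd.CreateParameter("@p", 200, 1, 50, varPassword)

Set oRSu = objCmd.Execute

If oRSu.EOF Then
    oRSu.Close
    objConn.Close
    Response.Redirect "Login.asp"
End If

' Keep only the username in the session; the password never needs to be
' stored there (and the Password column should hold a salted hash, not plaintext).
Session("Username") = oRSu("Username")
oRSu.Close
objConn.Close
Response.Redirect "memberspage.asp"
%>
```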