Recent 2-3 weeks I 've been involved in developing a small data entry application together with our group members as one of our internal projects. We had this urge to do it by our selves rather than to get it done by some dev guys, mainly because to get a respite from the monotonous life style of being a tester. Luckily I had the chance to learn some stuff of coding thanks to Google,of course the resource donors.
Application was decided to be done in classic ASP( which was the only language that I knew to be frank ;) I used to do some coding with ASP when I was a student). So started with ASP/VB Script/ADO at the middle and HTML/JavaScript at the front and with MS Access at the back end.
here is a sample code to counter it. Its simple. first line of defense. Just sanitize the input. Check for dangerous characters and replace them with harmless. .I f you have a query string like:
"select username,password from table_login where username='"&userval&"' AND password='"&passval&"'",
then this can be easily be manipulated and gain access to internal resources by using a string like " ' or 1= 1 " (there are variations of this type) as your inputs.
use the following piece of code.
username=Replace(Request.Form("username"), "'", "''")
The potentially dangerous character " ' " is replaced here. Use of stored procedures is not allowed with Access. Its a better method of countering the hazard
Another issue with log in
What if the user types the URL of an internal resource other than the login page in the address bar and gain access, bypassing the login? How do you redirect the user back to the login page if user is not authenticated?
Use a session variable (session("Authenticated") as a flag.
If user is validated, set to session("Authenticated") =1 else to 0.And use this code in pages where necessary.
Declare session("Authenticated") =0 variable in global.asa file under sub Session_OnStart event.
global.asa--
sub Session_OnStart
Session("Authenticated") = 0
end sub
Writing error message to the request page after an unsuccessful login attempt
Say you have login.asp page where you accept the user inputs and pass it to validate.asp page to validate. There it finds the credentials given are incorrect and user is redirected to login.asp again with a error message.
if login unsuccessful then
response.redirect(login.asp)- this works
response.write("wrong username/password")- this won't work
end if
so how to write this error message in the login.asp?
response.Redirect("login.asp?status=unsuccess"). pass a parameter 'status' together with the redirection. and capture it at the login.asp page like this:
if request.querystring("status")="unsuccess" then
response.write ("Wrong username or password")
end if
Some client side java script validations used
1. checking the inputs are not blank
var input1= form1.input1.value;
var input2= form1.input2.value;
if ( input1.length == 0 || input2.length == 0)
{
alert ("Fields cannot be empty")
}
2. Number validation
verify that the input only accepts numbers
var val=document.form1.id.value==parseInt(document.form1.id.value);
if (!val)
{
alert("Numbers only")
}
Application was decided to be done in classic ASP( which was the only language that I knew to be frank ;) I used to do some coding with ASP when I was a student). So started with ASP/VB Script/ADO at the middle and HTML/JavaScript at the front and with MS Access at the back end.
here is a sample code to counter it. Its simple. first line of defense. Just sanitize the input. Check for dangerous characters and replace them with harmless. .I f you have a query string like:
"select username,password from table_login where username='"&userval&"' AND password='"&passval&"'",
then this can be easily be manipulated and gain access to internal resources by using a string like " ' or 1= 1 " (there are variations of this type) as your inputs.
use the following piece of code.
username=Replace(Request.Form("username"), "'", "''")
The potentially dangerous character " ' " is replaced here. Use of stored procedures is not allowed with Access. Its a better method of countering the hazard
Another issue with log in
What if the user types the URL of an internal resource other than the login page in the address bar and gain access, bypassing the login? How do you redirect the user back to the login page if user is not authenticated?
Use a session variable (session("Authenticated") as a flag.
If user is validated, set to session("Authenticated") =1 else to 0.And use this code in pages where necessary.
Declare session("Authenticated") =0 variable in global.asa file under sub Session_OnStart event.
global.asa--
sub Session_OnStart
Session("Authenticated") = 0
end sub
Writing error message to the request page after an unsuccessful login attempt
Say you have login.asp page where you accept the user inputs and pass it to validate.asp page to validate. There it finds the credentials given are incorrect and user is redirected to login.asp again with a error message.
if login unsuccessful then
response.redirect(login.asp)- this works
response.write("wrong username/password")- this won't work
end if
so how to write this error message in the login.asp?
response.Redirect("login.asp?status=unsuccess"). pass a parameter 'status' together with the redirection. and capture it at the login.asp page like this:
if request.querystring("status")="unsuccess" then
response.write ("Wrong username or password")
end if
Some client side java script validations used
1. checking the inputs are not blank
var input1= form1.input1.value;
var input2= form1.input2.value;
if ( input1.length == 0 || input2.length == 0)
{
alert ("Fields cannot be empty")
}
2. Number validation
verify that the input only accepts numbers
var val=document.form1.id.value==parseInt(document.form1.id.value);
if (!val)
{
alert("Numbers only")
}
No comments:
Post a Comment