Functionally it looks OK, but you have a number of potential security problems.
Firstly, you're storing your passwords in plain text in the database, which allows an attacker who can inspect your database to impersonate any user. It's typically better to use some form of hashing in order to prevent a direct attack. Look at the CAPICOM API for use of cryptographic hashing functions.
Your maximum limit on passwords seems quite short, and your minimum limit is very short. There are ways of computing the effective bit length of a password, which suggest that a 20 character password can only be considered equivalent to a 128-bit symmetric encryption key if the password includes both upper and lower case letters, digits and punctuation marks.
Your use of string concatenation to build a SQL string is very weak and could subject you to SQL injection attacks. For example, if an attacker typed
' DROP tblUser --
your strSQL would end up as
SELECT User_Username, User_Password FROM tblUser WHERE User_Username = '' DROP tblUser --'
The comment operator -- prevents the trailing quote mark from causing a syntax error. This would then cause a denial of service to all valid users. You should not trust user data in this way - any user data. It is generally better to use regular expressions to define the set of characters allowed in inputs.
You can mitigate the problem by using an ADO Command object with a collection of parameters, which will cause ADO and the database engine to perform any quoting necessary.
Finally, and I'll admit this one is a bit contentious, you may be giving too much information away in case of failure - you inform the user whether the username or the password was incorrect. This allows an attacker to narrow the problem set - first he has to find the username, then the password. If you don't indicate which is incorrect, the attacker has to generate all possible passwords for all possible usernames, or use some kind of social engineering to discover one or both.
If you decide to do this, you might decide to get the database to perform all the comparisons:
SELECT User_Username FROM tblUser WHERE User_Username = ? AND User_Password = ? where the ? represent parameters.
Can you maybe tell me where to get alternative information on this? I have searched the web but was unable to find info.
You stated the following... "It is generally better to use regular expressions to define the set of characters allowed in inputs", how can I improve my code to do this?
A good source of security information is the book I've just been reading (can you tell?), Writing Secure Code by Michael Howard and David LeBlanc (MS Press). Michael Howard also writes the MSDN Code Secure column, which you can also find via the MSDN Security Developer Centre.
To use regular expressions in an ASP page, use the RegExp object.
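Putting the first reply's three points together in classic ASP, as an added example that is not code from the thread: a RegExp allow-list on the username, a hashed rather than clear-text password column, and a parameterised ADO Command that yields a single failure result. It assumes tblUser(User_Username, User_Password) as in the thread, with User_Password holding the digest HashPassword() produces, and an open ADODB.Connection in objConn; the Const values are the standard ADO and CAPICOM enumerations.

```vbscript
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1
Const CAPICOM_HASH_ALGORITHM_SHA1 = 0

' Allow-list validation: only 3 to 20 letters, digits or underscores,
' so quotes and comment markers never reach the SQL at all.
Function IsValidUsername(strName)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_]{3,20}$"
    IsValidUsername = re.Test(strName)
End Function

' One-way hash of the password, salted with the username so two users with
' the same password store different digests. Store and compare this value,
' never the clear text. (Assumed layout; the thread only names CAPICOM.)
Function HashPassword(strUser, strPwd)
    Dim hd
    Set hd = Server.CreateObject("CAPICOM.HashedData")
    hd.Algorithm = CAPICOM_HASH_ALGORITHM_SHA1
    hd.Hash LCase(strUser) & ":" & strPwd
    HashPassword = hd.Value   ' 40-character hex string
End Function

' True only when username and password digest match a row. The caller gets
' one "login failed" answer either way, so it cannot tell which part was wrong.
Function Authenticate(objConn, strUser, strPwd)
    Dim cmd, rs
    Authenticate = False
    If Not IsValidUsername(strUser) Then Exit Function
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = objConn
    cmd.CommandType = adCmdText
    ' The ? markers are bound by ADO; user text is never spliced into the SQL.
    cmd.CommandText = "SELECT User_Username FROM tblUser " & _
                      "WHERE User_Username = ? AND User_Password = ?"
    cmd.Parameters.Append cmd.CreateParameter("uname", adVarChar, adParamInput, 20, strUser)
    cmd.Parameters.Append cmd.CreateParameter("pwd", adVarChar, adParamInput, 40, _
                                              HashPassword(strUser, strPwd))
    Set rs = cmd.Execute
    Authenticate = Not rs.EOF
    rs.Close
End Function
```

Salted SHA-1 via CAPICOM is what this thread's era offers; a deliberately slow password hash is the better choice where one is available.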
Hi
I am trying to develop a toolbar (for IE) to bring up the annotations on the page in the browser. When a section of the text is highlighted in the browser, I need to return the parent ID of the item selected. By ID I mean that, assuming each of the HTML tags in the page is given an ID, we have a tree structure.
for eg
thus
The question is: having such a page, I need to write a function to return the ID of the parent node (since we have a tree structure) of the portion of the text selected. I guess this can be done using JavaScript. I have tried to implement it in a crude form. Can anyone guide me to do it? Is there any other way to do it (using C#) etc.? The toolbar is implemented in C#.
Srikar Y
NITK Surathkal
When I view a directory through my browser, I get the following fields:
Name, Last Modified, Size, Description
How can I access the Description field to update it on uploads?
"The beat goes on.. da-da-dum dadum dum" BW
If the web server is Apache, then the description is determined by the AddDescription directive, which you can place in the .htaccess for that directory. Example:
AddDescription "Something different" foo.gif
AddDescription "Something interesting" bar.gif
Documentation:
http://httpd.apache.org/docs/mod/mod_autoindex.html#adddescription
- Mike
Has anyone installed VS6 after they installed VS .Net and if so are there any issues that need to be addressed. I have VS.Net installed on Windows XP Pro but still need to take care of older ASP and VB applications.
I actually had to install VS6 a few weeks ago, after using VS.NET and VS.NET 2k3 for a while. No problems so far... all three versions are happily coexisting, it seems.
- Mike
I am running a PHP script.
I am displaying contents using HTML.
I have a date field. After the user enters a date, a report is displayed.
I call the same script for the submit action.
When the report is displayed, the value from the date field is lost.
I want to retain this value the next time the report is displayed. How do I retain the previous field value when the page is refreshed?
Well, first you switch to ASP.NET...
--
-Blake (com/bcdev/blake)
Is it not possible to remember the values of any fields, like an edit control, from the previous page on the next page using PHP and HTML?
Remember this is a stateless environment. You need to provide the mechanism by query strings, hidden fields, or other methods. ASP.NET uses viewstate which is in essence a hidden field.
I am running a PHP script.
I am displaying contents using HTML.
I want to display a file path. The problem is it does not display '\' in the path.
e.g. c:\temp1\test.c
It displays it as c:temp1temp.c
I am reading the path from a MySQL database.
How can I display '\' in the file path?
Do you need to escape the backslash with another backslash?
c:\\temp1\\test.c ?
I did not get your question.
'/' in the text is not getting displayed.
e.g. text to be displayed:
c:\temp\tree\install
It gets displayed as follows:
c:temptreeinstall
What does your code for displaying the data look like? Please try to narrow your problem down to a small piece of code to make it easier for us to find your problem.
- Mike
Hi, I'm running IIS and sometimes Apache on my home machine and would like to know how to convert the "localhost" word in the URL to something that someone from another computer can access.
If the URL I use to access the page is
localhost:8080/Home.html
and my IP address is 152.103.2.19
then I test the URL as
http://152.103.2.19:8080/Home.html but it says page not found... am I doing something wrong?
If you have IIS and Apache on the same machine, then first of all stop the Apache service, then start the IIS server (Start - Settings - Control Panel - Administrative Tools - Internet Services Manager), click on Default Web Site and start the service.
Now browse to the URL (e.g. "http://160.2.80.6/test.htm").
Since you have an HTML page you need to check its extension, as it may be .htm or .html.
You can also use the computer name rather than the IP address.
Cheers
Amit Chowdhury
You might have the web server listening specifically on 127.0.0.1 or a name-based host "localhost", or a firewall might be blocking port 8080.
Are you actually connecting, but getting a 404, or is the browser unable to connect at all?
- Mike
For your information: if we use IE as the web browser and there is a port number specified after the server name or server IP, the URL must have the http:// prefix; if not, IE cannot find the page.
Hello my friends,
After a discussion at this thread http://www.codeproject.com/script/comments/forums.asp?forumid=1640&app=50&fr=51#xx623641xx that I had with a fellow CPian, I started thinking that using DIVs and CSS for making the layout of web pages might be an interesting approach.
I would like to see how different people use the DIV and SPAN tags. I have read the MSDN documentation but I would like to see how these tags are used in terms of building layouts. For example, when do you use a DIV and when do you use a SPAN tag and why?
Do you see any advantages or disadvantages for these tags in terms of comparing them?
Thank you.
theJazzyBrain
Wise is he who asks good questions, not he who gives good answers
By default, div is for "blocks" of elements, which is useful for layout purposes, and span is for chunks of inline elements, such as a sentence or a word. Of course, CSS allows you to override the defaults and make a span work like a div and vice-versa.
- Mike
Yeah, functionally, a span is exactly the same as a div, except that a span has its CSS display attribute set to 'inline' by default, and a div has its display attribute set to 'block' by default. That's pretty much it.
NATHAN RIDLEY
Web Application Developer
generalgherkin@yahoo.com
How do I replicate web content for multiple domain names?
(www.ukphoneshop.co.uk and www.allmobiles4u.co.uk)
Amit Chowdhury
Simple....
Just get as many 'domain names' as you want. Point them to the same webspace (with those DNS options). And then process the requests (inside the webpage) with respect to the 'site-referer' to show that there are 'different' websites.
Does this satisfy your request?
I was born intelligent. Education ruined me!