Request Opinions on MySQL User Authentication

Jim NMI Robinson
Greenhorn

Joined: Feb 09, 2004
Posts: 2
Is there a safe way to authenticate a MySQL user through jsp?
If I construct a query like so:
String query = "SELECT user, password FROM user WHERE user=\"" + username + "\" AND password = PASSWORD(\"" + password + "\")";
then a potential evildoer can get in by filling in fields thus:
username = validUser" OR "1=1
password = any_password_here
so the String that goes to MySQL is:
"SELECT user, password FROM user WHERE user="validUser" OR "1=1" AND password = PASSWORD("any_old_password")";
This authenticates just fine with any old password, even a blank password.
So I constructed my query like so:
if(username != null && !username.equals("null") && !username.equals("")) {
    if(password != null && !password.equals("null") && !password.equals("")) {
        String query = "SELECT * FROM user WHERE (password=PASSWORD(\"" + password + "\")) AND (user=\"" + username + "\")";
    }
}
The String sent to MySQL is now:
"SELECT * FROM user WHERE (password=PASSWORD("any_old_password")) AND (user="validUser" OR "1=1")"
This will not authenticate unless the password is valid (at least not that I've found yet!)
Can anybody see a problem with this? If so, is there a better way to authenticate a MySQL user?
Thanks all!
jim
Jason Steele
Ranch Hand

Joined: Apr 25, 2003
Posts: 100
If you wrapped the original statement in parens then you should be ok.
"SELECT user, password FROM user WHERE user="validUser" OR "1=1" AND password = PASSWORD("any_old_password")";

should be:
"SELECT user, password FROM user WHERE (user="validUser" OR "1=1") AND (password = PASSWORD("any_old_password"))";
Anyhow, validating the user input is always welcomed before bothering the server with potentially malicious query attempts.


An egg is a chicken's house!
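For comparison, here is the same login check written with a JDBC PreparedStatement. This is an added example, not code posted by either participant above. It keeps the thread's table and column names (user, password) and MySQL's PASSWORD() function; the JDBC URL and database credentials are placeholders, and the try-with-resources syntax assumes Java 7 or later. Because the user name and password are bound as parameters, the input username = validUser" OR "1=1 is sent to the server as one literal string to compare against the user column, so it cannot change the shape of the WHERE clause the way the concatenated queries above do, regardless of where the parentheses go.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class MySqlAuth {
    // Placeholder connection details (not from the thread); adjust for your setup.
    private static final String JDBC_URL = "jdbc:mysql://localhost:3306/appdb";
    private static final String DB_USER = "appuser";
    private static final String DB_PASS = "changeme";

    /**
     * Returns true only if exactly one row matches both the user name and the
     * password. The '?' placeholders are bound with setString(), so a value such
     * as validUser" OR "1=1 is compared as a single literal user name and never
     * becomes part of the SQL text.
     */
    public static boolean authenticate(String username, String password) throws SQLException {
        // Same null/empty checks as the original post, kept outside the query.
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
            return false;
        }
        // Same table, columns and MySQL PASSWORD() function used in the thread.
        String sql = "SELECT COUNT(*) FROM user WHERE user = ? AND password = PASSWORD(?)";
        try (Connection conn = DriverManager.getConnection(JDBC_URL, DB_USER, DB_PASS);
             PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                // Exactly one matching row means a valid user/password pair.
                return rs.next() && rs.getInt(1) == 1;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // The inputs from the thread: with parameter binding this is false
        // unless a user literally named  validUser" OR "1=1  exists.
        System.out.println(authenticate("validUser\" OR \"1=1", "any_password_here"));
    }
}
```

Counting rows rather than selecting the password column also means the hash never travels back to the JSP; the only thing the page learns is whether the pair matched.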