Is there a safe way to authenticate a MySQL user through jsp? If I construct a query like so: String query = "SELECT user, password FROM user WHERE user=\"" + username + "\" AND password = PASSWORD(\"" + password + "\")"; then a potential evildoer can get in by filling in fields thus: username = validUser" OR "1=1 password = any_password_here so the String that goes to MySQL is: "SELECT user, password FROM user WHERE user="validUser" OR "1=1" AND password = PASSWORD("any_old_password")"; This authenticates just fine with any old password, even a blank password. So I constructed my query like so: if(username != null && !username.equals("null") && !username.equals("")) { if(password != null && !password.equals("null") && !password.equals("")) { String query = "SELECT * FROM user WHERE (password=PASSWORD(\"" + password + "\")) AND (user=\"" + username + "\")"; } } The String sent to MySQL is now: "SELECT * FROM user WHERE (password=PASSWORD("any_old_password")) AND (user="validUser" OR "1=1")" This will not authenticate unless the password is valid (at least not that I've found yet!) Can anybody see a problem with this? If so, is there a better way to authenticate a MySQL user? Thanks all! jim
Jason Steele
Ranch Hand
Joined: Apr 25, 2003
Posts: 100
posted
0
If you wrapped the original statement in parens then you should be ok.
"SELECT user, password FROM user WHERE user="validUser" OR "1=1" AND password = PASSWORD("any_old_password")";
should be: "SELECT user, password FROM user WHERE (user="validUser" OR "1=1") AND (password = PASSWORD("any_old_password"))"; Anyhow, Validating the user input is always welcomed before bothering the server with potentially malicious query attempts.
0
