aspose file tools
The moose likes JDBC and Relational Databases and the fly likes Request Opinions on MySQL User Authentication Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Storm Applied this week in the Other Open Source APIs forum!
JavaRanch » Java Forums » Databases » JDBC and Relational Databases
Bookmark "Request Opinions on MySQL User Authentication" Watch "Request Opinions on MySQL User Authentication" New topic
Author

Request Opinions on MySQL User Authentication

Jim NMI Robinson
Greenhorn

Joined: Feb 09, 2004
Posts: 2
Is there a safe way to authenticate a MySQL user through jsp?
If I construct a query like so:
String query = "SELECT user, password FROM user WHERE user=\"" + username + "\" AND password = PASSWORD(\"" + password + "\")";
then a potential evildoer can get in by filling in fields thus:
username = validUser" OR "1=1
password = any_password_here
so the String that goes to MySQL is:
"SELECT user, password FROM user WHERE user="validUser" OR "1=1" AND password = PASSWORD("any_old_password")";
This authenticates just fine with any old password, even a blank password.
So I constructed my query like so:
if(username != null && !username.equals("null") && !username.equals("")) {
if(password != null && !password.equals("null") && !password.equals("")) {
String query = "SELECT * FROM user WHERE (password=PASSWORD(\"" + password + "\")) AND (user=\"" + username + "\")";
}
}
The String sent to MySQL is now:
"SELECT * FROM user WHERE (password=PASSWORD("any_old_password")) AND (user="validUser" OR "1=1")"
This will not authenticate unless the password is valid (at least not that I've found yet!)
Can anybody see a problem with this? If so, is there a better way to authenticate a MySQL user?
Thanks all!
jim
Jason Steele
Ranch Hand

Joined: Apr 25, 2003
Posts: 100
If you wrapped the original statement in parens then you should be ok.
"SELECT user, password FROM user WHERE user="validUser" OR "1=1" AND password = PASSWORD("any_old_password")";

should be:
"SELECT user, password FROM user WHERE (user="validUser" OR "1=1") AND (password = PASSWORD("any_old_password"))";
Anyhow, Validating the user input is always welcomed before bothering the server with potentially malicious query attempts.


An egg is a chicken's house!
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Request Opinions on MySQL User Authentication