secure log in

Status
Not open for further replies.

lizzi (Technical User)
Feb 12, 2004
Hi
Is this a secure way to check a user login?

' The submitted username is concatenated straight into the SQL text
SQL = "SELECT * FROM [users] WHERE [user] = '" & trimVars("user") & "' AND [view] = TRUE;"
set mySQL = Conn.Execute(SQL)
on error resume next

' Compares the stored password of the first returned row with the submitted one
IF mySQL("password") = trimVars("password") THEN
session("ID") = mySQL("ID")
session("userID") = mySQL("ID")
session("name") = mySQL("firstname") & " " & mySQL("lastname")
session("email") = mySQL("email")

...

END IF

Thanks
Lizzi
 
You don't show what the trimVars() function does, so it's hard to say. You're potentially still vulnerable to SQL injection if trimVars doesn't do some form of replacing single quotes with two single quotes, though the database would simply return all of the users in the table and your comparison would be with whichever one the database returned first, so they'd need to have guessed that password.

You're potentially open to some ASP injection in the password comparison, but I don't know much about ASP injection so I can't say.

What does trimVars() do?
 
As long as you're getting rid of the apostrophe (i.e. ' ) then it should be okay.

It looks secure to me; this is the kind of code I would use, but I would be interested to see if anyone says anything else.

Matthew Wilde
matthew@ukwebsite.com
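Both replies turn on what happens to a single quote inside the submitted username. The Python below re-creates the posted query against an in-memory SQLite table so that the claims can be checked; it is an added example, not code from the thread, from Tek-Tips or from either poster. The trim_vars() stand-in, the [users] rows and their passwords are constructed for the demonstration. It shows the first reply's point (an unescaped quote makes the WHERE clause match every user, and the password is then compared against whichever row the database returns first), the quote-doubling Matthew relies on, and the bound-parameter form that removes the injection regardless of what trimVars() does.

```python
"""Added example, not code from the Tek-Tips thread: the posted login check
re-created in Python against SQLite. The table rows, passwords and the
trim_vars() helper are constructed assumptions for the demonstration."""
import sqlite3

# Constructed sample accounts: (ID, user, password, view, firstname, lastname, email).
# carol has view = 0 and must never be able to log in.
USERS = [
    (1, "alice", "correct horse", 1, "Alice", "Ayers", "alice@example.com"),
    (2, "bob", "hunter2", 1, "Bob", "Bauer", "bob@example.com"),
    (3, "carol", "s3cret", 0, "Carol", "Chen", "carol@example.com"),
]


def make_db():
    """Create the [users] table the posted query expects and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE [users] ([ID] INTEGER, [user] TEXT, [password] TEXT,"
        " [view] INTEGER, [firstname] TEXT, [lastname] TEXT, [email] TEXT)"
    )
    conn.executemany("INSERT INTO [users] VALUES (?, ?, ?, ?, ?, ?, ?)", USERS)
    return conn


def trim_vars(value, escape_quotes):
    """Stand-in for the unseen trimVars(): strip whitespace and, when asked,
    double single quotes (the behaviour both replies assume it has)."""
    value = value.strip()
    return value.replace("'", "''") if escape_quotes else value


def build_concat_sql(user, escape_quotes):
    """The posted SELECT, built by string concatenation exactly as in the ASP.
    SQLite has no TRUE literal in older builds, so [view] = 1 stands in for it."""
    return ("SELECT * FROM [users] WHERE [user] = '"
            + trim_vars(user, escape_quotes) + "' AND [view] = 1;")


def matched_users(conn, user, escape_quotes=False):
    """Return the usernames the concatenated query matches, in the order the
    database hands them back."""
    rows = conn.execute(build_concat_sql(user, escape_quotes)).fetchall()
    return [row[1] for row in rows]


def login_concat(conn, user, password, escape_quotes=False):
    """Mirror of the posted ASP logic: take the FIRST row the query returns
    and compare its stored password with the submitted one.
    Returns the user's ID on success, None otherwise."""
    first = conn.execute(build_concat_sql(user, escape_quotes)).fetchone()
    if first is None:
        return None  # in the ASP, On Error Resume Next silently skips the IF here
    return first[0] if first[2] == password.strip() else None


def login_param(conn, user, password):
    """Hardened form: the username is bound as a parameter, so the SQL text is
    fixed and the input can only ever be compared as a value."""
    row = conn.execute(
        "SELECT [ID], [password] FROM [users] WHERE [user] = ? AND [view] = 1;",
        (user.strip(),),
    ).fetchone()
    return row[0] if row is not None and row[1] == password.strip() else None


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR 1=1 --"  # turns the rest of the WHERE clause into a comment
    print("honest login:", login_concat(db, "alice", "correct horse"))
    print("rows matched by injected username:", matched_users(db, payload))
    print("injection + first user's password:", login_concat(db, payload, "correct horse"))
    print("injection + another user's password:", login_concat(db, payload, "hunter2"))
    print("same payload with quotes doubled:", matched_users(db, payload, escape_quotes=True))
    print("same payload, bound parameter:", login_param(db, payload, "correct horse"))
```

With the quote left alone, the payload also comments out the `[view] = TRUE` condition, so even carol's disabled account is among the rows returned; doubling the quote keeps the whole payload inside the string literal and nothing matches. The bound parameter gives the same result without relying on trimVars() being correct. Neither change touches the other weakness visible in the posted code: the password is stored and compared in clear text, which is a separate problem from the injection.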
 