It's me again on sql injection


Stefan B Rusynko

It has the minimum protection that should be used by at least using the Function ParseText(TXT) on the UID & PWD form field data
- if you are not using a SQL server (but just using an Access DB)
- if your UID & PWD assignments only allow alpha-numeric data and are unique
- although it does allow : (char 58), so it should probably be changed to
If (intText > 47 And intText < 58) Or _ instead of If (intText > 47 And intText < 59) Or _




| Hi is this method by microsoft protected against sql injection
| http://support.microsoft.com/default.aspx?scid=kb;en-us;321439#XSLTH3124121123120121120120
|
| Paul M
|
|
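As an added illustration (not code from the KB article or from any poster in this thread), here is the character-whitelist idea behind ParseText re-implemented in Python so the bound Stefan is discussing can be checked directly. The digit comparison is taken from the post ("> 47 And < 59" as posted versus "< 58" as suggested); the letter ranges 65..90 and 97..122 are assumed to be what "a-z, A-Z" means in ASCII, and dropping (rather than rejecting) anything outside those ranges is an assumption about how the KB sample behaves.

```python
# Added example: a Python re-implementation of the character-whitelist idea
# behind the KB article's ParseText. It is NOT the KB code or the thread's code.

DIGIT_UPPER_AS_POSTED = 59   # the page's "intText < 59": lets ':' (code 58) through
DIGIT_UPPER_FIXED = 58       # Stefan's suggested "intText < 58": only '0'..'9'


def parse_text(txt: str, digit_upper: int = DIGIT_UPPER_FIXED) -> str:
    """Return txt with every character outside the whitelist removed.

    Ranges (open intervals on the character code, mirroring the VBScript
    comparisons quoted on the page):
      47 < code < digit_upper  -> digits (48..57 when digit_upper is 58)
      64 < code < 91           -> 'A'..'Z'   (assumed: the post says A-Z)
      96 < code < 123          -> 'a'..'z'   (assumed: the post says a-z)
    Dropping rather than rejecting disallowed characters is an assumption
    about how the KB sample behaves.
    """
    kept = []
    for ch in txt:
        code = ord(ch)
        if (47 < code < digit_upper) or (64 < code < 91) or (96 < code < 123):
            kept.append(ch)
    return "".join(kept)


def is_safe_for_login(txt: str, digit_upper: int = DIGIT_UPPER_FIXED) -> bool:
    """True when the value survives the filter unchanged, i.e. it is purely
    alphanumeric and contains none of the characters (' = space) that the
    thread's probe relies on."""
    return parse_text(txt, digit_upper) == txt


def leaked_characters(txt: str, digit_upper: int) -> set:
    """Non-alphanumeric characters a given bound still lets through; used to
    show the difference between the two bounds."""
    return {ch for ch in parse_text(txt, digit_upper) if not ch.isalnum()}


if __name__ == "__main__":
    probe = "' or 'a'='a"          # the value Paul asks about in this thread
    print(repr(parse_text(probe)))  # quotes, spaces and '=' are removed
    for bound in (DIGIT_UPPER_AS_POSTED, DIGIT_UPPER_FIXED):
        print(bound, leaked_characters("user:name", bound))
```

With the posted bound the colon survives the filter; with the corrected bound only letters and digits do, which is the property Stefan relies on when he says the function does not allow ' or =.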
 

Paul M

Thanks Stefan
So will it stop sql injection like entering ' or 'a'='a into the
username and password fields
Paul M
 

Stefan B Rusynko

Paul
- if it only allows a-z, A-Z, and 0-9
- then it does not allow ' or =




| > --
| >
| > _____________________________________________
| > SBR @ ENJOY (-: [ Microsoft MVP - FrontPage ]
| > "Warning - Using the F1 Key will not break anything!" (-;
| > To find the best Newsgroup for FrontPage support see:
| > http://www.net-sites.com/sitebuilder/newsgroups.asp
| > _____________________________________________
 

Stefan B Rusynko

Nothing is 100% safe (-;
- but it is the best sample login code (of all your other posted snippets) that you should be using w/ Access (which is what it was
written for, and which is what I said in my initial response to this posted thread)




| Thanks Stefan
| I am using an access database so I will be safe?
| Paul M
 

Stefan B Rusynko

IMHO
That is a weak implementation
- since it drops the input checking function (Function ParseText(TXT))
- and uses cookies to store both the UID & Password
(generated from global Request - which is definitely not the safest way)




| There is a modified version of the script here:
| http://jetstat.com/asp/frontpage_logon/
| It has some improvements such as "Remember Me" and the possibility to
| login as an Administrator or ordinary user.
|
| Regards Jens Peter Karlsen. Microsoft MVP - Frontpage.
|
| On Sat, 10 Sep 2005 09:26:37 -0400, "Stefan B Rusynko"
|
| >Nothing is 100% safe (-;
| >- but it is the best sample login code (of all your other posted snippets) that you should be using w/ Access (which is what it was
| >written for, and which is what I said in my initial response to this posted thread)
|
 

Kevin Spencer

Using Access, it is difficult to be safe. Using SQL Server, or another
database server that supports strongly-typed Stored Procedures, and granular
permissions, with good input validation on the client, and well-written
Stored Procedures, as well as well-designed permissions, is the only way to
be 100% safe.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
Neither a follower nor a lender be.

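An added example, not from Kevin's post or from the KB sample, showing what Kevin means by having the database treat input as data rather than as query text: the same login query written once with string concatenation and once with bound parameters. sqlite3 (in-memory) is used as a stand-in for SQL Server or Access, the users table and its single row are constructed for the demo, and the probe value is the ' or 'a'='a string Paul asked about earlier in the thread.

```python
# Added example: string-built vs parameterised login query. Not code from
# Kevin's post or from the KB sample. sqlite3 stands in for SQL Server/Access;
# the users table and its one row are constructed for the demo.
import sqlite3

PROBE = "' or 'a'='a"  # the value Paul asks about earlier in the thread


def make_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid TEXT NOT NULL, pwd TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('alice', 'secret1')")  # constructed row
    conn.commit()
    return conn


def build_concat_sql(uid: str, pwd: str) -> str:
    """The pattern the thread warns about: form input pasted into the query
    text, so a quote in the input changes the statement's structure."""
    return ("SELECT COUNT(*) FROM users WHERE uid = '" + uid +
            "' AND pwd = '" + pwd + "'")


def login_concat(conn: sqlite3.Connection, uid: str, pwd: str) -> bool:
    """Login check built by concatenation; returns True when any row matches."""
    return conn.execute(build_concat_sql(uid, pwd)).fetchone()[0] > 0


def login_param(conn: sqlite3.Connection, uid: str, pwd: str) -> bool:
    """Bound parameters: the driver passes uid and pwd as values, never as
    SQL text, so quotes and '=' in them cannot alter the WHERE clause."""
    sql = "SELECT COUNT(*) FROM users WHERE uid = ? AND pwd = ?"
    return conn.execute(sql, (uid, pwd)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_demo_db()
    print(build_concat_sql(PROBE, PROBE))   # the statement the database actually sees
    print("concat, real creds :", login_concat(db, "alice", "secret1"))
    print("concat, probe      :", login_concat(db, PROBE, PROBE))   # bypass
    print("param,  probe      :", login_param(db, PROBE, PROBE))    # rejected
```

The two defences in this thread are complementary: the ParseText whitelist shrinks the character set a user can submit, while parameters (or the strongly-typed stored procedures Kevin mentions) stop the remaining characters from ever being parsed as SQL.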
 

Paul M

Thanks Stefan
Paul M
 
