dcsimg
Login | Register   
RSS Feed
Download our iPhone app
TODAY'S HEADLINES  |   ARTICLE ARCHIVE  |   FORUMS  |   TIP BANK
Browse DevX
Sign up for e-mail newsletters from DevX

By submitting your information, you agree that devx.com may send you DevX offers via email, phone and text message, as well as email offers about other products and services that DevX believes may be of interest to you. DevX will process your information in accordance with the Quinstreet Privacy Policy.


advertisement
 

Five Tips for Thwarting Data Input Attacks Against Your Web App  : Page 5

The Web is a battleground where data input attacks are a real danger. Michael Howard illustrates how attackers can gain access to your Web apps and how best to stop them.


advertisement

WEBINAR:

On-Demand

Application Security Testing: An Integral Part of DevOps


Tip 4—Check the Values Returned from the SQL Query
One way to mitigate these attacks completely is to stop using count(*) as the "thumbs up, thumbs down." Instead, check the username and password against the username and password returned by the SQL query. The syntax looks like this:

var strSQL = "SELECT name, pwd FROM client WHERE " + "(name='" + strName + "') " + " and " + "(pwd='" + strPwd + "')"; var oRS = new ActiveXObject("ADODB.RecordSet"); oRS.Open(strSQL,oConn); fAllowLogon = (oRS(0).Value == strName && oRS(1).Value == strPwd)
? true : false;

If the SQL query returns no data, an exception is generated and then caught by the catch() body.


Comment and Contribute

 

 

 

 

 


(Maximum characters: 1200). You have 1200 characters left.

 

 

Sitemap
Thanks for your registration, follow us on our social networks to keep up-to-date