Five Tips for Thwarting Data Input Attacks Against Your Web App: Page 5

The Web is a battleground where data input attacks are a real danger. Michael Howard illustrates how attackers can gain access to your Web apps and how best to stop them.

Tip 4—Check the Values Returned from the SQL Query
One way to mitigate these attacks completely is to stop using count(*) as the "thumbs up, thumbs down." Instead, check the username and password against the username and password returned by the SQL query. The syntax looks like this:

var strSQL = "SELECT name, pwd FROM client WHERE " +
             "(name='" + strName + "') " +
             " and " +
             "(pwd='" + strPwd + "')";
var oRS = new ActiveXObject("ADODB.RecordSet");
var fAllowLogon = false;
try {
    oRS.Open(strSQL, oConn);
    // Accept the logon only if the row the database handed back carries
    // exactly the name and password the user supplied.
    fAllowLogon = (oRS(0).Value == strName && oRS(1).Value == strPwd)
        ? true : false;
} catch (e) {
    // No row came back, so reading a field throws; the logon stays denied.
    fAllowLogon = false;
}

If the SQL query returns no data, an exception is generated and then caught by the catch() body.
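The two logon decisions this tip contrasts, side by side, as an added example that is not code from the article. The recordset is a constructed stand-in for ADODB.RecordSet (no database is involved), and the names `recordSet`, `allowLogonByCount`, `allowLogonByValues` and `demo` are assumed for the illustration.

```javascript
// Constructed stand-in for an ADO recordset holding the rows that
// "SELECT name, pwd FROM client WHERE ..." returned.
function recordSet(rows) {
  return {
    count: rows.length,
    field(i) {
      // Mimic ADO: reading a field of an empty recordset throws.
      if (rows.length === 0) throw new Error("no current record");
      return rows[0][i];
    },
  };
}

// The "thumbs up, thumbs down" decision the tip argues against:
// any non-empty result is taken as a successful logon.
function allowLogonByCount(rs) {
  return rs.count > 0;
}

// Tip 4: accept only if the returned row carries exactly the name and
// password the user typed; an empty recordset throws and is treated as denied.
function allowLogonByValues(rs, strName, strPwd) {
  try {
    return rs.field(0) === strName && rs.field(1) === strPwd;
  } catch (e) {
    return false;
  }
}

// Constructed situations the check must handle.
const legit = recordSet([["alice", "s3cret"]]);   // correct credentials
const none = recordSet([]);                       // wrong credentials
// A subverted WHERE clause can hand back some other user's row: the row
// count is 1, but its values are not what was typed.
const unrelatedRow = recordSet([["admin", "hunter2"]]);

function demo() {
  return {
    countLegit: allowLogonByCount(legit),                          // true
    valuesLegit: allowLogonByValues(legit, "alice", "s3cret"),     // true
    countNone: allowLogonByCount(none),                            // false
    valuesNone: allowLogonByValues(none, "bob", "x"),              // false
    countUnrelated: allowLogonByCount(unrelatedRow),               // true: count check fooled
    valuesUnrelated: allowLogonByValues(unrelatedRow, "bob", "x"), // false: value check holds
  };
}
```

The last pair is the point of the tip: a row count cannot tell a genuine match from a row returned for the wrong reason, while comparing the returned values can.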

