I have a form written in classic ASP with some light client-side validation. Everything works well except for one thing - the form fails when there's an apostrophe. One of the fields may have apostrophes often (last name field - form would fail if user's last name was O'Brien, for example).
How do I fix this?
You'll have to examine your ASP code. If you see any code that looks like
string SQL =
"SELECT user_id, first_name,last_name FROM users WHERE username = "
+ myUserName;
where myUserName comes from the user, then you are definitely vulnerable.
The fix is NOT to try to escape the input (i.e., replace all "'" with "''") but to use a completely different method as outlined in this article on SQL Injection and how to avoid it
In a nutshell, try something like the following from the bobby-tables site
String username = "joe.bloggs";
SqlCommand sqlQuery = new SqlCommand(
"SELECT user_id, first_name,last_name FROM users WHERE username = ?username",
sqlConnection);
sqlQuery.Parameters.AddWithValue("?username", username);
Related
Is there a way to successfully bind while leaving out one of the files in the bind search base string? I don't always know what $site is for a user and if I leave it out the binding fails. Can I have something like OU=*,
$ldapSearchBase = "OU=$site,OU=xxxx,OU=xxxx,DC=$globalLocation,DC=companyName,DC=com";
If I leave the site out I get. it works if I put in my correct site
The wrong password was supplied or the SASL credentials could not be processed
LDAP binds require you to have a single unique distinguished name plus the appropriate credentials (user/pass, SSL, etc.). Your bind will always fail if your DN is not unique.
You might want to try splitting your base DN and varying whatever $site is:
my $ldapSearchBase = "OU=user,OU=accounts,DC=$globalLocation,DC=companyName,DC=com";
my $ldapSite = "OU=$site";
my $bindString = $ldapSearch . "," . $ldapSearchBase;
Use the first container as search base:
$ldapSearchBase = "DC=$globalLocation,DC=companyName,DC=com";
I am using ruby's Net::IMAP object and I can retrieve a set of emails using either:
IMAP.all ..args..
Or
IMAP.find ..args..
But is there anyway of retrieving a specific email, preferably by the message-id header for example?
Is this possible or am I limited to all and find and trying to narrow the result set with better arguments?
I didn't understand what technology you're using with IMAP. However the IMAP Specification provides the ability to search by a variety of fields, including email headers. You can use the following IMAP command to retrieve the UID of an email with Message-Id <53513DD7.8090606#imap.local>:
0005 UID SEARCH HEADER Message-ID <53513DD7.8090606#imap.local>
This will then give you a response such as the following:
* SEARCH 1
0005 OK UID completed
In my case the email with Message-Id <53513DD7.8090606#imap.local> was the first one, so the SEARCH command returned a matching UID of 1.
You can then retrieve the message using a UID FETCH command, such as the following:
0006 UID FETCH 1 BODY[]
Naturally, if you know the UID in advance, you can skip the UID SEARCH step, but that depends on your application.
For anybody else who is looking at this, these keys will do the trick:
keys: ['HEADER', 'MESSAGE-ID', message_id]
Just to give a full ruby solution incase it's helpful to someone else.
Bear in mind that if the message is in a subfolder you'll need to manually search through each folder to find the message you are after.
search_message_id = "<message-id-you-want-to-search-for>"
email = "youremail-or-imap-login"
password = "yourpassword"
imap = Net::IMAP.new("imap.example.com", 993, ssl: true)
imap.login(email, password)
imap.select("Inbox")
imap.search(["HEADER", "Message-ID", search_message_id]).each do |message_id|
envelope = imap.fetch(message_id, "ENVELOPE")[0].attr["ENVELOPE"]
puts "Id:\t#{envelope.message_id}"
puts "From:\t#{envelope.from[0].mailbox}##{envelope.from[0].host}"
puts "To:\t#{envelope.to[0].mailbox}##{envelope.to[0].host}"
puts "Subject:\t#{envelope.subject}"
end
imap.logout
imap.disconnect
You can change the above to search all sub-folders by doing:
folders = imap.list("", "*")
folders.each do |folder|
imap.select(folder.name)
imap.search # ...
end
I'm coding a web app using Laravel 4.1 and Postgresql as database.
The db is case sensitive, but i'd like to make it case insensitive because, i.e., when a user is logging he should be able to access using upper case or lower case email address (like in every other website). However the column for the hash of the password must be case sensitive because the encryption method i use generates case sensitive strings.
I'm using Eloquen ORM of Laravel so i don't write queries directly.
How can i solve this problem?
Thanks in advance!
A bit late, but this is pretty simple. Just use the "ILIKE" operator, e.g.
User::where("email", "ILIKE", $email)->get();
I had this exact problem- my solution was to pretend to be case-insensitive:
1) add one line in the relevant methods to make the entered email value lowercase
2) did a replacement in the database so that emails were lowercase
3) made sure that new emails come in as lowercase
Details:
1) The relevant methods* are core laravel code, so you override them with a new version that replaces the email value after validating the request:
$request['email'] = Str::lower($request['email']);
log in flow: postLogin function from AuthenticatesUsers trail, I added to AuthController.php postLogin
password reset flow: postEmail and postReset functions from ResetsPassword trail, I added them in PasswordController.php
2) update users set email = lower(email);
3) For me this is easy because I create all users myself (my site is just for family)- but you'd do something similar in the auth flow
Hope this helps!
We are using a query as follows:
FROM users u INNER JOIN FETCH u.roles where u.password='" + password + "'" + " AND u.username='" + username + "'";
To prevent sql-injection, we are using regular expression to filter "username" and only allow whitelist of characters such as "^[a-zA-Z0-9]*$" and for "password" field we are using the check such as,
if(password.indexOf("'") != -1) { Sql injection attack }
Is there any ways for attackers to bypass the checks we have used to launch successful sql-injection attack?
We are using MySql v5.1
Thanks,
Seeing as it seems the moderators don't approve of me telling you to improve your code, the answer is simply "Yes, there is a flaw in the above code".
on my website I have a comment section. I want to filter and validate the input before I store it in my database. If there are any invalid chars in the input the user gets the notice that his input is invalid.
My question, which chars are not allowed? e.g. I want to avoid sql injections
Tags are not allowed. How do I check that?
If you are using Zend_Db and parameterised queries (i.e.: $adapter->insert($tableName, array('param' => 'value'))) then it will automagically escape everything for you.
If however you want to further validate the user input, have a look at Zend_Validate and Zend_Filter
Also, if by "tags" you mean HTML tags, I wouldn't do anything to those on input but do make sure you properly escape / strip them on output (have a look at htmlspecialchars())
If you want to display an error message if the input contains HTML tags, and assuming $comment is the comment body, you could try:
if(strip_tags($comment) !== $comment) {
// It seems it contained some html tags
}