Hi all,

I'm pretty new to this but my login system is still allowing SQL Injection. I can type in the user name 'a'='a' and same for the password and it'll log me in. I was wondering if something is wrong with my stored procedure. Thanks for the advice.

SQL
CREATE PROCEDURE Admin_Login (IN  p_username VARCHAR(20),
                              IN  p_password VARCHAR(20),
                              OUT p_auth     CHAR(1))
LANGUAGE SQL
------------------------------------------------------------------------
-- SQL Stored Procedure
------------------------------------------------------------------------
P1: BEGIN

    DECLARE v_username VARCHAR(20);
    DECLARE v_password VARCHAR(20);
    DECLARE v_auth     CHAR(1) DEFAULT '0';   -- declared but not used below

    -- Look up the row whose e-mail and password both equal the inputs.
    -- If no row matches, v_username and v_password stay NULL.
    SELECT ADMIN_EMAIL,
           ADMIN_PASSWORD
    INTO   v_username,
           v_password
    FROM   ADMIN
    WHERE  ADMIN_EMAIL    = p_username
    AND    ADMIN_PASSWORD = p_password;

    -- A comparison against NULL is not true, so a missing row yields '0'.
    IF v_username = p_username AND v_password = p_password THEN
        SET p_auth = '1';
    ELSE
        SET p_auth = '0';
    END IF;

END P1
1 solution

First of all, why not simply check if a user exists with the current username and password using the EXISTS function?
SQL
IF EXISTS(SELECT ADMIN_EMAIL, ADMIN_PASSWORD FROM ADMIN WHERE ADMIN_EMAIL = p_username AND ADMIN_PASSWORD = p_password)
BEGIN
   -- User exists
END
ELSE
BEGIN
   -- User not found
END

Calling every user ADMIN seems kind of weird by the way...
Anyway, this would only work if you store passwords unencrypted! And that's never a good idea... Especially when you know you're vulnerable to SQL Injection! (Remind me never to create an account on any software you've written...).
Here's a good article about encrypting passwords: The Art & Science of Storing Passwords
You didn't specify any languages in your post, except SQL. But I think you can learn a lot from this article and most people are able to read C#, so I think you'll manage.
Hope it helps.
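Added example (not from the question, the answer, or CodeProject): a Python/SQLite stand-in for the question's ADMIN table that puts the injectable login pattern beside the parameterized, hashed-password version the answer points toward. Table and column names and the 'a'='a' input come from the question; the sample account, the PBKDF2 settings and the function names are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # PBKDF2 work factor; assumed value, not from the page


def hash_password(password, salt=None):
    """Return 'salt$digest' (hex) so ADMIN never stores a plaintext password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def make_db():
    """Constructed in-memory stand-in for the question's ADMIN table (SQLite)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE ADMIN (ADMIN_EMAIL TEXT, ADMIN_PASSWORD TEXT)")
    con.execute("INSERT INTO ADMIN VALUES (?, ?)",
                ("admin@example.com", hash_password("s3cret")))
    return con


def login_concatenated(con, username, password):
    """The pattern that lets 'a'='a' through: the question's WHERE clause with the
    inputs spliced into the query text, so a tautology makes it true for every row."""
    sql = ("SELECT ADMIN_EMAIL FROM ADMIN WHERE ADMIN_EMAIL = '" + username
           + "' AND ADMIN_PASSWORD = '" + password + "'")
    return con.execute(sql).fetchone() is not None


def login_parameterized(con, username, password):
    """Hardened form: the username travels as a bound parameter, never as SQL text,
    and the password is checked against the salted hash in application code."""
    row = con.execute("SELECT ADMIN_PASSWORD FROM ADMIN WHERE ADMIN_EMAIL = ?",
                      (username,)).fetchone()
    return row is not None and verify_password(password, row[0])
```

Hashing the stored password does not by itself stop the concatenated query from matching on the tautology; only the bound parameter does, which is why both changes are needed.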
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)