New Text for SQL Input article


Michael Howard
01-30-2001, 08:08 PM
There's a booboo in the wording of the most current Defense In Depth article
about user input. 100% my mistake!!

change the SQL text example to:

if (isPasswordOK(Request.form("name"), Request.form("pwd"))) {
    Response.write("Authenticated!");
    // Do stuff
} else {
    Response.write("Access Denied");
}

function isPasswordOK(strName, strPwd) {
    var fAllowLogon = false;
    var oConn = new ActiveXObject("ADODB.Connection");
    var strConnection = "Data Source=c:\\auth\\auth.mdb;";
    oConn.Open(strConnection);
    // The query text is built by concatenating the raw form values
    var strSQL = "SELECT count(*) FROM client WHERE " +
                 "name='" + strName + "' " +
                 " and pwd='" + strPwd + "'";
    var oRS = new ActiveXObject("ADODB.RecordSet");
    oRS.Open(strSQL, oConn);
    fAllowLogon = (oRS(0).Value > 0) ? true : false;
    oRS.Close();
    delete oRS;
    oConn.Close();
    delete oConn;
    return fAllowLogon;
}

vulnerable input includes:

name == b' or '1' = '1
pwd == b' or '1' = '1

which yields:

SELECT count(*)
FROM client
WHERE name='b' or '1'='1' and pwd='b' or '1'='1'

apologies for the inconvenience...
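As an added example (not code from the post or the article), here is the thread's concatenated query beside a parameterised ADODB.Command version of isPasswordOK; it assumes ADO's adVarChar/adParamInput/adCmdText values, a provider that accepts `?` placeholders (Jet does), and a `client(name, pwd)` table. When no ActiveXObject host is present, a constructed in-memory double stands in for ADODB.Command so the file can be run offline.

```javascript
// ADO constants (values as defined by ADO; assumption: an ASP/JScript host)
var adVarChar = 200, adParamInput = 1, adCmdText = 1;

// The thread's query builder, unchanged in substance: the user's input is
// spliced into the SQL text, so quotes in that input rewrite the WHERE clause.
function buildVulnerableSQL(strName, strPwd) {
  return "SELECT count(*) FROM client WHERE " +
         "name='" + strName + "' " +
         " and pwd='" + strPwd + "'";
}

// Constructed in-memory stand-in for ADODB.Command, used only when no
// ActiveXObject host exists (e.g. running this file under Node to try it out).
// It does what a real parameterised query does: compares bound values as data.
var CLIENT_TABLE = [{ name: "alice", pwd: "s3cret" }];   // constructed sample row
function FakeAdoCommand(progId) {
  if (progId !== "ADODB.Command") throw new Error("double supports ADODB.Command only");
  var params = [];
  this.Parameters = { Append: function (p) { params.push(p); } };
  this.CreateParameter = function (name, type, dir, size, value) {
    return { Name: name, Type: type, Direction: dir, Size: size, Value: value };
  };
  this.Execute = function () {
    var n = params[0].Value, p = params[1].Value, count = 0;
    CLIENT_TABLE.forEach(function (r) { if (r.name === n && r.pwd === p) count++; });
    return function (i) { return { Value: count }; };   // mimics oRS(0).Value
  };
}
var Ado = typeof ActiveXObject !== "undefined" ? ActiveXObject : FakeAdoCommand;

// Hardened replacement for the thread's isPasswordOK: placeholders in the text,
// values bound with CreateParameter, so the driver never re-parses the input.
function isPasswordOK(strName, strPwd, oConn) {
  var oCmd = new Ado("ADODB.Command");
  oCmd.ActiveConnection = oConn;   // an open ADODB.Connection (null for the double)
  oCmd.CommandType = adCmdText;
  oCmd.CommandText = "SELECT count(*) FROM client WHERE name=? and pwd=?";
  oCmd.Parameters.Append(oCmd.CreateParameter("name", adVarChar, adParamInput, 255, strName));
  oCmd.Parameters.Append(oCmd.CreateParameter("pwd", adVarChar, adParamInput, 255, strPwd));
  var oRS = oCmd.Execute();
  return oRS(0).Value > 0;
}

var INJECTED = "b' or '1' = '1";   // the input from the thread
console.log(buildVulnerableSQL(INJECTED, INJECTED));   // WHERE clause is now a tautology
console.log(isPasswordOK(INJECTED, INJECTED, null));   // false: compared as literal data
console.log(isPasswordOK("alice", "s3cret", null));    // true
```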

Eli Allen
01-30-2001, 10:06 PM
Shouldn't that line be changed to point to the file based on the location of
the ASP page? That way if someone sees the source it doesn't give them any
knowledge about how the server is set up.

Then again Access DBs aren't as secure as SQL so...
--
Eli Allen
eallen@bcpl.net

"Michael Howard" <mikehow@microsoft.com> wrote in message
news:3a77578c@news.devx.com...
> var strConnection="Data Source=c:\\auth\\auth.mdb;"

Michael Howard
02-02-2001, 05:39 PM
absolutely!! this is just a sample...!

"Eli Allen" <eallen@bcpl.net> wrote:
>Shouldn't that line be changed to point to the file based on the location of
>the ASP page? That way if someone sees the source it doesn't give them any
>knowledge about how the server is set up.
>
>Then again Access DBs aren't as secure as SQL so...
>--
>Eli Allen
>eallen@bcpl.net
>
>"Michael Howard" <mikehow@microsoft.com> wrote in message
>news:3a77578c@news.devx.com...
>> var strConnection="Data Source=c:\\auth\\auth.mdb;"