Email password script

P

Paul M

Hi
First of all thankyou Thomas and Stefan for helping with the sql injection
on password protecting pages I have now solved it. But I have found another
security issue
The script below sends a user there username and password to there email.
How can I add some serverside script to stop any sql injection attacking the
database from this angle
Thanks Paul M

This is above the head
<%@ LANGUAGE="VBSCRIPT" %>
<% Option Explicit %>
<%
Dim DATA_PATH, objDC, objRS, email, user, pass, sendmail
'Maps to database. Change to your database path.
DATA_PATH=Server.Mappath("fpdb/databasesearch.mdb")
' Create and establish data connection
Set objDC = Server.CreateObject("ADODB.Connection")
objDC.ConnectionTimeout = 15
objDC.CommandTimeout = 30
objDC.Open "DBQ=" & DATA_PATH & ";Driver={Microsoft Access Driver (*.mdb)};
DriverId=25;MaxBufferSize=8192;Threads=20;", "admin", "password"
Set objRS = Server.CreateObject("ADODB.Recordset")
email=request.form("email")
'you may need to adjust this to suit your database
objRS.Open "SELECT * FROM Results WHERE email = '" & email & "'", objDC, 0,
1
%>

and this is in the body

'checks if email address exists in the database before sending a message.
if objrs.EOF then
%>
<B><font face="Arial" size="2" color="red">Sorry<br>
We can't find this email address <%=email%>. If you are
sure the email address is correct
please contact us for assistance, or click the back
button
to correct it . </font></B>
<% Else %>
<%
'sets variables
email = request.form("email")
'chooses username and password from database that correspond to submitted
email address.
user = objrs.Fields("user_name")
pass = objrs.Fields("pass_word")
Set sendmail = Server.CreateObject("CDONTS.NewMail")
'put the webmaster address here
sendmail.From = "(e-mail address removed)"
'The mail is sent to the address entered in the previous page.
sendmail.To = email
'Enter the subject of your mail here
sendmail.Subject = "The marketing for Good Login Information You Requested"
'This is the content of thr message.
sendmail.Body = "Hi. Here are your login details needed to search for
Projects in the Database." & vbCrlf & vbCrlf _
& "Username=" & user & vbCrlf _
& "Password=" & pass & vbCrlf
'this sets mail priority.... 0=low 1=normal 2=high
sendmail.Importance = 2
sendmail.Send
%><font face="Arial" size="2" color="#808080">
Your login information has been mailed to
<%=email%>.<br>
You should receive it shortly.
<%
' Close Data Access Objects and free DB variables
objDC.Close
Set objRS = Nothing
Set objDC = Nothing
Set sendmail = Nothing
%>
<%end if%>
 
P

Paul M

Have I solved it Thomas
I have modified a line of code you gave me
email=request.form("email") with yours email =
Trim(Replace(Request.Form("email"), "'", "''"))
Now when I input ' or 'a'='a into the enter email field I get a message
saying We can't find this email address '' or ''a''=''a. when I used to
get a message saying we have email your info to ' or 'a'='a
so I presume this means that your code is working here
Paul M
 
T

Thomas A. Rowe

Make sure that you are not using the email address entered for validation to actually send the login
info to, only use the email address that you retrieve from the database to actually send the email.

--
==============================================
Thomas A. Rowe (Microsoft MVP - FrontPage)
==============================================
If you feel your current issue is a results of installing
a Service Pack or security update, please contact
Microsoft Product Support Services:
http://support.microsoft.com
If the problem can be shown to have been caused by a
security update, then there is usually no charge for the call.
==============================================
 
P

Paul M

Thanks Thomas
Can you see where the email to send is coming from in my original post?
Paul M
 
T

Thomas A. Rowe

Yes, the script is using the email address enter by the user on the form, this needs to be change to
use the email address from the database.


email = request.form("email")
'chooses username and password from database that correspond to
submitted email address.
user = objrs.Fields("user_name")
pass = objrs.Fields("pass_word")

change to:

email = objrs.Fields("email")
'chooses username and password from database that correspond to
submitted email address.
user = objrs.Fields("user_name")
pass = objrs.Fields("pass_word")


==============================================
Thomas A. Rowe (Microsoft MVP - FrontPage)
==============================================
If you feel your current issue is a results of installing
a Service Pack or security update, please contact
Microsoft Product Support Services:
http://support.microsoft.com
If the problem can be shown to have been caused by a
security update, then there is usually no charge for the call.
==============================================
 
S

Stefan B Rusynko

PS
Paul should also definitely change the DB user/pwrd from the defaults to something more complex

Right now the DB is "protected" by the silly defaults of "admin", "password" in:

objDC.Open "DBQ=" & DATA_PATH & ";Driver={Microsoft Access Driver (*.mdb)}; DriverId=25;MaxBufferSize=8192;Threads=20;", "admin",
"password"




| Yes, the script is using the email address enter by the user on the form, this needs to be change to
| use the email address from the database.
|
|
| email = request.form("email")
| 'chooses username and password from database that correspond to
| submitted email address.
| user = objrs.Fields("user_name")
| pass = objrs.Fields("pass_word")
|
| change to:
|
| email = objrs.Fields("email")
| 'chooses username and password from database that correspond to
| submitted email address.
| user = objrs.Fields("user_name")
| pass = objrs.Fields("pass_word")
|
|
| ==============================================
| Thomas A. Rowe (Microsoft MVP - FrontPage)
| ==============================================
| If you feel your current issue is a results of installing
| a Service Pack or security update, please contact
| Microsoft Product Support Services:
| http://support.microsoft.com
| If the problem can be shown to have been caused by a
| security update, then there is usually no charge for the call.
| ==============================================
|
| > Thanks Thomas
| > Can you see where the email to send is coming from in my original post?
| > Paul M
| >> Have I solved it Thomas
| >> I have modified a line of code you gave me
| >> email=request.form("email") with yours email = Trim(Replace(Request.Form("email"), "'",
| >> "''"))
| >> Now when I input ' or 'a'='a into the enter email field I get a message saying We can't find
| >> this email address '' or ''a''=''a. when I used to get a message saying we have email your info
| >> to ' or 'a'='a
| >> so I presume this means that your code is working here
| >> Paul M
| >>
| >> | >>> Hi
| >>> First of all thankyou Thomas and Stefan for helping with the sql injection on password
| >>> protecting pages I have now solved it. But I have found another security issue
| >>> The script below sends a user there username and password to there email.
| >>> How can I add some serverside script to stop any sql injection attacking the database from this
| >>> angle
| >>> Thanks Paul M
| >>>
| >>> This is above the head
| >>> <%@ LANGUAGE="VBSCRIPT" %>
| >>> <% Option Explicit %>
| >>> <%
| >>> Dim DATA_PATH, objDC, objRS, email, user, pass, sendmail
| >>> 'Maps to database. Change to your database path.
| >>> DATA_PATH=Server.Mappath("fpdb/databasesearch.mdb")
| >>> ' Create and establish data connection
| >>> Set objDC = Server.CreateObject("ADODB.Connection")
| >>> objDC.ConnectionTimeout = 15
| >>> objDC.CommandTimeout = 30
| >>> objDC.Open "DBQ=" & DATA_PATH & ";Driver={Microsoft Access Driver (*.mdb)};
| >>> DriverId=25;MaxBufferSize=8192;Threads=20;", "admin", "password"
| >>> Set objRS = Server.CreateObject("ADODB.Recordset")
| >>> email=request.form("email")
| >>> 'you may need to adjust this to suit your database
| >>> objRS.Open "SELECT * FROM Results WHERE email = '" & email & "'", objDC, 0, 1
| >>> %>
| >>>
| >>> and this is in the body
| >>>
| >>> 'checks if email address exists in the database before sending a message.
| >>> if objrs.EOF then
| >>> %>
| >>> <B><font face="Arial" size="2" color="red">Sorry<br>
| >>> We can't find this email address <%=email%>. If you are sure the email
| >>> address is correct
| >>> please contact us for assistance, or click the back button
| >>> to correct it . </font></B>
| >>> <% Else %>
| >>> <%
| >>> 'sets variables
| >>> email = request.form("email")
| >>> 'chooses username and password from database that correspond to submitted email address.
| >>> user = objrs.Fields("user_name")
| >>> pass = objrs.Fields("pass_word")
| >>> Set sendmail = Server.CreateObject("CDONTS.NewMail")
| >>> 'put the webmaster address here
| >>> sendmail.From = "(e-mail address removed)"
| >>> 'The mail is sent to the address entered in the previous page.
| >>> sendmail.To = email
| >>> 'Enter the subject of your mail here
| >>> sendmail.Subject = "The marketing for Good Login Information You Requested"
| >>> 'This is the content of thr message.
| >>> sendmail.Body = "Hi. Here are your login details needed to search for Projects in the Database."
| >>> & vbCrlf & vbCrlf _
| >>> & "Username=" & user & vbCrlf _
| >>> & "Password=" & pass & vbCrlf
| >>> 'this sets mail priority.... 0=low 1=normal 2=high
| >>> sendmail.Importance = 2
| >>> sendmail.Send
| >>> %><font face="Arial" size="2" color="#808080">
| >>> Your login information has been mailed to <%=email%>.<br>
| >>> You should receive it shortly.
| >>> <%
| >>> ' Close Data Access Objects and free DB variables
| >>> objDC.Close
| >>> Set objRS = Nothing
| >>> Set objDC = Nothing
| >>> Set sendmail = Nothing
| >>> %>
| >>> <%end if%>
| >>>
| >>>
| >>>
| >>>
| >>>
| >>
| >>
| >
| >
|
|
 
P

Paul M

Thanks Stefan
So can I just change them to something else in this one place ie
objDC.Open "DBQ=" & DATA_PATH & ";Driver={Microsoft Access Driver (*.mdb)};
DriverId=25;MaxBufferSize=8192;Threads=20;", "some word", "some word"

or do I have to change them somewhere else as well
Paul M
 
S

Stefan B Rusynko

You can only change it to a valid User Name/Group and Password as set in the DB in Access under Tools Security

The user "admin" is the default User for User Group "admins"
The password "password" is the default one for the admin user

Therefore, if you are going to use it at all, create a new user and strong password
-





| Thanks Stefan
| So can I just change them to something else in this one place ie
| objDC.Open "DBQ=" & DATA_PATH & ";Driver={Microsoft Access Driver (*.mdb)};
| DriverId=25;MaxBufferSize=8192;Threads=20;", "some word", "some word"
|
| or do I have to change them somewhere else as well
| Paul M
|
|
| | > PS
| > Paul should also definitely change the DB user/pwrd from the defaults to
| > something more complex
| >
| > Right now the DB is "protected" by the silly defaults of "admin",
| > "password" in:
| >
| > objDC.Open "DBQ=" & DATA_PATH & ";Driver={Microsoft Access Driver
| > (*.mdb)}; DriverId=25;MaxBufferSize=8192;Threads=20;", "admin",
| > "password"
| >
| > --
| >
| > _____________________________________________
| > SBR @ ENJOY (-: [ Microsoft MVP - FrontPage ]
| > "Warning - Using the F1 Key will not break anything!" (-;
| > To find the best Newsgroup for FrontPage support see:
| > http://www.net-sites.com/sitebuilder/newsgroups.asp
| > _____________________________________________
| >
| >
| > | > | Yes, the script is using the email address enter by the user on the
| > form, this needs to be change to
| > | use the email address from the database.
| > |
| > |
| > | email = request.form("email")
| > | 'chooses username and password from database that correspond to
| > | submitted email address.
| > | user = objrs.Fields("user_name")
| > | pass = objrs.Fields("pass_word")
| > |
| > | change to:
| > |
| > | email = objrs.Fields("email")
| > | 'chooses username and password from database that correspond to
| > | submitted email address.
| > | user = objrs.Fields("user_name")
| > | pass = objrs.Fields("pass_word")
| > |
| > |
| > | ==============================================
| > | Thomas A. Rowe (Microsoft MVP - FrontPage)
| > | ==============================================
| > | If you feel your current issue is a results of installing
| > | a Service Pack or security update, please contact
| > | Microsoft Product Support Services:
| > | http://support.microsoft.com
| > | If the problem can be shown to have been caused by a
| > | security update, then there is usually no charge for the call.
| > | ==============================================
| > |
| > | > | > Thanks Thomas
| > | > Can you see where the email to send is coming from in my original
| > post?
| > | > Paul M
| > | > | >> Have I solved it Thomas
| > | >> I have modified a line of code you gave me
| > | >> email=request.form("email") with yours email =
| > Trim(Replace(Request.Form("email"), "'",
| > | >> "''"))
| > | >> Now when I input ' or 'a'='a into the enter email field I get a
| > message saying We can't find
| > | >> this email address '' or ''a''=''a. when I used to get a message
| > saying we have email your info
| > | >> to ' or 'a'='a
| > | >> so I presume this means that your code is working here
| > | >> Paul M
| > | >>
| > | >> | > | >>> Hi
| > | >>> First of all thankyou Thomas and Stefan for helping with the sql
| > injection on password
| > | >>> protecting pages I have now solved it. But I have found another
| > security issue
| > | >>> The script below sends a user there username and password to there
| > email.
| > | >>> How can I add some serverside script to stop any sql injection
| > attacking the database from this
| > | >>> angle
| > | >>> Thanks Paul M
| > | >>>
| > | >>> This is above the head
| > | >>> <%@ LANGUAGE="VBSCRIPT" %>
| > | >>> <% Option Explicit %>
| > | >>> <%
| > | >>> Dim DATA_PATH, objDC, objRS, email, user, pass, sendmail
| > | >>> 'Maps to database. Change to your database path.
| > | >>> DATA_PATH=Server.Mappath("fpdb/databasesearch.mdb")
| > | >>> ' Create and establish data connection
| > | >>> Set objDC = Server.CreateObject("ADODB.Connection")
| > | >>> objDC.ConnectionTimeout = 15
| > | >>> objDC.CommandTimeout = 30
| > | >>> objDC.Open "DBQ=" & DATA_PATH & ";Driver={Microsoft Access Driver
| > (*.mdb)};
| > | >>> DriverId=25;MaxBufferSize=8192;Threads=20;", "admin", "password"
| > | >>> Set objRS = Server.CreateObject("ADODB.Recordset")
| > | >>> email=request.form("email")
| > | >>> 'you may need to adjust this to suit your database
| > | >>> objRS.Open "SELECT * FROM Results WHERE email = '" & email & "'",
| > objDC, 0, 1
| > | >>> %>
| > | >>>
| > | >>> and this is in the body
| > | >>>
| > | >>> 'checks if email address exists in the database before sending a
| > message.
| > | >>> if objrs.EOF then
| > | >>> %>
| > | >>> <B><font face="Arial" size="2"
| > color="red">Sorry<br>
| > | >>> We can't find this email address <%=email%>. If
| > you are sure the email
| > | >>> address is correct
| > | >>> please contact us for assistance, or click the
| > back button
| > | >>> to correct it . </font></B>
| > | >>> <% Else %>
| > | >>> <%
| > | >>> 'sets variables
| > | >>> email = request.form("email")
| > | >>> 'chooses username and password from database that correspond to
| > submitted email address.
| > | >>> user = objrs.Fields("user_name")
| > | >>> pass = objrs.Fields("pass_word")
| > | >>> Set sendmail = Server.CreateObject("CDONTS.NewMail")
| > | >>> 'put the webmaster address here
| > | >>> sendmail.From = "(e-mail address removed)"
| > | >>> 'The mail is sent to the address entered in the previous page.
| > | >>> sendmail.To = email
| > | >>> 'Enter the subject of your mail here
| > | >>> sendmail.Subject = "The marketing for Good Login Information You
| > Requested"
| > | >>> 'This is the content of thr message.
| > | >>> sendmail.Body = "Hi. Here are your login details needed to search
| > for Projects in the Database."
| > | >>> & vbCrlf & vbCrlf _
| > | >>> & "Username=" & user & vbCrlf _
| > | >>> & "Password=" & pass & vbCrlf
| > | >>> 'this sets mail priority.... 0=low 1=normal 2=high
| > | >>> sendmail.Importance = 2
| > | >>> sendmail.Send
| > | >>> %><font face="Arial" size="2" color="#808080">
| > | >>> Your login information has been mailed to
| > <%=email%>.<br>
| > | >>> You should receive it shortly.
| > | >>> <%
| > | >>> ' Close Data Access Objects and free DB variables
| > | >>> objDC.Close
| > | >>> Set objRS = Nothing
| > | >>> Set objDC = Nothing
| > | >>> Set sendmail = Nothing
| > | >>> %>
| > | >>> <%end if%>
| > | >>>
| > | >>>
| > | >>>
| > | >>>
| > | >>>
| > | >>
| > | >>
| > | >
| > | >
| > |
| > |
| >
| >
|
|
 
P

Paul M

Thanks Stefan
This line confuses me a bit because when I use the DRW DIW it doesn't ask
for this info. what are the implications of not using it
Paul M
Stefan B Rusynko said:
You can only change it to a valid User Name/Group and Password as set in
the DB in Access under Tools Security

The user "admin" is the default User for User Group "admins"
The password "password" is the default one for the admin user

Therefore, if you are going to use it at all, create a new user and strong
password
-





| Thanks Stefan
| So can I just change them to something else in this one place ie
| objDC.Open "DBQ=" & DATA_PATH & ";Driver={Microsoft Access Driver
(*.mdb)};
| DriverId=25;MaxBufferSize=8192;Threads=20;", "some word", "some word"
|
| or do I have to change them somewhere else as well
| Paul M
|
|
| | > PS
| > Paul should also definitely change the DB user/pwrd from the defaults
to
| > something more complex
| >
| > Right now the DB is "protected" by the silly defaults of "admin",
| > "password" in:
| >
| > objDC.Open "DBQ=" & DATA_PATH & ";Driver={Microsoft Access Driver
| > (*.mdb)}; DriverId=25;MaxBufferSize=8192;Threads=20;", "admin",
| > "password"
| >
| > --
| >
| > _____________________________________________
| > SBR @ ENJOY (-: [ Microsoft MVP - FrontPage ]
| > "Warning - Using the F1 Key will not break anything!" (-;
| > To find the best Newsgroup for FrontPage support see:
| > http://www.net-sites.com/sitebuilder/newsgroups.asp
| > _____________________________________________
| >
| >
| > | > | Yes, the script is using the email address enter by the user on the
| > form, this needs to be change to
| > | use the email address from the database.
| > |
| > |
| > | email = request.form("email")
| > | 'chooses username and password from database that correspond to
| > | submitted email address.
| > | user = objrs.Fields("user_name")
| > | pass = objrs.Fields("pass_word")
| > |
| > | change to:
| > |
| > | email = objrs.Fields("email")
| > | 'chooses username and password from database that correspond to
| > | submitted email address.
| > | user = objrs.Fields("user_name")
| > | pass = objrs.Fields("pass_word")
| > |
| > |
| > | ==============================================
| > | Thomas A. Rowe (Microsoft MVP - FrontPage)
| > | ==============================================
| > | If you feel your current issue is a results of installing
| > | a Service Pack or security update, please contact
| > | Microsoft Product Support Services:
| > | http://support.microsoft.com
| > | If the problem can be shown to have been caused by a
| > | security update, then there is usually no charge for the call.
| > | ==============================================
| > |
| > | > | > Thanks Thomas
| > | > Can you see where the email to send is coming from in my original
| > post?
| > | > Paul M
| > | > | >> Have I solved it Thomas
| > | >> I have modified a line of code you gave me
| > | >> email=request.form("email") with yours email =
| > Trim(Replace(Request.Form("email"), "'",
| > | >> "''"))
| > | >> Now when I input ' or 'a'='a into the enter email field I get
a
| > message saying We can't find
| > | >> this email address '' or ''a''=''a. when I used to get a
message
| > saying we have email your info
| > | >> to ' or 'a'='a
| > | >> so I presume this means that your code is working here
| > | >> Paul M
| > | >>
| > | >> | > | >>> Hi
| > | >>> First of all thankyou Thomas and Stefan for helping with the sql
| > injection on password
| > | >>> protecting pages I have now solved it. But I have found another
| > security issue
| > | >>> The script below sends a user there username and password to
there
| > email.
| > | >>> How can I add some serverside script to stop any sql injection
| > attacking the database from this
| > | >>> angle
| > | >>> Thanks Paul M
| > | >>>
| > | >>> This is above the head
| > | >>> <%@ LANGUAGE="VBSCRIPT" %>
| > | >>> <% Option Explicit %>
| > | >>> <%
| > | >>> Dim DATA_PATH, objDC, objRS, email, user, pass, sendmail
| > | >>> 'Maps to database. Change to your database path.
| > | >>> DATA_PATH=Server.Mappath("fpdb/databasesearch.mdb")
| > | >>> ' Create and establish data connection
| > | >>> Set objDC = Server.CreateObject("ADODB.Connection")
| > | >>> objDC.ConnectionTimeout = 15
| > | >>> objDC.CommandTimeout = 30
| > | >>> objDC.Open "DBQ=" & DATA_PATH & ";Driver={Microsoft Access
Driver
| > (*.mdb)};
| > | >>> DriverId=25;MaxBufferSize=8192;Threads=20;", "admin", "password"
| > | >>> Set objRS = Server.CreateObject("ADODB.Recordset")
| > | >>> email=request.form("email")
| > | >>> 'you may need to adjust this to suit your database
| > | >>> objRS.Open "SELECT * FROM Results WHERE email = '" & email &
"'",
| > objDC, 0, 1
| > | >>> %>
| > | >>>
| > | >>> and this is in the body
| > | >>>
| > | >>> 'checks if email address exists in the database before sending a
| > message.
| > | >>> if objrs.EOF then
| > | >>> %>
| > | >>> <B><font face="Arial" size="2"
| > color="red">Sorry<br>
| > | >>> We can't find this email address <%=email%>.
If
| > you are sure the email
| > | >>> address is correct
| > | >>> please contact us for assistance, or click
the
| > back button
| > | >>> to correct it . </font></B>
| > | >>> <% Else %>
| > | >>> <%
| > | >>> 'sets variables
| > | >>> email = request.form("email")
| > | >>> 'chooses username and password from database that correspond
to
| > submitted email address.
| > | >>> user = objrs.Fields("user_name")
| > | >>> pass = objrs.Fields("pass_word")
| > | >>> Set sendmail = Server.CreateObject("CDONTS.NewMail")
| > | >>> 'put the webmaster address here
| > | >>> sendmail.From = "(e-mail address removed)"
| > | >>> 'The mail is sent to the address entered in the previous page.
| > | >>> sendmail.To = email
| > | >>> 'Enter the subject of your mail here
| > | >>> sendmail.Subject = "The marketing for Good Login Information You
| > Requested"
| > | >>> 'This is the content of thr message.
| > | >>> sendmail.Body = "Hi. Here are your login details needed to
search
| > for Projects in the Database."
| > | >>> & vbCrlf & vbCrlf _
| > | >>> & "Username=" & user & vbCrlf _
| > | >>> & "Password=" & pass & vbCrlf
| > | >>> 'this sets mail priority.... 0=low 1=normal 2=high
| > | >>> sendmail.Importance = 2
| > | >>> sendmail.Send
| > | >>> %><font face="Arial" size="2" color="#808080">
| > | >>> Your login information has been mailed to
| > <%=email%>.<br>
| > | >>> You should receive it shortly.
| > | >>> <%
| > | >>> ' Close Data Access Objects and free DB variables
| > | >>> objDC.Close
| > | >>> Set objRS = Nothing
| > | >>> Set objDC = Nothing
| > | >>> Set sendmail = Nothing
| > | >>> %>
| > | >>> <%end if%>
| > | >>>
| > | >>>
| > | >>>
| > | >>>
| > | >>>
| > | >>
| > | >>
| > | >
| > | >
| > |
| > |
| >
| >
|
|
Click to expand...
 
S

Stefan B Rusynko

Nothing,
- just don't believe it is "protecting" anything




| Thanks Stefan
| This line confuses me a bit because when I use the DRW DIW it doesn't ask
| for this info. what are the implications of not using it
| Paul M
| | > You can only change it to a valid User Name/Group and Password as set in
| > the DB in Access under Tools Security
| >
| > The user "admin" is the default User for User Group "admins"
| > The password "password" is the default one for the admin user
| >
| > Therefore, if you are going to use it at all, create a new user and strong
| > password
| > -
| >
| >
| > --
| >
| > _____________________________________________
| > SBR @ ENJOY (-: [ Microsoft MVP - FrontPage ]
| > "Warning - Using the F1 Key will not break anything!" (-;
| > To find the best Newsgroup for FrontPage support see:
| > http://www.net-sites.com/sitebuilder/newsgroups.asp
| > _____________________________________________
| >
| >
| > | > | Thanks Stefan
| > | So can I just change them to something else in this one place ie
| > | objDC.Open "DBQ=" & DATA_PATH & ";Driver={Microsoft Access Driver
| > (*.mdb)};
| > | DriverId=25;MaxBufferSize=8192;Threads=20;", "some word", "some word"
| > |
| > | or do I have to change them somewhere else as well
| > | Paul M
| > |
| > |
| > | | > | > PS
| > | > Paul should also definitely change the DB user/pwrd from the defaults
| > to
| > | > something more complex
| > | >
| > | > Right now the DB is "protected" by the silly defaults of "admin",
| > | > "password" in:
| > | >
| > | > objDC.Open "DBQ=" & DATA_PATH & ";Driver={Microsoft Access Driver
| > | > (*.mdb)}; DriverId=25;MaxBufferSize=8192;Threads=20;", "admin",
| > | > "password"
| > | >
| > | > --
| > | >
| > | > _____________________________________________
| > | > SBR @ ENJOY (-: [ Microsoft MVP - FrontPage ]
| > | > "Warning - Using the F1 Key will not break anything!" (-;
| > | > To find the best Newsgroup for FrontPage support see:
| > | > http://www.net-sites.com/sitebuilder/newsgroups.asp
| > | > _____________________________________________
| > | >
| > | >
| > | > | > | > | Yes, the script is using the email address enter by the user on the
| > | > form, this needs to be change to
| > | > | use the email address from the database.
| > | > |
| > | > |
| > | > | email = request.form("email")
| > | > | 'chooses username and password from database that correspond to
| > | > | submitted email address.
| > | > | user = objrs.Fields("user_name")
| > | > | pass = objrs.Fields("pass_word")
| > | > |
| > | > | change to:
| > | > |
| > | > | email = objrs.Fields("email")
| > | > | 'chooses username and password from database that correspond to
| > | > | submitted email address.
| > | > | user = objrs.Fields("user_name")
| > | > | pass = objrs.Fields("pass_word")
| > | > |
| > | > |
| > | > | ==============================================
| > | > | Thomas A. Rowe (Microsoft MVP - FrontPage)
| > | > | ==============================================
| > | > | If you feel your current issue is a results of installing
| > | > | a Service Pack or security update, please contact
| > | > | Microsoft Product Support Services:
| > | > | http://support.microsoft.com
| > | > | If the problem can be shown to have been caused by a
| > | > | security update, then there is usually no charge for the call.
| > | > | ==============================================
| > | > |
| > | > | > | > | > Thanks Thomas
| > | > | > Can you see where the email to send is coming from in my original
| > | > post?
| > | > | > Paul M
| > | > | > | > | >> Have I solved it Thomas
| > | > | >> I have modified a line of code you gave me
| > | > | >> email=request.form("email") with yours email =
| > | > Trim(Replace(Request.Form("email"), "'",
| > | > | >> "''"))
| > | > | >> Now when I input ' or 'a'='a into the enter email field I get
| > a
| > | > message saying We can't find
| > | > | >> this email address '' or ''a''=''a. when I used to get a
| > message
| > | > saying we have email your info
| > | > | >> to ' or 'a'='a
| > | > | >> so I presume this means that your code is working here
| > | > | >> Paul M
| > | > | >>
| > | > | >> | > | > | >>> Hi
| > | > | >>> First of all thankyou Thomas and Stefan for helping with the sql
| > | > injection on password
| > | > | >>> protecting pages I have now solved it. But I have found another
| > | > security issue
| > | > | >>> The script below sends a user there username and password to
| > there
| > | > email.
| > | > | >>> How can I add some serverside script to stop any sql injection
| > | > attacking the database from this
| > | > | >>> angle
| > | > | >>> Thanks Paul M
| > | > | >>>
| > | > | >>> This is above the head
| > | > | >>> <%@ LANGUAGE="VBSCRIPT" %>
| > | > | >>> <% Option Explicit %>
| > | > | >>> <%
| > | > | >>> Dim DATA_PATH, objDC, objRS, email, user, pass, sendmail
| > | > | >>> 'Maps to database. Change to your database path.
| > | > | >>> DATA_PATH=Server.Mappath("fpdb/databasesearch.mdb")
| > | > | >>> ' Create and establish data connection
| > | > | >>> Set objDC = Server.CreateObject("ADODB.Connection")
| > | > | >>> objDC.ConnectionTimeout = 15
| > | > | >>> objDC.CommandTimeout = 30
| > | > | >>> objDC.Open "DBQ=" & DATA_PATH & ";Driver={Microsoft Access
| > Driver
| > | > (*.mdb)};
| > | > | >>> DriverId=25;MaxBufferSize=8192;Threads=20;", "admin", "password"
| > | > | >>> Set objRS = Server.CreateObject("ADODB.Recordset")
| > | > | >>> email=request.form("email")
| > | > | >>> 'you may need to adjust this to suit your database
| > | > | >>> objRS.Open "SELECT * FROM Results WHERE email = '" & email &
| > "'",
| > | > objDC, 0, 1
| > | > | >>> %>
| > | > | >>>
| > | > | >>> and this is in the body
| > | > | >>>
| > | > | >>> 'checks if email address exists in the database before sending a
| > | > message.
| > | > | >>> if objrs.EOF then
| > | > | >>> %>
| > | > | >>> <B><font face="Arial" size="2"
| > | > color="red">Sorry<br>
| > | > | >>> We can't find this email address <%=email%>.
| > If
| > | > you are sure the email
| > | > | >>> address is correct
| > | > | >>> please contact us for assistance, or click
| > the
| > | > back button
| > | > | >>> to correct it . </font></B>
| > | > | >>> <% Else %>
| > | > | >>> <%
| > | > | >>> 'sets variables
| > | > | >>> email = request.form("email")
| > | > | >>> 'chooses username and password from database that correspond
| > to
| > | > submitted email address.
| > | > | >>> user = objrs.Fields("user_name")
| > | > | >>> pass = objrs.Fields("pass_word")
| > | > | >>> Set sendmail = Server.CreateObject("CDONTS.NewMail")
| > | > | >>> 'put the webmaster address here
| > | > | >>> sendmail.From = "(e-mail address removed)"
| > | > | >>> 'The mail is sent to the address entered in the previous page.
| > | > | >>> sendmail.To = email
| > | > | >>> 'Enter the subject of your mail here
| > | > | >>> sendmail.Subject = "The marketing for Good Login Information You
| > | > Requested"
| > | > | >>> 'This is the content of thr message.
| > | > | >>> sendmail.Body = "Hi. Here are your login details needed to
| > search
| > | > for Projects in the Database."
| > | > | >>> & vbCrlf & vbCrlf _
| > | > | >>> & "Username=" & user & vbCrlf _
| > | > | >>> & "Password=" & pass & vbCrlf
| > | > | >>> 'this sets mail priority.... 0=low 1=normal 2=high
| > | > | >>> sendmail.Importance = 2
| > | > | >>> sendmail.Send
| > | > | >>> %><font face="Arial" size="2" color="#808080">
| > | > | >>> Your login information has been mailed to
| > | > <%=email%>.<br>
| > | > | >>> You should receive it shortly.
| > | > | >>> <%
| > | > | >>> ' Close Data Access Objects and free DB variables
| > | > | >>> objDC.Close
| > | > | >>> Set objRS = Nothing
| > | > | >>> Set objDC = Nothing
| > | > | >>> Set sendmail = Nothing
| > | > | >>> %>
| > | > | >>> <%end if%>
| > | > | >>>
| > | > | >>>
| > | > | >>>
| > | > | >>>
| > | > | >>>
| > | > | >>
| > | > | >>
| > | > | >
| > | > | >
| > | > |
| > | > |
| > | >
| > | >
| > |
| > |
| >
| >
|
|
 
P

Paul M

Thanks Stefan
Best wishes
Paul M
Stefan B Rusynko said:
Nothing,
- just don't believe it is "protecting" anything




| Thanks Stefan
| This line confuses me a bit because when I use the DRW DIW it doesn't
ask
| for this info. what are the implications of not using it
| Paul M
| | > You can only change it to a valid User Name/Group and Password as set
in
| > the DB in Access under Tools Security
| >
| > The user "admin" is the default User for User Group "admins"
| > The password "password" is the default one for the admin user
| >
| > Therefore, if you are going to use it at all, create a new user and
strong
| > password
| > -
| >
| >
| > --
| >
| > _____________________________________________
| > SBR @ ENJOY (-: [ Microsoft MVP - FrontPage ]
| > "Warning - Using the F1 Key will not break anything!" (-;
| > To find the best Newsgroup for FrontPage support see:
| > http://www.net-sites.com/sitebuilder/newsgroups.asp
| > _____________________________________________
| >
| >
| > | > | Thanks Stefan
| > | So can I just change them to something else in this one place ie
| > | objDC.Open "DBQ=" & DATA_PATH & ";Driver={Microsoft Access Driver
| > (*.mdb)};
| > | DriverId=25;MaxBufferSize=8192;Threads=20;", "some word", "some
word"
| > |
| > | or do I have to change them somewhere else as well
| > | Paul M
| > |
| > |
| > | | > | > PS
| > | > Paul should also definitely change the DB user/pwrd from the
defaults
| > to
| > | > something more complex
| > | >
| > | > Right now the DB is "protected" by the silly defaults of "admin",
| > | > "password" in:
| > | >
| > | > objDC.Open "DBQ=" & DATA_PATH & ";Driver={Microsoft Access Driver
| > | > (*.mdb)}; DriverId=25;MaxBufferSize=8192;Threads=20;", "admin",
| > | > "password"
| > | >
| > | > --
| > | >
| > | > _____________________________________________
| > | > SBR @ ENJOY (-: [ Microsoft MVP - FrontPage ]
| > | > "Warning - Using the F1 Key will not break anything!" (-;
| > | > To find the best Newsgroup for FrontPage support see:
| > | > http://www.net-sites.com/sitebuilder/newsgroups.asp
| > | > _____________________________________________
| > | >
| > | >
| > | > | > | > | Yes, the script is using the email address enter by the user on
the
| > | > form, this needs to be change to
| > | > | use the email address from the database.
| > | > |
| > | > |
| > | > | email = request.form("email")
| > | > | 'chooses username and password from database that correspond to
| > | > | submitted email address.
| > | > | user = objrs.Fields("user_name")
| > | > | pass = objrs.Fields("pass_word")
| > | > |
| > | > | change to:
| > | > |
| > | > | email = objrs.Fields("email")
| > | > | 'chooses username and password from database that correspond to
| > | > | submitted email address.
| > | > | user = objrs.Fields("user_name")
| > | > | pass = objrs.Fields("pass_word")
| > | > |
| > | > |
| > | > | ==============================================
| > | > | Thomas A. Rowe (Microsoft MVP - FrontPage)
| > | > | ==============================================
| > | > | If you feel your current issue is a results of installing
| > | > | a Service Pack or security update, please contact
| > | > | Microsoft Product Support Services:
| > | > | http://support.microsoft.com
| > | > | If the problem can be shown to have been caused by a
| > | > | security update, then there is usually no charge for the call.
| > | > | ==============================================
| > | > |
| > | > | > | > | > Thanks Thomas
| > | > | > Can you see where the email to send is coming from in my
original
| > | > post?
| > | > | > Paul M
| > | > | > | > | >> Have I solved it Thomas
| > | > | >> I have modified a line of code you gave me
| > | > | >> email=request.form("email") with yours email =
| > | > Trim(Replace(Request.Form("email"), "'",
| > | > | >> "''"))
| > | > | >> Now when I input ' or 'a'='a into the enter email field I
get
| > a
| > | > message saying We can't find
| > | > | >> this email address '' or ''a''=''a. when I used to get a
| > message
| > | > saying we have email your info
| > | > | >> to ' or 'a'='a
| > | > | >> so I presume this means that your code is working here
| > | > | >> Paul M
| > | > | >>
| > | > | >> | > | > | >>> Hi
| > | > | >>> First of all thankyou Thomas and Stefan for helping with the
sql
| > | > injection on password
| > | > | >>> protecting pages I have now solved it. But I have found
another
| > | > security issue
| > | > | >>> The script below sends a user there username and password
to
| > there
| > | > email.
| > | > | >>> How can I add some serverside script to stop any sql
injection
| > | > attacking the database from this
| > | > | >>> angle
| > | > | >>> Thanks Paul M
| > | > | >>>
| > | > | >>> This is above the head
| > | > | >>> <%@ LANGUAGE="VBSCRIPT" %>
| > | > | >>> <% Option Explicit %>
| > | > | >>> <%
| > | > | >>> Dim DATA_PATH, objDC, objRS, email, user, pass, sendmail
| > | > | >>> 'Maps to database. Change to your database path.
| > | > | >>> DATA_PATH=Server.Mappath("fpdb/databasesearch.mdb")
| > | > | >>> ' Create and establish data connection
| > | > | >>> Set objDC = Server.CreateObject("ADODB.Connection")
| > | > | >>> objDC.ConnectionTimeout = 15
| > | > | >>> objDC.CommandTimeout = 30
| > | > | >>> objDC.Open "DBQ=" & DATA_PATH & ";Driver={Microsoft Access
| > Driver
| > | > (*.mdb)};
| > | > | >>> DriverId=25;MaxBufferSize=8192;Threads=20;", "admin",
"password"
| > | > | >>> Set objRS = Server.CreateObject("ADODB.Recordset")
| > | > | >>> email=request.form("email")
| > | > | >>> 'you may need to adjust this to suit your database
| > | > | >>> objRS.Open "SELECT * FROM Results WHERE email = '" & email &
| > "'",
| > | > objDC, 0, 1
| > | > | >>> %>
| > | > | >>>
| > | > | >>> and this is in the body
| > | > | >>>
| > | > | >>> 'checks if email address exists in the database before
sending a
| > | > message.
| > | > | >>> if objrs.EOF then
| > | > | >>> %>
| > | > | >>> <B><font face="Arial" size="2"
| > | > color="red">Sorry<br>
| > | > | >>> We can't find this email address
<%=email%>.
| > If
| > | > you are sure the email
| > | > | >>> address is correct
| > | > | >>> please contact us for assistance, or
click
| > the
| > | > back button
| > | > | >>> to correct it . </font></B>
| > | > | >>> <% Else %>
| > | > | >>> <%
| > | > | >>> 'sets variables
| > | > | >>> email = request.form("email")
| > | > | >>> 'chooses username and password from database that
correspond
| > to
| > | > submitted email address.
| > | > | >>> user = objrs.Fields("user_name")
| > | > | >>> pass = objrs.Fields("pass_word")
| > | > | >>> Set sendmail = Server.CreateObject("CDONTS.NewMail")
| > | > | >>> 'put the webmaster address here
| > | > | >>> sendmail.From = "(e-mail address removed)"
| > | > | >>> 'The mail is sent to the address entered in the previous
page.
| > | > | >>> sendmail.To = email
| > | > | >>> 'Enter the subject of your mail here
| > | > | >>> sendmail.Subject = "The marketing for Good Login Information
You
| > | > Requested"
| > | > | >>> 'This is the content of thr message.
| > | > | >>> sendmail.Body = "Hi. Here are your login details needed to
| > search
| > | > for Projects in the Database."
| > | > | >>> & vbCrlf & vbCrlf _
| > | > | >>> & "Username=" & user & vbCrlf _
| > | > | >>> & "Password=" & pass & vbCrlf
| > | > | >>> 'this sets mail priority.... 0=low 1=normal 2=high
| > | > | >>> sendmail.Importance = 2
| > | > | >>> sendmail.Send
| > | > | >>> %><font face="Arial" size="2" color="#808080">
| > | > | >>> Your login information has been mailed to
| > | > <%=email%>.<br>
| > | > | >>> You should receive it shortly.
| > | > | >>> <%
| > | > | >>> ' Close Data Access Objects and free DB variables
| > | > | >>> objDC.Close
| > | > | >>> Set objRS = Nothing
| > | > | >>> Set objDC = Nothing
| > | > | >>> Set sendmail = Nothing
| > | > | >>> %>
| > | > | >>> <%end if%>
| > | > | >>>
| > | > | >>>
| > | > | >>>
| > | > | >>>
| > | > | >>>
| > | > | >>
| > | > | >>
| > | > | >
| > | > | >
| > | > |
| > | > |
| > | >
| > | >
| > |
| > |
| >
| >
|
|
Click to expand...
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Forgotten Password script 1
Add field to password logon. 3
ASP Script to Send an email which generates into a HTML format 2
FP2000 - Error with ASP Tell a Friend Script 1
This should be a simple fix... 1
CDO Script with Database 2
Is this CDO as opposed to CDONT 3
Insert Multiple Records into a table with one form 3

Top