• How about a .Net code example of the validation to which you allude (username character limits)?

    It would have been more helpful if you mentioned the use of .Net validators and gave a code example. For instance, you might include a validator that requires a password.

    How about a TSQL code example of the validation to which you allude (username character limits)?

    Excellent example of a reason for restricting access to only stored procs and not tables. Kudos.

    You might hash both the username and password field data and send it to the stored proc or at least the password field data.

    If you are concerned about man-in-the-middle attacks/sniffers, you might send some special data back from the stored proc, such as the hash of username & password & datetime (fuzzy).

    MD5 is no longer considered a trustworthy hash by NIST:

    http://www.codeproject.com/useritems/GoodbyeMD5.asp

    A better recommendation is SHA-256 (or stronger).