.NET Forum / .NET Framework / Security / October 2005

vb.net - sp_addlogin (security)

fasttrack - 23 Oct 2005 22:31 GMT
A problem of security:

From a vb.net form I created the chance to add an SQL Server user with role
as administrator.
To create it, username and password are retrieved from two text box and then
the login is created with:

cmdSQL = "EXEC sp_addlogin '" & txtUser.text & "', '" & txtPwd.text & "'"
then the cmdSQL is executed.

Then:
added to Administrator role as follow:
cmdSQL = "EXEC sp_addsrvrolemember '" & txtUser.text & "', 'sysadmin'"
then the cmdSQL is executed.

Everything works well: user is created in the specified SQL Server and added
to administrator role.

My question is:
Doing so...are there problems of security? Could the password be read when
sp_addlogin is executed....?

Must an encryption method be used?

This is very important because the new user created has administrator
privilege.

Any help or suggestion may be helpful...

Thank
Dominick Baier [DevelopMentor] - 24 Oct 2005 01:02 GMT
Hello fasttrack,

Yes - SQL communication is clear text by default.

Enable SSL on SQL Server to remedy this.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> A problem of security:
>
[quoted text clipped - 26 lines]
>
> Thank
carion1 - 27 Oct 2005 07:50 GMT
That is open to SQL injection attacks.  You should escape single quotes in
the input values.

Derek Davis
ddavis76@gmail.com

>A problem of security:
>
[quoted text clipped - 29 lines]
>
> Thank
Alun Jones - 27 Oct 2005 16:24 GMT
> That is open to SQL injection attacks.  You should escape single quotes in
> the input values.

Ah, but then there's the possibility that you might screw up the escaping,
and provide means by which a different injection can occur to your code.

There are better ways to avoid SQL injection - as usual, relying on someone
else to do the work is usually more secure, because they've been doing it
for a while.  So, check out the section on SQL injections in "Writing Secure
Code" by LeBlanc and Howard.

Alun.
~~~~
[Please don't email posters, if a Usenet response is appropriate.]
Texas Imperial Software   | Find us at http://www.wftpd.com or email
23921 57th Ave SE         | alun@wftpd.com.
Washington WA 98072-8661  | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
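The "better way" Alun alludes to is to stop building the T-SQL string at all and pass the user's input as command parameters. The following is an added example, not code from any poster in this thread: it makes the same two calls as the original form (sp_addlogin, then sp_addsrvrolemember for the sysadmin role) through SqlCommand with CommandType.StoredProcedure, so a quote in the text box is delivered as a value rather than as part of the statement, and it sets Encrypt=True in the connection string, which is how an ADO.NET client asks for the SSL connection Dominick mentions. The server name SQLHOST, the connection string, and the module/procedure names are assumptions for the example; txtUser and txtPwd are the text boxes from the original post.

```vbnet
' Added example, not from the original thread. Replaces the concatenated
' "EXEC sp_addlogin '...'" string with parameterised stored-procedure calls.
Imports System.Data
Imports System.Data.SqlClient

Public Module LoginAdmin

    ' Assumed connection string. Encrypt=True asks the client to negotiate
    ' SSL/TLS with the server so the new password does not cross the network
    ' in clear text; the server must have a certificate configured for this
    ' to succeed (SQLHOST is a placeholder server name).
    Private Const connStr As String = _
        "Data Source=SQLHOST;Initial Catalog=master;Integrated Security=SSPI;Encrypt=True"

    ' Creates a SQL Server login and adds it to the sysadmin server role.
    ' userName and password come straight from the form; they are never
    ' spliced into SQL text, so escaping quotes is not needed (and not done).
    Public Sub AddSysAdminLogin(ByVal userName As String, ByVal password As String)
        Using conn As New SqlConnection(connStr)
            conn.Open()

            ' EXEC sp_addlogin @loginame, @passwd  -- both as typed parameters.
            Using cmd As New SqlCommand("sp_addlogin", conn)
                cmd.CommandType = CommandType.StoredProcedure
                cmd.Parameters.Add("@loginame", SqlDbType.NVarChar, 128).Value = userName
                cmd.Parameters.Add("@passwd", SqlDbType.NVarChar, 128).Value = password
                cmd.ExecuteNonQuery()
            End Using

            ' EXEC sp_addsrvrolemember @loginame, @rolename
            Using cmd As New SqlCommand("sp_addsrvrolemember", conn)
                cmd.CommandType = CommandType.StoredProcedure
                cmd.Parameters.Add("@loginame", SqlDbType.NVarChar, 128).Value = userName
                cmd.Parameters.Add("@rolename", SqlDbType.NVarChar, 128).Value = "sysadmin"
                cmd.ExecuteNonQuery()
            End Using
        End Using
    End Sub

End Module

' Call from the form's button handler (txtUser / txtPwd as in the original post):
'   LoginAdmin.AddSysAdminLogin(txtUser.Text, txtPwd.Text)
```

Because the procedure name is the whole command text and the two values travel as parameters, an input such as `x', 'y'; EXEC ...` is simply a login name that the server will accept or reject on its own rules; nothing in the input can change which statements run. The password is still held in clear text inside the process (and in the text box), so the remaining exposure is the unencrypted wire, which is what Encrypt=True and a server certificate address.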
©2008 Advenet LLC   Privacy Policy - Terms of Use