How to protect the admin login page from SQL Injection.


Published on

This tutorial is on basics of web application and to secure them using client side JavaScript validation through Regular Expression from SQL Injection.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

How to protect the admin login page from SQL Injection.

  1. 1. Web Application--------------------------------Website----------------A website is platform to present information about a company (or organization), anindividual etc.Essentially, it is a collection of documents known as webpages that contain information:images, words, digital media, and alike.Types of websites--------------------------------Static websites: - Static Websites can be defined as those which are not database driven.They can be developed by basic knowledge of web technologies like HTML and CSS. Theypresent the information to the users/visitor in the most direct way as it is stored on the webserver. These website do not have any control panel. They are driven through FTP clientsthat connect to the host server. A simple example of a static website could be anorganization website providing details about its portfolio, contacts, resources, projects etc.Dynamic websites: - Dynamic websites can be defined as those that require database tostore and retrieve the information. They have features such as insert new data, fetch data,update/modify data, and delete data etc. which are not present in the static websites. Thesewebsites have a control panels through which the administrator can make changes as perthe requirement. Some of the most popular enterprise database used are: - Oracle, MySQL,SQL Server, DB2 etc.Parts of web application-----------------------------------------Front end: It is that part of the web site which a user can see and interact.Back end: Also called as back-end technology infrastructure consists of an application, adatabase and a server. All the data is stored in the database.SQL (Structured Query Language)------------------------------------------------It is a standard programming languages designed to interact with the database.With the help of SQL the data from the front end is stored into the back-end. Similarly, thedata from the back-end is retrieved and presented at the front-end.
  2. 2. Admin Login Page------------------------------It is the page where the administrator enters the control panel of the website to makechanges. Generally the link for admin panel are as follows:-"adminlogin.php" "admin/login.php" "administrator.php" "login/admin.php""adminlogin.asp" "admin/login.asp" "adminstrator.asp" "login/admin.asp""adminlogin.aspx" "admin/login.aspx" "adminstrator.aspx" "login/admin.aspx"How to target admin login page?-----------------------------------------------------Login with random username and password:------------------------------------------------------------------------Username =========> hackerPassword ==========>pass1234LOGIN
  3. 3. Simple check deployed behind most of the websites:----------------------------------------------------------------------------------if username.text ="xyz" and password.text="pass""Invalid username or password.")The above method is highly unsecured since it just checks the conditions to be true, it doesnot validate the entered username and password.-Any true condition can be used to hack into the website.Example: ‘or’ ‘=’, ‘1=1’ etc.-It is called condition based matching.-Secured way can be using Stored Procedure.Random Attacking------------------------------Go to  adminlogin.aspxTarget Based site: site: adminloginHow to protect the attack?------------------------------------------- Never use traditional name for admin page.Use page like: xyz@c3r.php Always use Email or Numeric character as username. Filter the special character at the client end. Do have fake messages for hackers.
  4. 4. The following script can prevent SQL injection attacks on a web application.---------------------------------------------------------------------------------------------------------------------
  5. 5. Checking the working of the above script.----------------------------------------------------------------