Login1_LoggingIn SQL Injection Idea?

The purpose is checking the ASP Login control for SQL chars using the codebehind. I would like to know the pros & cons of my posted code idea below. Note: I read conflicting reports concerning the security of the textbox input, whereas some say it is protected internally while others say not secure. I would rather know than guess...

1. Check email with regex @ (limited for example sake)
2. Check both email and password for typical SQL injection chars (; -- + * ' %)

// At the top of the code-behind file:
using System.Text.RegularExpressions;
using System.Web.UI.WebControls;

protected void Login1_LoggingIn(object sender, LoginCancelEventArgs e)
{
    // Reject a user name that has no '@' or contains any of the listed characters.
    // The pattern must be a verbatim string (@"...") so that \+ and \* reach Regex
    // as regex escapes instead of being rejected by the C# compiler.
    if (!Regex.IsMatch(Login1.UserName, "@")
        || Regex.IsMatch(Login1.UserName, @";|--|\+|\*|'|%"))
    {
        label1.Text = "Invalid Email Characters!";
        e.Cancel = true;   // stop the Login control from authenticating
        return;
    }

    if (Regex.IsMatch(Login1.Password, @";|--|\+|\*|'|%"))
    {
        label1.Text = "Invalid Password Characters!";
        e.Cancel = true;
        return;
    }
}
pointemanAsked:
Nathan BoveSoftware EngineerCommented:
The login control itself is neither secure nor vulnerable to sql injection.  A login control simply passes authentication credentials to a membership provider and waits for the provider to return if the credentials were valid or not.  The underlying membership provider may or may not be vulnerable to sql injection.

As for performing a regex to filter out certain characters, I find that to be largely unneeded as long as you are using parameterized sql instead of concatenated sql strings.  The drawback to filtering with Regex is that users can no longer use those special characters in their passwords, which slightly weakens your password strength.
0
pointemanAuthor Commented:
I've used parameterized sql with ordinary insert statements. However the Login control seems to be a little out-of-control seeing that it processes the textbox input via hidden code.

Q. How can I implement 'parameterized sql' using a Login control?
0
Nathan BoveSoftware EngineerCommented:
A: Implement your own membership provider.

The following link shows a sample custom ODBC membership provider, but you could adapt the code to provide membership from any source:
http://msdn.microsoft.com/en-us/library/6tc47t75.aspx

This link shows how to use a custom membership provider in an ASP.NET web application:
http://msdn.microsoft.com/en-us/library/44w5aswa.aspx
0
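As an added example (not code from this thread or from the MSDN samples linked above), here is the core of the ValidateUser check that such a custom membership provider would perform with parameterized SQL. It assumes a connection string named SqlServices and a hypothetical Users table holding a per-user salt and a PBKDF2 password hash; the user name reaches SQL Server only as a typed parameter, and the password never reaches it at all, so none of the characters the question filters need to be blocked.

```csharp
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

// Hypothetical helper a custom MembershipProvider's ValidateUser override would call.
// Assumed schema: Users(UserName nvarchar(256), PasswordSalt varbinary, PasswordHash varbinary),
// where PasswordHash = PBKDF2(password, PasswordSalt, Iterations).
public static class ParameterizedLogin
{
    private const int Iterations = 10000;
    public static bool ValidateUser(string username, string password)
    {
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
            return false;
        string cs = ConfigurationManager.ConnectionStrings["SqlServices"].ConnectionString;
        // The SQL text is a constant; user input is never concatenated into it.
        const string sql = "SELECT PasswordSalt, PasswordHash FROM Users WHERE UserName = @UserName";
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Sent as a typed parameter value, so ' ; -- % + * in the user name are
            // ordinary characters to compare against, not query syntax.
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = username;
            conn.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                if (!r.Read())
                    return false; // unknown user name
                byte[] salt = (byte[])r["PasswordSalt"];
                byte[] stored = (byte[])r["PasswordHash"];
                // The password never reaches the database at all: it is hashed here and
                // compared in code, so no character filtering on it is needed either.
                using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
                    return FixedTimeEquals(stored, kdf.GetBytes(stored.Length));
            }
        }
    }

    // Examines every byte whatever the position of the first mismatch.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```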
pointemanAuthor Commented:
Too much like reinventing the wheel. I think MS dropped-the-ball on the Login control. However, the 'passwordStrengthRegularExpression' in the web.config can be used like so:

http://msdn.microsoft.com/en-us/library/system.web.security.membership.passwordstrengthregularexpression.aspx

<membership defaultProvider="SqlProvider"
  userIsOnlineTimeWindow="20">
  <providers>
    <add
      name="SqlProvider"
      type="System.Web.Security.SqlMembershipProvider"
      connectionStringName="SqlServices"
      requiresQuestionAndAnswer="true"
      passwordStrengthRegularExpression="(?=.{6,})(?=(.*\d){1,})(?=(.*\W){1,})" />
  </providers>
</membership>
0
Nathan BoveSoftware EngineerCommented:
The property you are referring to will prevent users from having certain characters in their password, but it will not prevent users from attempting sql injection attacks.  If you want to prevent sql injection, your best bet is to implement your own membership provider and use parameterized sql.
0
pointemanAuthor Commented:
>>The property you are referring to...

Agreed! Using the passwordStrengthRegularExpression and other <membership> provider properties are probably more than adequate to protect logins.

>>use parameterized sql....

Referring to the link you posted earlier (below): I'm just speculating, but it's probably the actual code used by the Login control and MS has simply posted it. I noticed the use of 'cmd.Parameters.Add' throughout the example. Both .NET 4 and 3.5 use the same code.

http://msdn.microsoft.com/en-us/library/44w5aswa.aspx

0
Nathan BoveSoftware EngineerCommented:
You are probably correct, but unless you want to spend some hours digging through the MSIL of the Microsoft DLLs, then you won't know for sure.  Perhaps it is just me, but I would prefer not to base my security on speculation and assumptions.  In the time you would spend digging through and finding the answer, you could just write your own membership provider and not have to worry about it.

In short:  If you want to know for sure what is happening under the covers, write it yourself.
0

pointemanAuthor Commented:
Agreed!
0