July 27th, 2005, 08:34 AM, #1, simonneaves (New Member; Bath, England)
secure account details

I've been developing with asp and access databases for a short while now, and am starting to work with clients who need to capture customer details such as username, password, email, address, phone etc.

I am not going to store credit card details.

I have not put any particular security measures in place and I need to know whether my systems are adequately secure, particularly with respect to legal requirements and the data protection act.

The site is not on a secure server. My access database exists in a separate folder from the web directory, but there is no encryption or password protection on the database, and none of the information that is passed to and from it in my asp scripts is encrypted. My clients will be able to access customer information (as will the customers themselves) via logins which comprise a username and password. The asp script compares unm/pwd info with info in the database and sets a session variable to login.

Can anybody spot any gaping flaws in this system which will render my sites illegal or massively exposed? Can anybody recommend any decent resources which won't involve me wading through masses of obscure legal or techy jargon?

Thanks very much.

So far I have consulted the following:

http://www.webforumz.com/viewtopic.php?t=1701
http://www.webforumz.com/viewtopic.php?t=3721

http://www.developer.com/lang/other/article.php/724731
July 27th, 2005, 12:35 PM, #2, Smokie (Highly Reputable Member; Ipswich, UK)
You may want to look into "SQL Injection"; it's a method used by an attacker to insert extra SQL into your SQL by entering a certain string into your username and password boxes, for example:

' or ''='

enter the above into both the username and password box and see if it will log you in.

One easy way to combat this is to replace single quotes with 2 single quotes:

Code:
UserName = Replace(Trim(Request.Form("username")), "'", "''")
PassWord = Replace(Trim(Request.Form("password")), "'", "''")
Also search on google for SQL injection.
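To see the mechanism Smokie describes from the defender's side, here is an added example (not code from the thread) that reproduces the `' or ''='` probe against string-built SQL, with Python's sqlite3 standing in for the Access database, then shows the quote-doubling fix beside a parameterised query. The table, the user row and the function names are constructed for the demonstration.

```python
import sqlite3

# Constructed stand-in for the thread's Access table: one user, plaintext password kept
# only so this demonstration stays focused on the query (hashing is a separate fix).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn

def login_concat(conn, username, password):
    """The pattern under discussion: form fields pasted straight into the SQL string."""
    sql = ("SELECT id FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None

def escape_quotes(value):
    """Python equivalent of the Replace(..., "'", "''") fix from the thread."""
    return value.replace("'", "''")

def login_escaped(conn, username, password):
    """Quote-doubling: enough for this probe in a quoted string context, but it does
    nothing for values that land outside quotes (an unquoted numeric id, for example)."""
    return login_concat(conn, escape_quotes(username), escape_quotes(password))

def login_parameterized(conn, username, password):
    """Bound parameters: the driver sends values separately, so input is never parsed as SQL.
    Classic ASP gets the same effect with ADODB.Command parameters instead of string building."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

# The probe string quoted in the thread, entered into both boxes.
PROBE = "' or ''='"

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", login_concat(db, PROBE, PROBE))         # True: logged in with no password
    print("quote-doubled:", login_escaped(db, PROBE, PROBE))        # False
    print("parameterized:", login_parameterized(db, PROBE, PROBE))  # False
```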
July 27th, 2005, 01:03 PM, #3, simonneaves (New Member; Bath, England)
good one.
That's a start...!
Thanks Smokie.
July 27th, 2005, 05:24 PM, #4, Webforumz Staff (Admin)
Other than the SQL injection, as long as the folder the db is in isn't accessible to the public you're in pretty good shape. Maybe turn off detailed error messages, sometimes information shows up in an error that can help people get into places they should be in.

Security is always a balance of how much money/time it takes to improve it versus how important your data is. As you say there isn't CC info, so things like getting an SSL certificate probably aren't necessary.
July 27th, 2005, 09:10 PM, #5, Webforumz Staff (Admin)
You can (and should) store the password in the database already encrypted and not a raw text password. I believe asp has access to some encryption functions such as md5 and sha_256 or that scripts can be found to do the encryption for you quite easily.
July 28th, 2005, 05:45 AM, #6, simonneaves (New Member; Bath, England)
Great,

Thanks folks, this is all exactly what I wanted to hear. I shall look into these.

Any other advice or opinions are always welcome.

si.
July 28th, 2005, 06:12 AM, #7, Rob (Elite Veteran, SuperMember; Southern UK)
I can prolly dig out some encryption scripts should you need them.
Rob - Webforumz Founder
July 28th, 2005, 06:20 AM, #8, simonneaves (New Member; Bath, England)
That would be great Rob if it isn't too much hassle,

It would save me a lot of time searching the net.
July 28th, 2005, 11:41 AM, #9, Rob (Elite Veteran, SuperMember; Southern UK)
Here is a function for creating a sha256 one way hash:
http://pastebin.webforumz.com//view.php?id=26
Rob - Webforumz Founder
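As an added example covering the one-way storage Webforumz Staff recommends in #5 and the sha256 function Rob links in #9 (this is not Rob's pastebin code or anything else from the thread): a Python sketch of storing and checking a password hash instead of the password. It uses PBKDF2-SHA256 with a random per-user salt rather than a bare sha256, so identical passwords do not produce identical stored values; the ITERATIONS value and the `salt$digest` record layout are assumptions.

```python
import hashlib
import hmac
import os

# Assumed work factor; raise it as far as login latency on the server allows.
ITERATIONS = 200_000

def plain_sha256(password):
    """A bare hash as the thread describes: one-way, but unsalted, so identical
    passwords give identical stored values and precomputed tables apply."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def hash_password(password, salt=None):
    """Return 'salt$digest' in hex; a fresh 16-byte random salt is drawn per user."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()

def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time. This replaces the
    thread's unm/pwd comparison: the database never holds the password itself."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)

if __name__ == "__main__":
    record = hash_password("correct horse")          # what goes in the database
    print(verify_password("correct horse", record))  # True
    print(verify_password("wrong", record))          # False
    print(plain_sha256("x") == plain_sha256("x"))    # True: unsalted, same value for every user
    print(hash_password("x") == hash_password("x"))  # False: different salts
```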