I'm creating a new stored procedure for user register on my web application. I need to validate user password to be in a format of:
It must contain at least one number or letter
It must contain at least one special character
I need to manage to write this using regex.
This is for a new database that I have created in SQL Server 2017. My database is working fine, and my email validation is also fine and working.
IF (@password NOT LIKE '%[a-zA-Z0-9]%' OR @password NOT LIKE '%~!@#$%^&*()_+-={}[]:"|\;,./<>?''%' OR LEN(@password) < 8)
BEGIN
SET @message = 'Invalid credentials'
RETURN;
END
ELSE
SET @message = 'Success'
RETURN;
END
This is my code so far, and honestly I tried a lot of combinations and still nothing.
I expect the output for a password like !Password123 to be Success, but instead I'm still getting "Invalid credentials", and for a password like Password123! I am still getting "Invalid credentials".
While it would be ideal to have access to a full regex engine, which would let you write a more robust password check, you actually can handle your requirements using SQL Server's enhanced LIKE operator. The problem I see with your current code is that you are not escaping the square brackets in the second LIKE expression which checks for the presence of a special character. You may tell SQL Server how you plan to escape square brackets using ESCAPE as follows:
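DECLARE @password VARCHAR(500);
SET @password = '!Password123';
-- In the special-character set the hyphen comes first so it is a literal,
-- not the range "+" to "="; "\\" is a literal backslash under ESCAPE '\'.
SELECT 1
WHERE
@password NOT LIKE '%[a-zA-Z0-9]%' OR
@password NOT LIKE '%[-~!@#$%^&*()_+={}\[\]:"|\\;,./<>?'']%' ESCAPE '\' OR
LEN(@password) < 8;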
The above query returns nothing, indicating that !Password123 is a valid password.
Related
I am updating a string in a table using a Firebird SQL statement, with information typed by a user. However, if the string entered by a user has an apostrophe then it creates an error because the SQL syntax no longer reads correctly.
I guess I could read the string and remove all instances of apostrophes, but I wonder if there is an easier way.
{Edit 17 May 2017}
I am using Firebird 2.5 (as part of a software program called Ostendo)
Here is an extract of the code:
UpdatedMsg := frmPOLineNotesMemo.Lines.text;
SQLUpdateStr := 'update ASSEMBLYLINES set LINENOTES = LINENOTES || '''+ UpdatedMsg +''' Where SYSUNIQUEID = ' + AssyPropertyLine + '';
ExecuteSQL(SQLUpdateStr);
frmPOLineNotesMemo.Lines.Text is information entered by the user via a form.
You need to double the apostrophes in the string.
Found here: https://firebirdsql.org/manual/qsg10-firebird-sql.html
However keep in mind the comments. User input should be passed as parameters to avoid security problems.
My H2 database's root user's name is completely blank, so when I try to use the password change command on it, it doesn't work. I receive this error every time I try:
Syntax error in SQL statement "ALTER USER SET PASSWORD[*] 'newpassword'"; expected "SET, RENAME, ADMIN"; SQL statement:
ALTER USER SET PASSWORD 'newpassword' [42001-195] 42001/42001
I think it may be possible to alter it using the user's ID (13) but I have no idea how to go about that. I've also tried putting '' as the user which didn't work.
If the user name is truly blank the following should work:
ALTER USER "" SET PASSWORD 'newPass';
Similarly to change it to a more normal name:
ALTER USER "" RENAME TO WHATEVER;
It's also possible that somebody decided to play an even bigger trick on you and name the user "  " (2 spaces) or some other name that consists of whitespace; you can check it by copying the name to an editor that can show whitespace. If this is the case, you need to put the name exactly as is in the double quotes.
Try this
ALTER USER user_ID SET PASSWORD 'rioyxlgt'
I am not understanding the SQL syntax problems I'm getting while launching an injection attack, so any help explaining them is much appreciated. I have a target PHP login script that takes a username/password combo and then very simply runs:
Select * FROM users WHERE username='$username' AND password='$password'
When I supply the basic
$username = ' OR '1=1
$password = ' OR '1=1
the system logs me in as admin because it evaluates to
Select * FROM users WHERE username='' OR '1=1' AND password='' OR '1=1'
and gets a match for the first user entry in the database (admin). Now I'm trying to get the script to log me in as an arbitrary user named adrian. My thought was to supply
$username = adrian
$password = ' OR (1=1 AND username='adrian') --
which I thought would evaluate to
Select * FROM users WHERE username='adrian' AND password='' OR (1=1 AND username='adrian') -- '
I thought the boolean order of operations was left to right when no parentheses are included:
Select * FROM users WHERE [[[username='adrian'] AND password=''] OR (1=1 AND username='adrian')] -- '
but this is not logging me in as anyone (and giving me no errors). Even if AND's are evaluated last, this statement would evaluate to
Select * FROM users WHERE [username='adrian'] AND [password='' OR (1=1 AND username='adrian')]
Which would still be true for the user adrian. Meanwhile
$username = adrian
$password = 'or(1=1 and username='adrian') --
is logging me in as adrian properly, which evaluates to
Select * FROM users WHERE username='adrian' AND password=''or(1=1 AND username='adrian') -- '
So why does my approach with "OR" not work while my approach with 'or' does work?
SOLVED: Thank you for the guidance. I understand SQL better now, but my real problem was that autofill was removing spaces after the "--". I must've messed up the first time and then foolishly relied on autofill from then on out.
The order of operations is not only left to right. In fact, left to right (or positional precedence) is the very last thing considered when evaluating an expression like this. You have to understand operator precedence as well, as this is the most important aspect in determining the behavior of such a statement. In this case, AND has higher precedence than OR.
That means your statement would behave as follows:
Select * FROM users WHERE (username='adrian' AND password='') OR (1=1 AND username='adrian')
So, you would get a row returned as long as there was a user named adrian.
Check out the MySQL documentation on operator precedence - https://dev.mysql.com/doc/refman/5.6/en/operator-precedence.html
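The precedence rule in the answer above, together with the earlier advice to pass user input as parameters, as an added example that is not code from any of the posts. It uses Python's sqlite3 module with a constructed users table instead of the MySQL/PHP and Firebird setups in the questions; the function names and sample rows are hypothetical, and the password value is the one quoted in the question.

```python
import sqlite3

def make_db():
    # Constructed sample rows; only the name "adrian" comes from the question.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "admin-pw"), ("adrian", "adrian-pw"), ("o'brien", "pw")])
    return db

def login_concat(db, username, password):
    # Query shape from the question: input is pasted into the SQL text.
    sql = ("SELECT username FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    return [row[0] for row in db.execute(sql)]

def login_param(db, username, password):
    # Placeholders: input is bound as data and never parsed as SQL.
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return [row[0] for row in db.execute(sql, (username, password))]

def and_binds_tighter(db):
    # 0 AND 0 OR 1 is (0 AND 0) OR 1 = 1, not 0 AND (0 OR 1) = 0.
    bare, and_first, or_first = db.execute(
        "SELECT 0 AND 0 OR 1, (0 AND 0) OR 1, 0 AND (0 OR 1)").fetchone()
    return bare == and_first and bare != or_first

def apostrophe_breaks_concat(db):
    # An apostrophe in the input ends the string literal early.
    try:
        login_concat(db, "o'brien", "pw")
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    quoted = "' OR (1=1 AND username='adrian') -- "  # value quoted in the question
    print(and_binds_tighter(db))
    print(login_concat(db, "adrian", quoted))
    print(login_param(db, "adrian", quoted))
    print(apostrophe_breaks_concat(db))
    print(login_param(db, "o'brien", "pw"))
```

With placeholders the same input is compared as a literal password and matches no row, and a name containing an apostrophe needs no doubling.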
I have written a query to update a password using MD5, but the new password is not working, and neither is the old password. Below is the query.
UPDATE tbl_user
SET password = HashBytes('MD5', CAST(CHECKSUM('abc') AS varchar(32)))
WHERE login_id = 'user123'
Now when I give abc as a password, it doesn't work when I log in to my application.
I'm not sure, never having done something exactly like that, but I think you need to enclose the value of the password HashBytes('MD5', CAST(CHECKSUM('abc') AS varchar(32))) in quotes, as in a normal query you would say
UPDATE tbl_user SET password='complexpassword' WHERE login_id = 'user123'
Oh, and you probably ought to remove the brackets around login_id. With the password value not having quotes, it does not know where the end of your string is and is probably trying to insert "HashBytes('MD5', CAST(CHECKSUM('abc') AS varchar(32)))WHERE (login_id = 'user123')" as your password and then finding it has no location info; that, or it is recognizing your string and placing it as is in the table, not carrying out the hash.
The easiest thing could be to hash the password before passing it to the query statement. Tell me if that does not work in your situation and if the above fixes do not work.
Here's a very easy question for someone :)
Trying to update an SQL column with the following:
UPDATE [NameOfTable]
SET [HtmlContent] = 'a href="/sell-your-boat/"'
WHERE HtmlID = 123456
But am getting the following error message: Incorrect syntax near '/'.
I know it's because I need to escape the / character but hitting my head against the wall trying to find the answer because I am aware it's probably very simple!
Thank you
You don't need to escape slashes in a string in SQL. The only character that you need to escape is apostrophe (').
There is nothing wrong with the query that you are showing, so the only explanation is that the code that you are actually running does not look like that.
It doesn't make sense to have HTML-encoded quotation marks around a href attribute, so my guess is that the HTML code actually looks something like this:
<a href='/sell-your-boat/'>
Any apostrophes in the text would have to be encoded as double apostrophes when you put it in a string literal in the SQL code.
I don't know where the query is executed from, but a parameterised query would be preferable if possible, as then you don't have to escape the text yourself, you just assign the text to the property value.
Like all the comments above, you don't need to escape the /
I just did a quick SQL test in SQL Server 2005 and didn't get an error message (see below).
We'll probably need more information than what you provided. Are you running this in Management Studio, or is this SQL being called in a .NET application, etc...
create table test (htmlid int, htmlcontent varchar(516))
insert into test select 123456 as htmlid, 'test' as htmlcontent
update test
set htmlcontent = 'a href="/sell-your-boat/"'
where htmlid = 123456
select * from test where htmlid = 123456
drop table test
my output
123456 a href="/sell-your-boat/"