Active Directory Authentication - Protecting against injection

  • Question

  • Hi,

    I have a C# script which authenticates a user on our domain. I won't go into all the detail but the purpose of it is to 'check' someone's login credentials before they are actually logged on.

    In this script a regular expression is used to validate the username and password, supposedly to protect against SQL injection. Here is a snippet of that code:

    Regex rx = new Regex("^\\w+$");
    if(!rx.IsMatch(Request.QueryString["u"]) || !rx.IsMatch(Request.QueryString["p"]))

    If there is a match then the authentication check fails. At the moment the regular expression restricts user passwords to just letters and numbers, which is very problematic, as users, including me, have special characters in their passwords.

    Here is how the user is authenticated on the domain using the validated username & password:


    private bool Authenticate(string userName,string password, string domain)
    {
    bool authentic = false;
    try { DirectoryEntry entry = new DirectoryEntry("LDAP://" + domain,userName, password); object nativeObject = entry.NativeObject; authentic = true; } catch (DirectoryServicesCOMException) { } return authentic; }
    My question is, do I need to use the regular expression to protect against SQL injection when authenticating using the above method?
    If I do could you point me in the direction of a regular expression which will allow special characters whilst also protecting from injection.

    Many thanks,

    Nick
    Wednesday, October 21, 2009 1:18 PM

All replies

  • If I were you, I would use the LogonUser Windows API function.

    http://msdn.microsoft.com/en-us/library/aa378184%28VS.85%29.aspx

    With this function, you will not have to worry about SQL injection.  But talking about that:  Why do you think there's a possibility of SQL injection here?  Certainly you are not constructing a SQL query.  I would be interested in knowing the reasons behind your concern.
    MCP
    • Marked as answer by eryang Monday, October 26, 2009 6:47 AM
    Wednesday, October 21, 2009 11:27 PM
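    The answer above recommends LogonUser; the following is an added example of how that call can be wrapped from C#, not code from the thread or from Microsoft. It assumes .NET Framework on a Windows host that can reach the domain; the constants (LOGON32_LOGON_NETWORK = 3, LOGON32_PROVIDER_DEFAULT = 0, ERROR_LOGON_FAILURE = 1326) are the documented Win32 values. The point it illustrates is the same one the answer makes: the user name and password travel as separate API parameters, never inside a query or filter string, so no characters need filtering.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

// Added example (not from the thread): validating domain credentials with the
// LogonUser Win32 API instead of an LDAP bind through DirectoryEntry.
static class CredentialCheck
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string lpszUsername, string lpszDomain,
        string lpszPassword, int dwLogonType, int dwLogonProvider,
        out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    // Network logon is the cheapest type for a pure credential check; it does
    // not create an interactive session for the user.
    const int LOGON32_LOGON_NETWORK = 3;
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int ERROR_LOGON_FAILURE = 1326;

    // Returns true only when the domain accepts the user name/password pair.
    // Both values are passed as separate parameters, so no character in the
    // password is special and no input filtering is needed for this call.
    public static bool Authenticate(string userName, string password, string domain)
    {
        IntPtr token = IntPtr.Zero;
        try
        {
            bool ok = LogonUser(userName, domain, password,
                LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token);
            if (!ok)
            {
                int err = Marshal.GetLastWin32Error();
                // 1326 means bad credentials; anything else (e.g. no domain
                // controller reachable) should be logged, not mistaken for a typo.
                if (err != ERROR_LOGON_FAILURE)
                    Console.Error.WriteLine("LogonUser failed: " + new Win32Exception(err).Message);
            }
            return ok;
        }
        finally
        {
            // Release the token handle on every path, or each successful
            // check leaks a kernel object.
            if (token != IntPtr.Zero) CloseHandle(token);
        }
    }
}
```

Unlike the original snippet, which reads the password from Request.QueryString, a caller of this method should take the credentials from a POSTed form body over HTTPS, since query strings end up in browser history and web server logs.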
  • Hi WebJose,

    Thanks for your reply; when I return to work I will try the LogonUser Windows API function as you suggested. I don't know how AD works, but I assumed there must be a database behind it from where the username and password are retrieved when you try the login I was using. Am I incorrect in thinking this?

    Sorry for my late reply!

    Monday, October 26, 2009 10:08 AM
  • There is a database, yes, but it doesn't use SQL.  The authentication does not generate a query string of any kind to get a user authenticated.  No worries there.
    MCP
    • Marked as answer by nab89 Monday, October 26, 2009 4:09 PM
    Monday, October 26, 2009 2:14 PM
  • Thank you webJose, that was the answer I was looking for. I'll remove the regular expression and save myself a lot of grief.
    Monday, October 26, 2009 4:14 PM