asp.net - Authentication Bypass Using SQL Injection appScan -
when making security scan error shown high :
remediation tasks: filter out hazardous characters user input ?
for parameter (parameter = txtpassword),(parameter = btnlogin) , (parameter = txtname) of them used in code here:
--------------- sqlcomm.parameters .addwithvalue("@username", dataencryption.dataencryption.encryptstring(lcase(txtname.text), "omss23re24&&userna(me")) .addwithvalue("@pass", dataencryption.dataencryption.encryptstring(txtpassword.text, "omsp12assw%%8or*d")) end if (session("admin") nothing) if txtname.text = txtpassword.text or forgotpasscls.getuserloginflag(session("custid").tostring()) if forcechange = "true" response.redirect("changepassword.aspx", true) else response.redirect(defaulturl, true) end if end if else '' if user admin if txtname.text = txtpassword.text or forgotpasscls.getuserloginflag(session("admin").tostring()) if forcechange = "true" response.redirect("changepassword.aspx", true) else response.redirect(defaulturl, true) end if end if end if what can please ?
Comments
Post a Comment