Dena, here's an interesting paper discussing SQL injection (they use user logon as an example):
http://www.google.com/url?sa=U&start=1&q=http://www.nextgenss.com/papers/advanced_sql_injection.pdf&e=10384
It's not academic quality, but still worth a read.

In a nutshell, one thing you need to avoid is constructing SQL like this:

    String sql = "select * from users where username = '" + user + "'";

which is a common security hole that allows SQL injection, and is easily defeated by escaping single quotes in the user request parameter.

-DJH

Dena Marchant wrote:
> I will check out the resources mentioned.
>
> To be a bit more specific, while I want to develop better knowledge of
> overall security issues and best practices in this area, I also need to
> know how to correctly handle user login.
>
> Is it enough to check username and password against:
> 1. values in a database and using a stored procedure
> 2. values in a file
>
> Is there a better way? On a scale of 1 to 5, level of security needed
> would be 3 or 4.
>
> Thanks again for your help.
>
> ----- Original Message -----
> From: "Ken Moore" <psm2713 at hotmail.com>
> To: <thelist at lists.evolt.org>
> Sent: Tuesday, October 18, 2005 7:58 PM
> Subject: RE: [thelist] Securing a Web Application
>
>> Hi all,
>>
>> Dena Marchant asked:
>>
>>> where I can go and get up to speed on the issues of securing a web
>>> application on an apache platform.
>>
>> The answers have been hit and miss at best. My answer would be this. If no
>> real harm can be done, go ahead and learn the best you can. If yours or a
>> client's data/info is involved, get someone who knows how to set up
>> security and learn from them.
>>
>> Ken
>>
>> --
>> * * Please support the community that supports you. * *
>> http://evolt.org/help_support_evolt/
>>
>> For unsubscribe and other options, including the Tip Harvester and
>> archives of thelist go to: http://lists.evolt.org Workers of the Web, evolt !

--
David J. Hamilton
Sr. Software Engineer
Bricsnet
Greater Control for Better Decisions
david.hamilton at bricsnet.com
415.475.4084
http://www.bricsnet.com
Quid quid latine dictum sit, altum videtur.
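The login check that this thread is about, as an added example that is not part of any message above and not code from the evolt list or from the linked paper. It puts the concatenated query DJH warns against next to a parameterized one, runs both against a constructed in-memory SQLite table (sample user and password are made up), and shows why the second form answers Dena's question better than escaping alone: the user-supplied values never become part of the SQL text, so a quote in the input is just data. Function and table names are my own choices, and the password is stored in clear only to keep the example short.

```python
import sqlite3


def make_db():
    """Constructed sample data: one user in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Real systems store a salted password hash; plain text here is only for brevity.
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_concat(conn, user, pw):
    """The pattern the thread warns about: request values spliced into the SQL string.

    Anything the user types becomes part of the statement, so a stray or
    deliberate single quote changes the query's meaning instead of being
    compared as a value.
    """
    sql = ("select * from users where username = '" + user
           + "' and password = '" + pw + "'")
    return conn.execute(sql).fetchone() is not None


def login_param(conn, user, pw):
    """The fix: placeholders, with the values bound separately by the driver.

    The SQL text is fixed; the driver passes user and pw as data, so quotes
    in the input never reach the parser as SQL syntax. No escaping code to
    get wrong.
    """
    sql = "select * from users where username = ? and password = ?"
    return conn.execute(sql, (user, pw)).fetchone() is not None


def compare(conn, user, pw):
    """Return (concatenated result, parameterized result) for one credential pair."""
    return login_concat(conn, user, pw), login_param(conn, user, pw)


if __name__ == "__main__":
    db = make_db()
    # Legitimate credentials: both forms agree.
    print(compare(db, "alice", "correct horse"))   # (True, True)
    print(compare(db, "alice", "wrong"))           # (False, False)
    # Input containing a single quote: only the concatenated form is fooled,
    # because the quote closes the string literal and the rest is read as SQL.
    tainted = "' or '1'='1"
    print(compare(db, tainted, tainted))           # (True, False)
```

Running it prints the three tuples in the comments; the last line is the defect DJH describes, and the parameterized function rejecting the same input is the check to look for when reviewing login code. Stored procedures (Dena's option 1) only help if they are called with bound parameters too; a procedure whose body builds SQL from its arguments has the same hole.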