[thelist] Securing a Web Application

David J. Hamilton david.hamilton at bricsnet.com
Thu Oct 20 12:47:30 CDT 2005


Dena,

Here's an interesting paper discussing SQL injection (they use user
logon as an example):
http://www.google.com/url?sa=U&start=1&q=http://www.nextgenss.com/papers/advanced_sql_injection.pdf&e=10384
It's not academic quality, but still worth a read.

In a nutshell, one thing you need to avoid is constructing SQL like this:
String sql = "select * from users where username = '" + user + "'";
which is a common security hole that allows SQL injection, and is easily
defeated by escaping single quotes in the user request parameter.

-DJH


Dena Marchant wrote:
> I will check out the resources mentioned.
> 
> To be a bit more specific, while I want to develop better knowledge of
> overall security issues and best practices in this area, I also need to
> know how to correctly handle user login.
> 
> Is it enough to check username and password against:
> 1. values in a database and using a stored procedure
> 2. values in a file
> 
> Is there a better way?  On a scale of 1 to 5, level of security needed
> would be 3 or 4.
> 
> Thanks again for your help.
> 
> ----- Original Message ----- 
> From: "Ken Moore" <psm2713 at hotmail.com>
> To: <thelist at lists.evolt.org>
> Sent: Tuesday, October 18, 2005 7:58 PM
> Subject: RE: [thelist] Securing a Web Application
> 
> 
> 
>>Hi all,
>>
>>Dena Marchant asked:
>>
>>> where I can go and get up to speed on the issues of securing a web
>>> application on an apache platform.
>>
>>The answers have been hit and miss at best. My answer would be this. If no 
>>real harm can be done, go ahead and learn the best you can. If yours or a 
>>clients' data/info is involved, get someone who knows how to set up 
>>security and learn from them.
>>
>>Ken

-- 

David J. Hamilton
Sr. Software Engineer
Bricsnet
Greater Control for Better Decisions
david.hamilton at bricsnet.com
415.475.4084
http://www.bricsnet.com

Quid quid latine dictum sit,
altum videtur.
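As an added illustration of the point DJH makes (this is example code written for this archive page, not code from the message or from the paper it links), the three lookups below build the same login query in three ways: pasting the request parameter into the SQL text, escaping single quotes first, and binding parameters. The user table is an in-memory SQLite table constructed here for the demonstration; the function names, the usernames and the passwords are made up. A username containing an apostrophe (a perfectly legitimate input such as O'Brien) is enough to show the hole: the concatenated version no longer runs as a valid statement, while both fixes handle it.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demonstration; not real accounts.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    conn.executemany(
        "insert into users values (?, ?)",
        [("alice", "wonderland"), ("bob", "builder")],
    )
    return conn


def login_concat(conn, user, password):
    # The pattern the message warns against: the request parameters are
    # spliced straight into the SQL text, so a quote inside `user` ends
    # the string literal and the rest of the input becomes SQL.
    sql = (
        "select count(*) from users where username = '" + user
        + "' and password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()[0] == 1


def login_escaped(conn, user, password):
    # The fix the message suggests: double every single quote so the value
    # can no longer terminate the literal (standard SQL escaping). It only
    # works if it is applied to every parameter, every time.
    def esc(s):
        return s.replace("'", "''")

    sql = (
        "select count(*) from users where username = '" + esc(user)
        + "' and password = '" + esc(password) + "'"
    )
    return conn.execute(sql).fetchone()[0] == 1


def login_param(conn, user, password):
    # Bound parameters: the driver sends the values separately from the
    # statement text, so no character in the input can change the query.
    sql = "select count(*) from users where username = ? and password = ?"
    return conn.execute(sql, (user, password)).fetchone()[0] == 1


def query_breaks(fn, conn, user, password):
    # True when the lookup raises a database error for this input, i.e.
    # the input altered the statement instead of being treated as data.
    try:
        fn(conn, user, password)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    db = make_db()
    print("param, good creds  :", login_param(db, "alice", "wonderland"))
    print("escaped, O'Brien   :", login_escaped(db, "O'Brien", "x"))
    print("concat, O'Brien    :", query_breaks(login_concat, db, "O'Brien", "x"))
```

The escaped variant is correct for this query, but it depends on remembering to escape every parameter and on the database's quoting rules matching the escape; bound parameters remove both dependencies, which is why they are the usual recommendation over manual escaping.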


