[thelist] Securing a Web Application
David J. Hamilton
david.hamilton at bricsnet.com
Thu Oct 20 12:47:30 CDT 2005
Dena,
here's an interesting paper discussing SQL injection (they use user
logon as an example)
http://www.google.com/url?sa=U&start=1&q=http://www.nextgenss.com/papers/advanced_sql_injection.pdf&e=10384
. It's not academic quality, but still worth a read.
In a nutshell, one thing you need to avoid is constructing sql like this
String sql = "select * from users where username = '" + user + "'",
which is a common security hole that allows SQL injection, and is easily
defeated by escaping single quotes in the user request parameter.
-DJH
Dena Marchant wrote:
> I will check out the resources mentioned.
>
> To be a bit more specific, while I want to develop better knowledge of
> overall
> security issues and best practices in this area, I also need to know how to
> correctly
> handle user login.
>
> Is it enough to check username and password against:
> 1. values in a database and using a stored procedure
> 2. values in a file
>
> Is there a better way? On a scale of 1 to 5, level of security needed
> would be 3 or 4.
>
> Thanks again for your help.
>
> ----- Original Message -----
> From: "Ken Moore" <psm2713 at hotmail.com>
> To: <thelist at lists.evolt.org>
> Sent: Tuesday, October 18, 2005 7:58 PM
> Subject: RE: [thelist] Securing a Web Application
>
>
>
>>Hi all,
>>
>>Dena Marchant asked:
>>
>>> where I can go and get up to speed on the issues of securing a web
>>>application on an apache platform.
>>
>>The answers have been hit and miss at best. My answer would be this. If no
>>real harm can be done, go ahead and learn the best you can. If yours or a
>>clients' data/info is involved, get someone who knows how to set up
>>security and learn from them.
>>
>>Ken
>>
>>_________________________________________________________________
>>Don't just search. Find. Check out the new MSN Search!
>>http://search.msn.click-url.com/go/onm00200636ave/direct/01/
>>
>>--
>>
>>* * Please support the community that supports you. * *
>>http://evolt.org/help_support_evolt/
>>
>>For unsubscribe and other options, including the Tip Harvester and
>>archives of thelist go to: http://lists.evolt.org Workers of the Web,
>>evolt !
>
>
--
David J. Hamilton
Sr. Software Engineer
Bricsnet
Greater Control for Better Decisions
david.hamilton at bricsnet.com
415.475.4084
http://www.bricsnet.com
Quid quid latine dictum sit,
altum videtur.
More information about the thelist
mailing list