[thelist] Securing a Web Application

David J. Hamilton david.hamilton at bricsnet.com
Thu Oct 20 12:47:30 CDT 2005


here's an interesting paper discussing SQL injection (they use user
logon as an example)
.  It's not academic quality, but still worth a read.

In a nutshell, one thing you need to avoid is constructing sql like this
String sql = "select * from users where username = '" + user + "'",
which is a common security hole that allows SQL injection, and is easily
defeated by escaping single quotes in the user request parameter.


Dena Marchant wrote:
> I will check out the resources mentioned.
> To be a bit more specific, while I want to develop better knowledge of 
> overall
> security issues and best practices in this area, I also need to know how to 
> correctly
> handle user login.
> Is it enough to check username and password against:
> 1.  values in a database and using a stored procedure
> 2. values in a file
> Is there a better way?  On a scale of 1 to 5, level of  security needed 
> would be 3 or 4.
> Thanks again for your help.
> ----- Original Message ----- 
> From: "Ken Moore" <psm2713 at hotmail.com>
> To: <thelist at lists.evolt.org>
> Sent: Tuesday, October 18, 2005 7:58 PM
> Subject: RE: [thelist] Securing a Web Application
>>Hi all,
>>Dena Marchant asked:
>>> where I can go and get up to speed on the issues of securing a web
>>>application on an apache platform.
>>The answers have been hit and miss at best. My answer would be this. If no 
>>real harm can be done, go ahead and learn the best you can. If yours or a 
>>clients' data/info is involved, get someone who knows how to set up 
>>security and learn from them.
>>Don't just search. Find. Check out the new MSN Search! 
>>* * Please support the community that supports you.  * *
>>For unsubscribe and other options, including the Tip Harvester and 
>>archives of thelist go to: http://lists.evolt.org Workers of the Web, 
>>evolt ! 


David J. Hamilton
Sr. Software Engineer
Greater Control for Better Decisions
david.hamilton at bricsnet.com

Quid quid latine dictum sit,
altum videtur.

More information about the thelist mailing list