ToddK Just Arrived
Joined: 29 Nov 2002 Posts: 0 Location: Ottawa, Canada
Posted: Fri Nov 29, 2002 3:33 pm Post subject: Coding secure applications.
Okay, I'm a programmer who creates web applications. I'm looking for some info on how to make these apps secure. Any links or ideas?
ShaolinTiger Forum Fanatic
Joined: 18 Apr 2002 Posts: 16777215 Location: Kuala Lumpur, Malaysia
Posted: Fri Nov 29, 2002 4:26 pm Post subject:
http://www.security-forums.com/forum/viewtopic.php?t=602 is a great start; obviously it's aimed at ASP, but it carries a lot of general rules for web development.
The biggest thing to watch out for is XSS, cross-site scripting vulnerabilities.
If you have any more technical questions feel free to ask; the majority of people here are more on the network side of security, though.
There is an application for testing code security (buffer overflows etc.) but its name slips my mind. I think there is a post on here regarding it if you have a search.
Jason Forum Fanatic
Joined: 19 Sep 2002 Posts: 16777215
Posted: Fri Nov 29, 2002 6:03 pm Post subject:
Hello Toddk!
The most important stuff is input checking. Never assume that providing a user with an input box with maxchars set at 20 will mean that more than 20 characters could not be entered.
E.g., a malicious user could construct their own form on a local machine, but submit it to your form's "action" field, with bad data.
Whenever you are going to be displaying a user's entry on other users' screens, i.e., a public comments area, make sure you turn the < and > into &lt; and &gt; respectively.
Another example is drop-down boxes. You provide a set of options, but don't assume those options will be passed back to your script. CF users can do the following:

    <!--- Give form.example a default so the check below cannot throw when the field is missing --->
    <cfparam name="form.example" default="">
    <!--- Only the values the drop-down offered are accepted; anything else is an error --->
    <cfif (form.example NEQ "option1") AND (form.example NEQ "option2")>
        error message
    <cfelse>
        do actions with data
    </cfif>

Sorry, I don't know PHP, but you should get the idea.
J
Last edited by Jason on Fri Nov 29, 2002 7:50 pm; edited 1 time in total
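The two checks Jason describes (server-side allowlisting of a drop-down value and re-checking a length the form only pretends to enforce) plus the output encoding ShaolinTiger's XSS warning calls for, as an added example that is not part of any post in this thread. It is written in Python rather than ColdFusion as a stand-in for whatever server language the application uses; the field names `example` and `comment`, the option list and the 20-character limit are assumptions taken from the posts above, and `handle_comment_form` is a hypothetical handler.

```python
import html

# Assumed allowlist for the drop-down; anything else is rejected server-side.
ALLOWED_EXAMPLE_OPTIONS = frozenset({"option1", "option2"})
# The maxlength the HTML form advertises. A hand-built form ignores it, so re-check here.
MAX_COMMENT_LEN = 20


def validate_choice(value, allowed=ALLOWED_EXAMPLE_OPTIONS):
    """Accept the drop-down value only if it is one of the options we offered."""
    if not isinstance(value, str) or value not in allowed:
        raise ValueError("unexpected option value: %r" % (value,))
    return value


def validate_comment(value, max_len=MAX_COMMENT_LEN):
    """Re-check the length the form claimed to enforce."""
    if not isinstance(value, str):
        raise ValueError("comment must be a string")
    if len(value) > max_len:
        raise ValueError("comment longer than %d characters" % max_len)
    return value


def escape_for_html(text):
    """Encode < > & " ' so user text is displayed, never interpreted as markup."""
    return html.escape(text, quote=True)


def handle_comment_form(form):
    """Process a submitted form (a dict of field name -> value) and return (ok, payload).

    On success payload holds the validated option and the HTML-safe comment.
    On failure payload is a list of error messages; they are escaped too, because
    the rejected input is quoted inside them and will be rendered back to a browser.
    """
    errors = []
    option = comment = None
    try:
        option = validate_choice(form.get("example"))
    except ValueError as e:
        errors.append(str(e))
    try:
        comment = validate_comment(form.get("comment", ""))
    except ValueError as e:
        errors.append(str(e))
    if errors:
        return False, [escape_for_html(e) for e in errors]
    return True, {"example": option, "comment_html": escape_for_html(comment)}


if __name__ == "__main__":
    # Constructed submissions: one honest, one forged with an off-list option and an oversized comment.
    print(handle_comment_form({"example": "option1", "comment": "<b>hi</b>"}))
    print(handle_comment_form({"example": "<option3>", "comment": "x" * 21}))
```

The allowlist is the point: checking that the value is one of the options offered is simpler and safer than trying to enumerate bad characters, and escaping happens at output time on every string that reaches the page, error messages included.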
ToddK Just Arrived
Joined: 29 Nov 2002 Posts: 0 Location: Ottawa, Canada
Posted: Fri Nov 29, 2002 6:07 pm Post subject:
Thanks Jason.
I use Stored Procedures for everything. I think that this will keep me safe from SQL Injector attacks. Does anyone know for sure?
ShaolinTiger Forum Fanatic
Joined: 18 Apr 2002 Posts: 16777215 Location: Kuala Lumpur, Malaysia
Posted: Fri Nov 29, 2002 6:12 pm Post subject:
I can't see how using a stored procedure over a view or anything else keeps you any safer?
It's generally just faster and more efficient, stored procedures don't intrinsically provide any protection against SQL injection.
Please correct me if I'm wrong; I'm no DBA.
ToddK Just Arrived
Joined: 29 Nov 2002 Posts: 0 Location: Ottawa, Canada
Posted: Sat Nov 30, 2002 2:21 am Post subject:
Actually, when you call a stored procedure you have to use parameters instead of just straight text. Parameters will not allow apostrophes and hyphens to cause the SQL Injector attacks.
At least that's what I've heard. I've never really tested it.
AverageJoeUser Just Arrived
Joined: 18 Dec 2002 Posts: 0 Location: US
Posted: Wed Dec 18, 2002 9:25 pm Post subject:
Hmmm...I would say that regardless of stored procedure use or not, you should always screen for invalid meta-characters or use the ADODB.Command.Parameter.Append as best practice...in addition to securing your base DB build and limiting user privileges, of course.
-AJ
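The stored-procedure question above (ToddK, ShaolinTiger, AverageJoeUser) turns on one distinction: whether the user's value is spliced into the SQL text or passed as a bound parameter. The following is an added example, not code from any post in the thread, using Python's standard `sqlite3` module in place of ADO and SQL Server so it runs offline. The `users` table and its three rows are constructed sample data. Note that a stored procedure which builds dynamic SQL internally from its arguments behaves like `login_concat` below, so "it's a stored procedure" alone is not the safety property; "the values are bound as parameters, end to end" is.

```python
import sqlite3

# Constructed sample data; the third name carries a legitimate apostrophe.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("o'brien", "irish")]


def make_db():
    """Build an in-memory table so the example runs without a real server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn, name, password):
    """Vulnerable: the caller's strings become part of the SQL text.

    An apostrophe in the input ends the literal early, so the rest of the
    input is parsed as SQL. Wrapping this in a stored procedure that does
    EXEC on a concatenated string changes nothing about that.
    """
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s' "
           "ORDER BY name" % (name, password))
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, name, password):
    """Safe: the SQL text is fixed; the values travel separately as bound parameters.

    This is the equivalent of calling a procedure through a parameterised
    command object rather than building the call string by hand.
    """
    sql = "SELECT name FROM users WHERE name = ? AND password = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name, password))]


def demo():
    """Run the same inputs through both paths and return what each one answers."""
    conn = make_db()
    payload = "' OR '1'='1"  # classic apostrophe-based injection in the password field
    results = {
        "concat_injected": login_concat(conn, "anyone", payload),
        "param_injected": login_param(conn, "anyone", payload),
        "param_legit": login_param(conn, "alice", "s3cret"),
        "param_apostrophe": login_param(conn, "o'brien", "irish"),
    }
    # The concatenating version cannot even handle a real apostrophe in the data.
    try:
        login_concat(conn, "o'brien", "irish")
        results["concat_apostrophe"] = "ran"
    except sqlite3.OperationalError:
        results["concat_apostrophe"] = "syntax error"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-18s %r" % (key, value))
```

`concat_injected` returns every user because the injected `OR '1'='1'` is parsed as part of the WHERE clause; `param_injected` returns nothing because the whole payload is compared as a password string. The apostrophe case shows the other half of the argument: parameters also make escaping unnecessary for honest data that happens to contain quotes. Limiting the database account's privileges, as AverageJoeUser says, is the second layer for when some query path still gets this wrong.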