Coding secure applications.

ToddK
Just Arrived

Joined: 29 Nov 2002
Posts: 0
Location: Ottawa, Canada

Posted: Fri Nov 29, 2002 3:33 pm    Post subject: Coding secure applications.

Okay, I'm a programmer who creates web applications. I'm looking for some info on how to make these apps secure. Any links or ideas?
ShaolinTiger
Forum Fanatic

Joined: 18 Apr 2002
Posts: 16777215
Location: Kuala Lumpur, Malaysia

Posted: Fri Nov 29, 2002 4:26 pm

http://www.security-forums.com/forum/viewtopic.php?t=602 is a great start, obviously it's aimed at ASP but it carries a lot of general rules for web development.

The biggest thing to watch out for is XSS, cross site scripting vulnerabilities.

If you have any more technical questions feel free to ask, the majority of people here are more on the network side of security though.

There is an application for testing code security (buffer overflows etc) but its name slips my mind, I think there is a post on here regarding it if you have a search.
Jason
Forum Fanatic

Joined: 19 Sep 2002
Posts: 16777215

Posted: Fri Nov 29, 2002 6:03 pm

Hello ToddK!

The most important stuff is input checking. Never assume that providing a user with an input box with maxchars set at 20 will mean that more than 20 characters could not be entered.

Eg, a malicious user could construct their own form on a local machine, but submit it to your form's "action" field, with bad data.

Whenever you are going to be displaying a user's entry on other users' screens, ie, a public comments area, make sure you turn the < and > into &lt; and &gt; respectively.

Another example is drop down boxes. You provide a set of options, but don't assume those options will be passed back to your script. CF users can do the following:

<!--- Accept only the values the drop-down actually offered; anything else did not come from our form --->
<cfif (form.example NEQ "option1") and (form.example NEQ "option2")>
    error message
<cfelse>
    do actions with data
</cfif>

Sorry, I don't know PHP, but you should get the idea.

J


Last edited by Jason on Fri Nov 29, 2002 7:50 pm; edited 1 time in total
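The server-side checks Jason describes (re-validating the drop-down value against the options we offered, enforcing the length limit the form only advertises, and escaping < and > before echoing a comment to other users), as an added Python example that is not part of the original thread. The option names, the 20-character limit and the submitted form dict are constructed for the demo; html.escape also converts & and quotes, which goes slightly beyond what the post lists.

```python
import html

# Constructed for this example: the only values our <select> renders,
# and the same limit the input's maxlength attribute advertises.
ALLOWED_OPTIONS = {"option1", "option2"}
MAX_COMMENT_LEN = 20


def validate_option(value):
    """Accept the drop-down value only if we actually offered it.
    A hand-built form can POST anything to our action URL, so the
    browser-side option list proves nothing."""
    if value in ALLOWED_OPTIONS:
        return value
    raise ValueError("invalid selection: %r" % (value,))


def validate_comment(text):
    """Re-apply the length limit on the server; maxlength is only a hint."""
    if len(text) > MAX_COMMENT_LEN:
        raise ValueError("comment longer than %d characters" % MAX_COMMENT_LEN)
    return text


def escape_for_display(text):
    """Turn <, >, & and quotes into entities before the text is shown
    on other users' screens, so markup in a comment renders as text."""
    return html.escape(text, quote=True)


def handle_post(form):
    """Process a submitted form (a dict of field -> value).
    Returns ("ok", safe_fields) or ("error", message)."""
    try:
        option = validate_option(form.get("example", ""))
        comment = validate_comment(form.get("comment", ""))
    except ValueError as err:
        return ("error", str(err))
    return ("ok", {"example": option, "comment": escape_for_display(comment)})
```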
ToddK
Just Arrived

Joined: 29 Nov 2002
Posts: 0
Location: Ottawa, Canada

Posted: Fri Nov 29, 2002 6:07 pm

Thanks Jason.

I use Stored Procedures for everything. I think that this will keep me safe from SQL Injector attacks. Does anyone know for sure?
ShaolinTiger
Forum Fanatic

Joined: 18 Apr 2002
Posts: 16777215
Location: Kuala Lumpur, Malaysia

Posted: Fri Nov 29, 2002 6:12 pm

I can't see how using a stored procedure over a view or anything else keeps you any safer?

It's generally just faster and more efficient, stored procedures don't intrinsically provide any protection against SQL injection.

Please correct me if I'm wrong, I'm no DBA.
ToddK
Just Arrived

Joined: 29 Nov 2002
Posts: 0
Location: Ottawa, Canada

Posted: Sat Nov 30, 2002 2:21 am

Actually, when you call a stored procedure you have to use parameters instead of just straight text. Parameters will not allow apostrophes and hyphens to cause the SQL Injector attacks.

At least that's what I've heard. I've never really tested it.
AverageJoeUser
Just Arrived

Joined: 18 Dec 2002
Posts: 0
Location: US

Posted: Wed Dec 18, 2002 9:25 pm

Hmmm...I would say that regardless of stored procedure use or not, you should always screen for invalid meta-characters or use the ADODB.Command.Parameter.Append as best practice...in addition to securing your base DB build and limiting user privileges, of course.

-AJ
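To make concrete the point the last few posts circle around, an added Python/sqlite3 example that is not from the thread: the same user lookup written by pasting the submitted text into the SQL string and written with a bound parameter (the equivalent of appending a Command parameter in ADO), run against a constructed in-memory table. What protects against an apostrophe changing the statement is the parameter binding, not the fact that a stored procedure is on the other end.

```python
import sqlite3


def make_db():
    """Constructed sample data for the demo, not from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("O'Brien", "member"), ("bob", "member")],
    )
    return conn


def find_user_concat(conn, name):
    """Unsafe pattern: the user's text becomes part of the SQL grammar.
    A name with an apostrophe already breaks the statement, which is the
    same mechanism an attacker exploits with crafted input."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_param(conn, name):
    """Safe pattern: the statement is fixed and the value is bound
    separately, so quotes and other meta-characters stay plain data."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def outcome(lookup, name):
    """Run a lookup on a fresh database and report ("ok", rows) or
    ("sql_error", message), so the two patterns can be compared."""
    conn = make_db()
    try:
        return ("ok", lookup(conn, name))
    except sqlite3.OperationalError as err:
        return ("sql_error", str(err))
    finally:
        conn.close()
```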