WebApp Sec mailing list archives

Re: tips to secure a web application


From: ".Saphyr" <saphyr () infomaniak ch>
Date: Fri, 20 Feb 2004 03:36:00 +0100

Hi Matthieu,
I haven't looked at your tutorial yet but will do later. Do you have
something for Java? We don't use SQL server, we use JDBC. Does it mean that
we have fewer risks?
Thanks,
Annie


Hi there, 

You do not have fewer risks by using jdbc support for database 
communication. SQL injection flaws are related to an upper layer: 
the sql language, as jdbc only gives you a wrapper to access
many database providers (sql 2000, oracle, odbc, ...). 

You can however mitigate the sql/command injection flaws a lot
by using the prepared statement classes (precompiled sql requests
on which only parameters are added at runtime) with jdbc.

For more information, just google 'java prepared statements'.

If you have questions related to secure java web development (methods
and best practices), I'd be very interested if you'd send them to me.

I am currently writing a manual* addressing security issues in web oriented
development, specifically for developers. I wrote most of the examples in
php and asp but if there's a jsp demand, I'd add it...


.antoine

*: Web applications security: the developers handbook 
(should be released by end of march, freely)
