WebApp Sec mailing list archives
Re: tips to secure a web application
From: ".Saphyr" <saphyr () infomaniak ch>
Date: Fri, 20 Feb 2004 03:36:00 +0100
> Hi Matthieu,
>
> I haven't looked at your tutorial yet but will do later. Do you have something for Java? We don't use SQL server, we use JDBC. Does it mean that we have fewer risks?
>
> Thanks,
> Annie
Hi there,

You do not have fewer risks by using jdbc support for database communication. SQL injection flaws are related to an upper layer: the sql language, as jdbc only gives you a wrapper to access many database providers (sql 2000, oracle, odbc, ...). You can however mitigate the sql/command injection flaws a lot by using the prepared statements classes (precompiled sql requests on which only parameters are added at runtime) with jdbc. For more information, just google 'java prepared statements'.

If you have questions related to secure java web development (methods and best practices), I'd be very interested if you'd send them to me. I am currently writing a manual* addressing security issues in web oriented development, specifically for developers. I wrote most of the examples in php and asp but if there's a jsp demand, I'd add it...

.antoine

*: Web applications security: the developers handbook (should be released by end of march, freely)
Current thread:
- tips to secure a web application ermelir (Feb 18)
- <Possible follow-ups>
- RE: tips to secure a web application Leung, Annie LDB:EX (Feb 19)
- Re: tips to secure a web application ermelir (Feb 19)
- Re: tips to secure a web application .Saphyr (Feb 19)
- RE: tips to secure a web application Lars Troen (Feb 19)
- Re: tips to secure a web application Martin Tsachev (Feb 20)
- RE: tips to secure a web application Andy Gordon (Feb 20)
- Re: tips to secure a web application .Saphyr (Feb 20)
- Re: tips to secure a web application .Saphyr (Feb 22)