Posted by "bruce" on 09/21/05 17:06
hi..
i've been searching/researching the areas of security regarding url input,
form input, as well as database input (mysql). while there are plenty of
articles that touch on the topic, i'm looking for a given site/package/lib
(open source) that is pretty much the standard that i could use for my
website/app...
basically, i don't want to recreate the wheel, if there is already a
serious/good solution to this area. given the importance of this area, i'm
assuming that there is a lib/package that already exists to handle these
issues.
i've looked through google, as well as various open source web apps to see
how some of this is handled, and it appears the level of sophistication for
handling this is all over the place!!
i want to stress, i'm looking for the package/lib that's strong enough/valid
enough to be used in a serious commercial app.. a lot of what i've
seen/suggestions on various sites aren't complete/strong..
(this stuff has got to be around/available, i mean google/ebay/1000's of
sites are up/running without having issues!!!)
URL Issues/Thoughts...
-Should Handle basic regex filtering of POST/GET/REQUEST Querystring data
-Filtering of basic mysql commands/functions/characters
(Insert/Drop/etc...)
Query Array Thoughts/Issues
-Should filter the arrays (GET/POST/REQUEST)
-Filtering of basic mysql commands/functions/characters
(Insert/Drop/etc...)
-Check for datatype
-Set Datatype
-Log all errors/issues
Mysql DB Issues
-Parsing/inspection of all data prior to insertion in sql_query_string
-Use of 'datatype' arg in the query to ensure that the correct datatype val
is used in the sql_string
-Regex comparison of the vals prior to use in the sql_string
-Proper usage of slashes/quotations around variables/sql_strings
-Logging of all db interactions
any other things that should be handled
(yeah.. i know, i haven't even gotten into the issue of having separate
db/app servers, and security of the overall hardware/app environment...)
-thanks
-bruce
bedouglas@earthlink.net
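
An added example, not part of the original post and not taken from any particular library: one way to cover the checklist items above (datatype check and set, regex comparison, logging, quoting left to the driver) in a single place. It assumes Python with the standard-library sqlite3 module standing in for MySQL; the names RULES, validate and add_user and the sample requests are hypothetical.

```python
import logging
import re
import sqlite3

log = logging.getLogger("input_audit")

# Hypothetical per-field rules: (target type, allow-list regex on the raw string).
RULES = {
    "user_id": (int, re.compile(r"[0-9]{1,9}")),
    "name": (str, re.compile(r"[A-Za-z][A-Za-z' -]{0,49}")),
}

def validate(params):
    """Return typed values for the known fields; raise ValueError otherwise."""
    unknown = set(params) - set(RULES)
    if unknown:
        log.warning("rejected unknown fields: %r", sorted(unknown))
        raise ValueError("unexpected field")
    clean = {}
    for field, (cast, pattern) in RULES.items():
        raw = params.get(field)
        # Check the datatype and the pattern before the value goes anywhere.
        if not isinstance(raw, str) or not pattern.fullmatch(raw):
            log.warning("rejected %s=%r", field, raw)
            raise ValueError(f"invalid {field}")
        clean[field] = cast(raw)  # set the datatype
    return clean

def add_user(db, params):
    """Validate, then insert with bound parameters so the driver does the quoting."""
    clean = validate(params)
    db.execute("INSERT INTO users (id, name) VALUES (:user_id, :name)", clean)
    log.info("inserted user id=%d", clean["user_id"])
    return clean

def demo():
    db = sqlite3.connect(":memory:")  # assumption: sqlite3 in place of MySQL
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    results = []
    # Constructed sample requests, as a query string or form would deliver them.
    for req in ({"user_id": "7", "name": "O'Brien"},
                {"user_id": "7; DROP TABLE users", "name": "x"},
                {"user_id": "8", "name": "Robert'); DROP TABLE users;--"}):
        try:
            add_user(db, req)
            results.append("ok")
        except ValueError:
            results.append("rejected")
    return results, db.execute("SELECT id, name FROM users").fetchall()
```

The apostrophe in the first request is stored unchanged without any manual slashes, because the value is bound as a parameter and never concatenated into the SQL string.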