Application Security

Most security holes are caused by poor applications. There are a number of common pitfalls to avoid:

  • Never trust user data. Always verify any data entered by a user.

  • Inserting quotations in a website form is a common cause of breakages. For example, an application takes a username and password and runs a query such as SELECT * FROM passwords WHERE username='$username' AND password='$password'. Poorly designed applications will allow $password to contain something like aaa';DELETE FROM passwords;. MySQL parsing the query thinks the single quote after the three a's is the end of the query and then happily performs the next query. Most languages have simple functions to avoid this, escaping any quotations in the string, such as mysql_real_escape_string() in C or addslashes() in PHP.

  • Check the size of the data. A complex calculation may work well with a single digit number, but a 250-digit number passed by a user may cause the application to crash.

  • Remove any special characters from strings passed to MySQL.

  • Use quotes around numbers as well as strings.
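The following is an added example, not code from the book, showing the injection described above side by side with a hardened version. It uses Python's built-in sqlite3 module as a stand-in for MySQL so it runs offline; the table name and sample rows are constructed, and the injected password is exactly the value the text describes. The fix shown is a parameterised query, which keeps user data out of the SQL text entirely rather than escaping quotes with a function such as addslashes(); the length check implements the "check the size of the data" point from the list.

```python
import sqlite3

# Constructed stand-in for the book's `passwords` table. sqlite3 is used so the
# example runs offline; the string-splicing mistake and the parameterised fix
# look the same against MySQL.
SAMPLE_ROWS = [("alice", "s3cret"), ("bob", "hunter2")]

# The value the text describes being supplied as $password.
INJECTED_PASSWORD = "aaa';DELETE FROM passwords;"

# Assumed field limit for the size check; a real schema would define it.
MAX_FIELD_LEN = 64


def fresh_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE passwords (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO passwords VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def row_count(conn):
    """Number of rows left in the passwords table."""
    return conn.execute("SELECT COUNT(*) FROM passwords").fetchone()[0]


def build_query_unsafely(username, password):
    """The query as the text shows it: user data spliced into the SQL string."""
    return (f"SELECT * FROM passwords WHERE username='{username}' "
            f"AND password='{password}'")


def login_unsafe(conn, username, password):
    """Vulnerable login. executescript() runs every ';'-separated statement in
    the string, so the DELETE smuggled in through the password runs as well.
    The stray closing quote left after the injected ';' is a syntax error, but
    it is raised only after the DELETE has already executed, so it is caught
    here to let the demo continue."""
    try:
        conn.executescript(build_query_unsafely(username, password))
    except sqlite3.Error:
        pass


def check_length(value, max_len=MAX_FIELD_LEN):
    """Size check from the text: reject input longer than the field allows
    before it reaches any calculation or query."""
    if len(value) > max_len:
        raise ValueError(f"input longer than {max_len} characters")
    return value


def login_safe(conn, username, password):
    """Hardened login. The driver sends the values separately from the SQL
    text, so quotes and semicolons in user data are never parsed as SQL.
    Returns the matching row or None."""
    check_length(username)
    check_length(password)
    return conn.execute(
        "SELECT username FROM passwords WHERE username=? AND password=?",
        (username, password),
    ).fetchone()


def demo():
    """Run both logins with the injected password; return the table sizes."""
    conn = fresh_db()
    login_unsafe(conn, "alice", INJECTED_PASSWORD)
    after_unsafe = row_count(conn)   # 0: the whole table was deleted

    conn = fresh_db()
    login_safe(conn, "alice", INJECTED_PASSWORD)
    after_safe = row_count(conn)     # 2: the payload was just a wrong password
    return after_unsafe, after_safe


if __name__ == "__main__":
    print(demo())
```

Running the block prints `(0, 2)`: the spliced query loses every row, while the parameterised query treats the payload as an ordinary (wrong) password and leaves the table intact.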



Mastering MySQL 4
ISBN: 0782141625
Year: 2003
Pages: 230
Authors: Ian Gilfillan
