Section 22.3. Avoiding Common Security Pitfalls

There are three common security problems in web applications: buffer overruns, Cross-Site Scripting (XSS) attacks, and SQL injection attacks. Because TurboGears applications are written in Python, your potential exposure to buffer overruns is minimal.

That leaves XSS and SQL injection attacks. XSS is made possible when user input is rendered to HTML without being escaped. Fortunately, Kid automatically escapes everything you insert into your template. As a result, the only time you need to think about XSS attacks is when you use Kid's XML function to bypass that escaping.

In addition, SQLObject automatically escapes any strings you pass into it; so, unless you are constructing SQL by hand, you don't have to worry about SQL injection attacks.

Both SQL injection attacks and XSS attacks are instances of the same underlying problem: user data is executed as code rather than processed as data. The same thing is possible in Python itself, so you want to be very careful when using the exec statement anywhere even remotely near user-entered data.
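The two escaping points above (Kid's automatic HTML escaping versus XML(), and SQLObject's quoting versus hand-built SQL) as an added example; this is not code from the book or from Kid or SQLObject. It uses the standard library's html.escape and sqlite3 parameter binding to stand in for what those libraries do, beside the unescaped string-formatting version, on constructed sample input.

```python
import html
import sqlite3

# Constructed sample inputs, standing in for form data posted to a controller.
HTML_INPUT = "<script>alert(1)</script>"   # markup in a comment field
SQL_INPUT = "x' OR 'a'='a"                  # a quote that closes the SQL literal


def render_comment_unsafe(text: str) -> str:
    # Same effect as wrapping user data in Kid's XML(): markup is emitted as-is,
    # so the browser treats the user's text as code.
    return "<p>%s</p>" % text


def render_comment_safe(text: str) -> str:
    # Same effect as Kid's default: every inserted string is escaped, so the
    # user's text is shown as data and never parsed as markup.
    return "<p>%s</p>" % html.escape(text, quote=True)


def demo_db() -> sqlite3.Connection:
    # In-memory table with two known rows so the query results are predictable.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comment (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO comment (body) VALUES (?)",
                     [("first",), ("second",)])
    return conn


def count_matching_unsafe(conn: sqlite3.Connection, body: str) -> int:
    # SQL built by hand: the user's quote ends the literal and the remainder
    # of the input is executed as part of the WHERE clause.
    sql = "SELECT COUNT(*) FROM comment WHERE body = '%s'" % body
    return conn.execute(sql).fetchone()[0]


def count_matching_safe(conn: sqlite3.Connection, body: str) -> int:
    # Parameter binding: the driver quotes the value, as SQLObject does for the
    # strings you pass it, so the whole input is compared as a single string.
    row = conn.execute("SELECT COUNT(*) FROM comment WHERE body = ?", (body,))
    return row.fetchone()[0]


if __name__ == "__main__":
    print(render_comment_unsafe(HTML_INPUT))   # script tag reaches the browser
    print(render_comment_safe(HTML_INPUT))     # script tag shown as text
    db = demo_db()
    print(count_matching_unsafe(db, SQL_INPUT))  # 2: the condition became SQL
    print(count_matching_safe(db, SQL_INPUT))    # 0: no row has that exact body
```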

Rapid Web Applications with TurboGears: Using Python to Create Ajax-Powered Sites
ISBN: 0132433885
Year: 2006
Pages: 202