Section 22.3. Avoiding Common Security Pitfalls


22.3. Avoiding Common Security Pitfalls

There are three common security problems in web applications: buffer overruns, Cross-Site Scripting (XSS) attacks, and SQL injection attacks. Because TurboGears applications are written in Python, your potential exposure to buffer overuns is minimal.

That leaves XSS and SQL injection attacks. XSS is made possible when user input is rendered to HTML without being escaped. Fortunately Kid escapes everything you insert into your template for you automatically. As a result, the only time you need to think about XSS attacks is when you are using Kid's XML function to bypass escaping.

In addition, SQLObject automatically escapes any strings you pass into it; so, unless you are constructing SQL by hand, you don't have to worry about SQL injection attacks.

Both SQL injection attacks and XSS attacks are subclasses of the same problem. User data is executed rather than processed as data. It's possible to do this in Python too; you want to be very careful when using the exec statement anywhere even remotely near user-entered data.




Rapid Web Applications with TurboGears(c) Using Python to Create Ajax-Powered Sites
Rapid Web Applications with TurboGears: Using Python to Create Ajax-Powered Sites
ISBN: 0132433885
EAN: 2147483647
Year: 2006
Pages: 202

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net