


The amount of work will depend upon how many inputs and outputs you have. SQL injection is best mitigated by using parameterized queries. But static SQL can be made safer using length checking, character white/black lists, proper data typing, using host variables and also a jaundiced eye when it comes to looking at a statement and seeing how variables passed to it could be manipulated for nefarious purposes. Tough to do when you are a solo act and can't have someone take a look and figure out a way to exploit it.

The same applies to XSS and CSRF. Check the inputs and outputs for invalid characters, make sure you have sane length checking and data typing. The web app may have static dropdown lists for selecting values, but that wouldn't prevent someone from changing those values by manipulating the JavaScript, so if there is a range of static values that are coming from a dropdown list (for example), whitelist and check for those values at your end as well.

Late response (started before lunch). Good responses prior to this.....

Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java

On 2/3/2015 10:23 AM, Koester, Michael wrote:
Thanks Pete.
Do you know of any RPG/SQL tricks to trap SQL injection? My embedded SQL uses static SQL statements only (currently), and I'm validating the inputs by testing fields that should be numeric for numerals only, email addresses for permitted characters only (no blanks or back-slashes, etc.) and proper acct@domain structures...
But I do not know anything about CSRF and XSS.
Not being Java/PHP-proficient, I humbly admit to limitations.
Any suggestions would be greatly appreciated.
-- Michael
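Added example (not code from either poster, and not RPG: it is written in Python against SQLite so it runs anywhere) showing the two points above side by side: the same "account number" input pasted into the statement text versus bound as a host variable, and the whitelist checks for a numeric field, an email address and a dropdown value before the value ever reaches SQL. The table, columns, sample rows, regular expressions and the allowed-region list are assumptions made up for the illustration.

```python
import re
import sqlite3

# Constructed sample data for this example; the table and columns are assumptions.
SAMPLE_ROWS = [
    (1001, "alice@example.com", "EAST"),
    (1002, "bob@example.com", "WEST"),
]

# Whitelist of the values the page's static dropdown is supposed to send.
# Assumed for illustration; in real code this mirrors the dropdown's option list.
ALLOWED_REGIONS = frozenset({"EAST", "WEST", "NORTH", "SOUTH"})

# Numeric field: digits only, length bounded (a 10-digit account number is assumed).
ACCT_RE = re.compile(r"^[0-9]{1,10}$")
# Email: no blanks, backslashes or quotes; one '@'; a dotted domain.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def make_db():
    """In-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (acct INTEGER, email TEXT, region TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concat(conn, acct):
    """Vulnerable: the input becomes part of the statement text, so the
    string '1001 OR 1=1' rewrites the WHERE clause and returns every row."""
    sql = "SELECT acct, email FROM customers WHERE acct = " + acct
    return conn.execute(sql).fetchall()


def lookup_param(conn, acct):
    """Safe: static statement with the input bound as a parameter (the
    equivalent of an RPG host variable). The same string is now only a
    value being compared, and it matches no account."""
    sql = "SELECT acct, email FROM customers WHERE acct = ?"
    return conn.execute(sql, (acct,)).fetchall()


def validate_acct(value):
    return bool(ACCT_RE.fullmatch(value))


def validate_email(value):
    return len(value) <= 254 and bool(EMAIL_RE.fullmatch(value))


def validate_region(value):
    # Do not trust the dropdown: the browser can be made to send anything.
    return value in ALLOWED_REGIONS


def find_in_region(conn, acct, region):
    """Whitelist first, then a static parameterised query. Returns the
    matching rows, or raises ValueError so bad input never reaches SQL."""
    if not validate_acct(acct):
        raise ValueError("acct must be 1-10 digits")
    if not validate_region(region):
        raise ValueError("region is not one of the dropdown values")
    sql = "SELECT acct, email FROM customers WHERE acct = ? AND region = ?"
    return conn.execute(sql, (int(acct), region)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_concat(db, "1001 OR 1=1"))   # both rows: the clause was rewritten
    print(lookup_param(db, "1001 OR 1=1"))    # []: bound as a plain value
    print(find_in_region(db, "1001", "EAST"))
    try:
        find_in_region(db, "1001", "EAST' OR '1'='1")
    except ValueError as err:
        print("rejected:", err)
```

The parameterised query alone stops the statement from being rewritten; the validation layer is still worth having, because it rejects oversized or mistyped values before they are used anywhere (including in the HTML you send back, which is where the XSS side of the same discipline applies).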



This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.