Re: tips to secure a web application: msg#00051 security.web-applications
: Problems:
:
: 1. The application allows different browsers to call up the same data record but
: doesn't take care of the consequences.
:
: 2. In workstation Y, although the save&close button was clicked but there
: were no changes made, the program should not update the database.
:
: How should we fix these problems? And what are the best practices that the
: developer should have?

Actually this problem is addressed by transactions. If you have never heard of them, you could begin some search on it, just to get the concepts involved. Conceptually, a transaction regroups all processes for modifying 'something' and guarantees that all modifications are done from beginning to end ("commit" process), or cancels a series of modifications to return some sort of data to its original state ("abort" process).

The transaction model is for example what allows you to pay for services or goods on the web with your credit card. Such payments involve many authorities: card number validation, money withdrawal from your bank and account update, money payment to the seller's bank account, website product sales database update, update of your profile on the website and so on. Using a transaction allows you to say: "You will COMMIT everything that I asked you to do and be sure it is correctly done, or in case of any kind of error, ABORT all the actions and restore each involved system to its ORIGINAL state."

Of course, you might use different levels of transactional processing depending on your needs or means. There's a lot to say here so... it would be better to get some reading on that subject.
For your answer, a very basic way of satisfying that requirement is modifying your SQL update statement to act in a 'pessimistic' way:

---basic sql update request---

    UPDATE table SET colx = valx, coly = valy
    WHERE recordReference = recordReferenceVariable

---pessimistic sql update request---

    UPDATE table SET colx = valx, coly = valy
    WHERE recordReference = recordReferenceVariable
      AND colx = oldcolxvalue
      AND coly = oldcolyvalue

By using such a technique, a user can only update fields which weren't changed since the last read access. As I said, get some reading, there are many different techniques you might use.

.Antoine
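The two problems from the question and the conditional UPDATE from the reply, as an added worked example that is not part of the original thread. It uses Python's built-in sqlite3 with a constructed `customer` table (the table, column names and sample values are assumptions for illustration) and walks through both the 'basic' and the 'pessimistic' update: two workstations read the same record, then each saves, and the outcome of each save is returned so the lost update (problem 1) and the no-change save (problem 2) can be observed.

```python
import sqlite3


def make_db():
    """Create an in-memory table with one constructed sample record (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT, phone TEXT)")
    conn.execute("INSERT INTO customer VALUES (1, 'Alice', '555-0100')")
    conn.commit()
    return conn


def read_record(conn, rec_id):
    """What a workstation sees when it opens the record in its browser."""
    row = conn.execute("SELECT name, phone FROM customer WHERE id = ?", (rec_id,)).fetchone()
    return {"name": row[0], "phone": row[1]}


def basic_update(conn, rec_id, name, phone):
    """The 'basic' UPDATE from the post: whoever saves last wins, silently."""
    cur = conn.execute(
        "UPDATE customer SET name = ?, phone = ? WHERE id = ?", (name, phone, rec_id))
    conn.commit()
    return cur.rowcount


def guarded_update(conn, rec_id, old, new):
    """The 'pessimistic' UPDATE from the post: the row is only written if it still holds
    the values this workstation read earlier.

    Returns 'unchanged' when save&close was clicked without edits (problem 2, nothing written),
    'ok' when exactly one row was updated, and 'conflict' when another browser changed the
    record in the meantime so the WHERE clause no longer matches (problem 1, detected)."""
    if new == old:
        return "unchanged"
    cur = conn.execute(
        "UPDATE customer SET name = ?, phone = ? "
        "WHERE id = ? AND name = ? AND phone = ?",
        (new["name"], new["phone"], rec_id, old["name"], old["phone"]))
    conn.commit()
    return "ok" if cur.rowcount == 1 else "conflict"


def lost_update_demo():
    """Both workstations use the basic UPDATE: X's phone change is overwritten by Y."""
    conn = make_db()
    x = read_record(conn, 1)  # workstation X opens the record
    y = read_record(conn, 1)  # workstation Y opens the same record
    basic_update(conn, 1, x["name"], "555-0199")  # X saves a new phone number
    basic_update(conn, 1, "Alicia", y["phone"])   # Y saves a new name, still holding the old phone
    return read_record(conn, 1)                   # phone is back to 555-0100: X's edit is lost


def guarded_demo():
    """Same scenario with the guarded UPDATE: Y's stale save is rejected, X's edit survives."""
    conn = make_db()
    x = read_record(conn, 1)
    y = read_record(conn, 1)
    r_noop = guarded_update(conn, 1, y, dict(y))                     # Y clicks save&close, no edits
    r_x = guarded_update(conn, 1, x, {**x, "phone": "555-0199"})     # X saves a new phone
    r_y = guarded_update(conn, 1, y, {**y, "name": "Alicia"})        # Y saves against stale values
    return r_noop, r_x, r_y, read_record(conn, 1)


if __name__ == "__main__":
    print("basic  :", lost_update_demo())
    print("guarded:", guarded_demo())
```

The application must check `rowcount` after the guarded UPDATE: zero rows affected means the record was changed by someone else since it was read, and the user should be shown the current values instead of having the save silently discarded. Listing every column in the WHERE clause is what the post describes; with many columns the same effect is commonly obtained by comparing a single version or last-modified column that the UPDATE also increments.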