WebApp Sec mailing list archives

Re: tips to secure a web application


From: ".Saphyr" <saphyr () infomaniak ch>
Date: Sun, 22 Feb 2004 19:41:46 +0100

: Problems:
:
: 1. The application allows different browsers to call up same data record but
: doesn't take care of the consequences.
:
: 2. In workstation Y, although the save&close button was clicked but there
: was no changes made, the program should not update the database.
:
: How should we fix these problems? And what are the best practices that the
: developer should have?


Actually this problem is addressed by transactions. If you have never heard of them,
you could begin with some reading on them, just to get the concepts involved.
Conceptually, a transaction groups all the processes that modify 'something'
and guarantees either that all modifications were done from beginning to end
("commit" process), or that the series of modifications is cancelled and the
data is returned to its original state ("abort" process).

The transaction model is, for example, what allows you to pay for
services or goods on the web with your credit card. Such payments
involve many authorities: card number validation, money withdrawal from
your bank and account update, money payment into the seller's bank
account, the website's sales database update, update of your profile
on the website and so on. Using a transaction allows you to say:

"You will COMMIT everything that I asked you to do and be sure it is
correctly done, or in case of any kind of error, ABORT all the actions
and restore each involved system to its ORIGINAL state."

Of course, you might use different levels of transactional processing
depending on your needs or means.

There's a lot to say here, so it would be better to get some reading on that
subject.

For your answer, a very basic way of satisfying that requirement is modifying
your SQL update statement to act in a 'pessimistic' way:

---basic sql update request---
-- Overwrites the record unconditionally, whatever another user may
-- have written since this user last read it.
UPDATE table
SET colx = valx, coly = valy
WHERE recordReference = recordReferenceVariable;

---pessimistic sql update request---
-- Only matches (and so only updates) the record if the columns still
-- hold the values this user read; 0 rows affected means someone else
-- changed the record in the meantime.
UPDATE table
SET colx = valx, coly = valy
WHERE recordReference = recordReferenceVariable
     AND colx = oldcolxvalue
     AND coly = oldcolyvalue;

By using such a technique, a user can only update fields which weren't changed
since the last read access.

As I said, get some reading, there are many different techniques you might
use.


.Antoine

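As an added illustration (not part of the original post), the conditional update above, commonly called optimistic concurrency control, run against an in-memory SQLite table with a constructed sample record: two workstations read the same row, the one that changed nothing writes nothing (the second problem in the question), the first real edit succeeds, and the second edit, made from a stale snapshot, is detected because the UPDATE matches zero rows. Table and column names are assumptions made for the example.

```python
import sqlite3


def setup_db():
    """Constructed sample data: one record in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, colx TEXT, coly TEXT)")
    conn.execute("INSERT INTO records VALUES (1, 'a', 'b')")
    conn.commit()
    return conn


def read_record(conn, record_id):
    """What a workstation sees when it opens the record; kept as the snapshot."""
    row = conn.execute("SELECT colx, coly FROM records WHERE id = ?", (record_id,)).fetchone()
    return {"colx": row[0], "coly": row[1]}


def save_and_close(conn, record_id, snapshot, new_values):
    """Conditional update: the WHERE clause repeats the values read earlier.

    Returns 'unchanged' (nothing to write), 'saved' (exactly one row matched)
    or 'conflict' (zero rows matched: the record changed since it was read).
    """
    if new_values == snapshot:
        return "unchanged"  # save&close with no edits must not touch the database
    cur = conn.execute(
        "UPDATE records SET colx = ?, coly = ? "
        "WHERE id = ? AND colx = ? AND coly = ?",
        (new_values["colx"], new_values["coly"],
         record_id, snapshot["colx"], snapshot["coly"]),
    )
    conn.commit()
    # rowcount is the number of rows the UPDATE actually modified
    return "saved" if cur.rowcount == 1 else "conflict"


def demo():
    conn = setup_db()
    x_view = read_record(conn, 1)  # workstation X opens the record
    y_view = read_record(conn, 1)  # workstation Y opens the same record
    r_y = save_and_close(conn, 1, y_view, dict(y_view))                 # Y: no edits
    r_x = save_and_close(conn, 1, x_view, {"colx": "a2", "coly": "b"})  # X: edits
    r_y2 = save_and_close(conn, 1, y_view, {"colx": "a", "coly": "b3"})  # Y: stale
    return r_y, r_x, r_y2, read_record(conn, 1)
```

Comparing every column this way breaks down for NULL values (NULL = NULL is not true in SQL), which is why a version or timestamp column checked in the WHERE clause is the usual variant of the same idea.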
