WebApp Sec mailing list archives
Re: tips to secure a web application
From: ".Saphyr" <saphyr () infomaniak ch>
Date: Sun, 22 Feb 2004 19:41:46 +0100
: Problems:
:
: 1. The application allows different browsers to call up the same data record but
: doesn't take care of the consequences.
:
: 2. In workstation Y, although the save&close button was clicked, there
: were no changes made, so the program should not update the database.
:
: How should we fix these problems? And what are the best practices that the
: developer should have?

Actually this problem is addressed by transactions. If you have never heard of them, you could begin some search on them, just to get the concepts involved.

Conceptually, a transaction groups all processes for modifying 'something' and guarantees that either all modifications are done from beginning to end ("commit" process), or a series of modifications is cancelled to return some sort of data to its original state ("abort" process).

The transaction model is, for example, what allows you to pay for services or goods on the web through your credit card. Such payments involve many authorities: card number validation, money withdrawal from your bank and account update, money payment into the seller's bank account, website product sales database update, update of your profile on the website and so on. Using a transaction allows you to say: "You will COMMIT everything that I asked you to do and be sure it is correctly done, or, in case of any kind of error, ABORT all the actions and restore each involved system to its ORIGINAL state."

Of course, you might use different levels of transactional processing depending on your needs or means. There's a lot to say here, so it would be better to get some reading on that subject.

For your answer, a very basic way of satisfying that requirement is modifying your SQL update statement to act in a 'pessimistic' manner:

---basic sql update request---

    UPDATE table SET colx = valx, coly = valy
    WHERE recordReference = recordReferenceVariable

---pessimistic sql update request---

    UPDATE table SET colx = valx, coly = valy
    WHERE recordReference = recordReferenceVariable
      AND colx = oldcolxvalue
      AND coly = oldcolyvalue

By using such a technique, a user can only update fields which weren't changed since the last read access. As I said, get some reading, there are many different techniques you might use.

.Antoine
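The 'pessimistic' UPDATE from the reply, worked through for the two-browser scenario in the question, as an added example (Python with sqlite3; not code from the original post). The table, its columns and the way the record reference is passed are constructed for the example; the point is that a stale save matches zero rows, which the caller detects through rowcount, and that a save with no edits never reaches the database.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the post's 'table' with colx/coly."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE records (ref INTEGER PRIMARY KEY, colx TEXT, coly TEXT)")
    con.execute("INSERT INTO records VALUES (1, 'a', 'b')")
    con.commit()
    return con


def read_record(con, ref):
    """Snapshot a record; the caller keeps it as the 'old' values for its later save."""
    row = con.execute("SELECT colx, coly FROM records WHERE ref = ?", (ref,)).fetchone()
    return {"colx": row[0], "coly": row[1]}


def save_record(con, ref, old, new):
    """Conditional update: the WHERE clause carries the values as originally read,
    so the row only changes if nobody else changed it in the meantime.
    Returns 'unchanged' (nothing to write), 'saved', or 'conflict' (stale snapshot)."""
    if new == old:
        return "unchanged"  # save&close with no edits: do not touch the database
    cur = con.execute(
        "UPDATE records SET colx = ?, coly = ? "
        "WHERE ref = ? AND colx = ? AND coly = ?",
        (new["colx"], new["coly"], ref, old["colx"], old["coly"]),
    )
    con.commit()
    # rowcount 0 means the old values no longer match: someone saved first,
    # so the caller must re-read and redo its edits instead of overwriting.
    return "saved" if cur.rowcount == 1 else "conflict"


def demo():
    con = make_db()
    x_snapshot = read_record(con, 1)  # browser X opens the record
    y_snapshot = read_record(con, 1)  # browser Y opens the same record
    r_y = save_record(con, 1, y_snapshot, dict(y_snapshot))  # Y: save&close, no edits
    r_x = save_record(con, 1, x_snapshot, {"colx": "a2", "coly": "b"})  # X edits, saves
    r_y2 = save_record(con, 1, y_snapshot, {"colx": "a", "coly": "b2"})  # Y's stale save
    return r_y, r_x, r_y2, read_record(con, 1)


if __name__ == "__main__":
    print(demo())
```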
Current thread:
- tips to secure a web application ermelir (Feb 18)
- <Possible follow-ups>
- RE: tips to secure a web application Leung, Annie LDB:EX (Feb 19)
- Re: tips to secure a web application ermelir (Feb 19)
- Re: tips to secure a web application .Saphyr (Feb 19)
- RE: tips to secure a web application Lars Troen (Feb 19)
- Re: tips to secure a web application Martin Tsachev (Feb 20)
- RE: tips to secure a web application Andy Gordon (Feb 20)
- Re: tips to secure a web application .Saphyr (Feb 20)
- Re: tips to secure a web application .Saphyr (Feb 22)