Hibernate can use parameterised statements out of the box and handles the encoding of values to stop SQL injection. You can use names like :orgId in an SQL statement and set the value either with a set statement or by setting an object containing a getOrgId method, and Hibernate will call it for you.
----------------------------------------
> From: [email protected]
> Date: Mon, 22 Mar 2010 15:59:37 -0600
> Subject: Re: About bank application using Struts 2
> To: [email protected]
>
> Thanks for the tips Wes, unfortunately we can't use Spring because of the time,
> but I am going to read about SSL in Struts and the security in the server
> (Glassfish in my case).
>
> For Martin, doesn't Hibernate handle parameterized statements by default?
>
> 2010/3/22 Martin Gainty
>
>> Implementing parameterised dynamic statements is of particular interest to
>> me..
>>
>> Does anyone know how I can achieve parameterised dynamic statements with
>> Hibernate??
>>
>> Many thanks to Wes for the advice on hardening Tomcat
>> Martin Gainty
>> ______________________________________________
>> Please do not modify or disrupt this transmission. Thank You
>>
>>> Date: Mon, 22 Mar 2010 17:01:22 -0400
>>> Subject: Re: About bank application using Struts 2
>>> From: [email protected]
>>> To: [email protected]
>>>
>>> There are quite a few good books about general security practices for
>>> software development...
>>>
>>> There used to be a library that you can use to help secure your web-app
>>>
>>> ...looking...
>>>
>>> http://www.hdiv.org/
>>>
>>> They used to support an S2 plugin, but I'm not sure which version it
>>> works with.
>>>
>>> In general, you want to treat security as something you approach in
>>> layers. Obviously, you want to encrypt communications that might
>>> expose sensitive information (apply SSL), and you want to utilize an
>>> authentication and authorization mechanism (spring-security). After
>>> that, you want to treat all user input as unsafe/tainted (escape
>>> before displaying to other users, use parameterized SQL statements
>>> rather than constructing strings of SQL) and make sure that you pay
>>> close attention that you try not to put sensitive data on the URL
>>> string (using form method="GET" for form-based authentication).
>>>
>>> In addition, it may not hurt and would probably be worth the money to
>>> involve a security professional to perform audits or to participate in
>>> code reviews. There are new attack mechanisms that crop up all the
>>> time, and a lot of times security pros can point out things that you
>>> didn't know were potential problems.
>>>
>>> Lastly, make sure you secure your application server... There is a
>>> guide to hardening Tomcat here -
>>>
>>> http://cisecurity.org/en-us/?route=downloads.browse.category.benchmarks.servers.web.apache
>>>
>>> If you are not using Tomcat, make sure you know enough about your
>>> application server that you don't open up attack vectors at the
>>> server.
>>>
>>> -Wes
>>>
>>> On Mon, Mar 22, 2010 at 4:28 PM, Oscar wrote:
>>>> Hi to all, right now I'm going to develop something like a bank
>>>> application to enable users to manage their accounts, transfer money,
>>>> pay services and so on, and really I have no experience developing
>>>> applications like that (where security is reeeeeally important), so I
>>>> don't know if there is some book about critical application development
>>>> with Struts 2, or you can give me some tips to develop a secure
>>>> application, also tips about Struts and SSL, or if you know internet
>>>> resources that talk about that.
>>>>
>>>> Thanks in advance.
>>>>
>>>> --
>>>> Oscar
>>>>
>>>
>>> --
>>> Wes Wannemacher
>>>
>>> Head Engineer, WanTii, Inc.
>>> Need Training? Struts, Spring, Maven, Tomcat...
>>> Ask me for a quote!
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: [email protected]
>>> For additional commands, e-mail: [email protected]
>>>
>
> --
> Oscar
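The named-parameter binding described in the reply above, as an added Java example that is not code from anyone in this thread. It assumes Hibernate 3.x (the version current when the thread was written), a mapped entity class Account with orgId and balance properties, a table account with an org_id column for the native-SQL variant, and a hypothetical AccountSearch bean whose getters supply the parameter values; the string-concatenation version is included only as the pattern to avoid.

```java
// Added example; not code from the mailing-list thread. Assumes a Hibernate
// 3.x Session and an already mapped entity class Account (in this package)
// with properties orgId and balance. AccountSearch and the table/column
// names in the native query are hypothetical.
import java.util.List;
import org.hibernate.Query;
import org.hibernate.SQLQuery;
import org.hibernate.Session;

public class AccountDao {

    private final Session session;

    public AccountDao(Session session) {
        this.session = session;
    }

    // VULNERABLE: the caller-supplied value becomes part of the query text,
    // so an input such as   x' or '1'='1   rewrites the WHERE clause.
    @SuppressWarnings("unchecked")
    public List<Account> findByOrgUnsafe(String orgId) {
        String hql = "from Account a where a.orgId = '" + orgId + "'";
        return session.createQuery(hql).list();
    }

    // SAFE: :orgId is a named parameter bound with setParameter. Hibernate
    // passes the value to JDBC as a bind variable, so the database never
    // parses it as query syntax, whatever characters it contains.
    @SuppressWarnings("unchecked")
    public List<Account> findByOrg(String orgId) {
        Query q = session.createQuery("from Account a where a.orgId = :orgId");
        q.setParameter("orgId", orgId);
        return q.list();
    }

    // SAFE: setProperties binds each named parameter from the JavaBean getter
    // of the same name, here getOrgId() and getMinBalance() on the bean.
    @SuppressWarnings("unchecked")
    public List<Account> search(AccountSearch criteria) {
        Query q = session.createQuery(
            "from Account a where a.orgId = :orgId and a.balance >= :minBalance");
        q.setProperties(criteria);
        return q.list();
    }

    // SAFE, native SQL: the same :name syntax works with createSQLQuery for
    // queries HQL cannot express. addEntity maps rows back to Account.
    @SuppressWarnings("unchecked")
    public List<Account> findByOrgNative(String orgId) {
        SQLQuery q = session.createSQLQuery(
            "select * from account where org_id = :orgId");
        q.addEntity(Account.class);
        q.setParameter("orgId", orgId);
        return q.list();
    }

    // Hypothetical search-criteria bean; Hibernate calls the getters by
    // parameter name when setProperties(criteria) is used above.
    public static class AccountSearch {
        private String orgId;
        private long minBalance;

        public String getOrgId() { return orgId; }
        public void setOrgId(String orgId) { this.orgId = orgId; }
        public long getMinBalance() { return minBalance; }
        public void setMinBalance(long minBalance) { this.minBalance = minBalance; }
    }
}
```

Bind parameters cover values only. An identifier taken from user input, such as a column name for an order by clause, cannot be bound with setParameter and must instead be checked against a fixed allow-list before it is appended to the query text; that is the one place where string building is still unavoidable.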

