Standard Security Measures, Please
Posted by Jonathan Ng | Filed under Technical
I’m so pissed - a group of developers, paid to maintain an intranet/website, don’t even know how to implement the most basic of security/privacy measures, and they call themselves “experts”.
Dear “experts”,
1) Beware of SQL Injection
SQL injection is one of the things most (decent) web programming books cover in their database access chapters. SQL injection attacks are easy to detect and easy to carry out. Fortunately, they are equally easy to prevent: never build a query by pasting user-supplied text into the SQL string. In ASP.NET, for example, OleDbCommand has a Parameters collection; put a ? placeholder in the query text and add the user-supplied value with Parameters.Add() (or Parameters.AddWithValue()), so the driver passes it to the database as data rather than as part of the statement.
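As an added example (not code from the original post), here is the same contrast in Python against an in-memory SQLite database: a user lookup built by string concatenation beside the parameterised version. SQLite’s positional ? placeholders play the role of the OleDbCommand parameters mentioned above (OLE DB also uses ? markers). The users table, the e-mail addresses and the injection payload are all constructed for the demo.

```python
import sqlite3

# Constructed sample data for the demo (not from the original post).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("o'brien", "obrien@example.com"),   # a legitimate name containing a quote
]


def make_db():
    """Build a throwaway in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, username):
    """VULNERABLE: untrusted input becomes part of the SQL text itself."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """SAFE: the value travels as a bound parameter, never as SQL syntax."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups against a normal name, an injection payload and a name
    with an apostrophe, and return the results for inspection."""
    conn = make_db()
    payload = "' OR '1'='1"   # classic tautology payload
    results = {
        # ordinary lookups behave identically in both versions
        "vulnerable_normal": find_user_vulnerable(conn, "alice"),
        "safe_normal": find_user_safe(conn, "alice"),
        # the payload turns the WHERE clause into ... = '' OR '1'='1' and dumps every row
        "vulnerable_injected": find_user_vulnerable(conn, payload),
        # the same payload is just an odd username to the parameterised query: no match
        "safe_injected": find_user_safe(conn, payload),
        # parameters also handle quotes in legitimate data correctly
        "safe_apostrophe": find_user_safe(conn, "o'brien"),
    }
    try:
        find_user_vulnerable(conn, "o'brien")
        results["vulnerable_apostrophe_error"] = None
    except sqlite3.OperationalError as exc:
        # the stray quote breaks the statement: a visible symptom of the same flaw
        results["vulnerable_apostrophe_error"] = str(exc)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that the concatenated version does not even work correctly on honest input: the name with an apostrophe produces a SQL syntax error, which is usually the first sign that a site is injectable.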
2) Hash passwords!
Never, ever store passwords in plain text in a database! Anyone who gains read access to the users table (through SQL injection, a stolen backup or a careless admin) can then log in as any user, and since people reuse passwords, often into other sites too. Store a one-way hash of the password instead. In PHP, for example, there’s an md5() function that computes a one-way hash of a given string (it is a hash, not encryption: nobody, including you, can turn the digest back into the password). When a user registers, hash the password before storing it in the database. When the user next logs in, hash the submitted password the same way and check whether it matches the stored value. Be aware that a bare, unsalted, fast hash such as MD5 is no longer adequate on its own: identical passwords produce identical digests, and precomputed tables crack common passwords instantly. Use a random per-user salt and a deliberately slow password hashing function (bcrypt, or PBKDF2 with a large iteration count). If you want to provide a “Forgot Password” function, do not look for a two-way encryption algorithm so the old password can be recovered; e-mail the user a random, single-use, expiring reset token and let them choose a new password.
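As an added example (not code from the original post), the scheme above in Python: the unsalted MD5 the post describes beside a salted, slow hash, plus a reset-token flow that replaces the two-way encryption idea. PBKDF2-HMAC-SHA256 from the standard library is used here as the slow hash in place of bcrypt; the stored-string format, the token lifetime and the sample passwords are all assumptions of this demo.

```python
import hashlib
import hmac
import os
import secrets


def unsalted_md5(password):
    """What the post originally describes: the same password always yields the
    same digest, so one lookup table cracks every user who chose it."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=200_000):
    """Salted, slow hash. Stored form (an assumed layout): algo$iterations$salt$digest,
    so the parameters needed to verify travel with the hash."""
    salt = os.urandom(16)                     # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count, then compare in
    constant time so timing does not leak how many bytes matched."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def issue_reset_token(now, ttl_seconds=3600):
    """'Forgot password' without recoverable passwords: the user receives a random
    token; the database keeps only its hash and an expiry time."""
    token = secrets.token_urlsafe(32)          # goes to the user, e.g. by e-mail
    record = {
        "hash": hashlib.sha256(token.encode("ascii")).hexdigest(),
        "expires": now + ttl_seconds,
    }
    return token, record


def check_reset_token(presented, record, now):
    """Accept the token only if it is unexpired and hashes to the stored value.
    A real implementation also deletes the record after one successful use."""
    if now > record["expires"]:
        return False
    presented_hash = hashlib.sha256(presented.encode("ascii")).hexdigest()
    return hmac.compare_digest(presented_hash, record["hash"])


if __name__ == "__main__":
    # Two users with the same password: MD5 gives identical digests, the salted hash does not.
    print(unsalted_md5("password"), unsalted_md5("password"))
    print(hash_password("password"))
    print(hash_password("password"))
```

The iteration count is the knob that makes guessing expensive: it should be tuned so one verification costs a noticeable fraction of a second on the server, and raised as hardware gets faster, which the self-describing stored format makes painless.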
Of course, there are lots more security best practices, and I think these best practices should be covered in each and every IT course’s syllabus.
4 Responses to “Standard Security Measures, Please”
-
Regina Says:
January 10th, 2008 at 5:35 pm
Who are these developers? :p Luckily, Jeff and I practiced the above-mentioned in our final year project.
-
Jeffrey04 Says:
January 10th, 2008 at 7:09 pm
MD5 is not an encrypting algorithm but is a hashing algorithm… besides that, using MD5 alone is no longer secure:
http://www.codinghorror.com/blog/archives/000949.html
One more area to worry about in the web development world is XSS (cross site scripting). Hopefully I will have the time to learn all about these things during the break after our final sem exam…
-
Jonathan Ng Says:
January 10th, 2008 at 11:09 pm
Thanks for the reminder Jeff.
Well, at least MD5 hashing is better than nothing at all.
-
bckk Says:
January 11th, 2008 at 10:39 am
Wonder who those developers are... when you mentioned the Intranet