This question is for learning purposes. Suppose I am writing a simple SQL admin console using CGI and Python. At http://something.com/admin, this admin console should allow me to modify a SQL database (i.e., create and modify tables, and create and modify records) using an ordinary form.

  1. In the least secure case, anybody can access http://something.com/admin and modify the database.
  2. You can password protect http://something.com/admin. But once you start using the admin console, information is still transmitted in plain text.
  3. So then you use HTTPS to secure the transmitted data.

Questions:

  1. To describe to a learner, how would you incrementally add security to the least secure environment in order to make it most secure? How would you modify/augment my three (possibly erroneous) steps above?
  2. What basic tools in Python make your steps possible?
  3. Optional: Now that I understand the process, how do sophisticated libraries and frameworks inherently achieve this level of security?
+2  A: 

Non-specific to Python, but any administrative features that offer that level of control over a system should be protected with both SSL and an Authentication and Authorization mechanism (login) at the very least.

Paperjam
+3  A: 

Security is not a patch job, it's a holistic approach.

Incrementally adding security is not a good idea. You should integrate security in your application from the ground up.

The best advice I can give you is to try to think like an attacker. Think to yourself: "If I wanted to do something I'm not supposed to be able to do, how would I do it?"

If you're designing an application which uses a database, be careful not to allow SQL Injections. You should also be aware of some of the most popular web vulnerabilities if you're making a web app.

Ben S
Thank you for the suggestion. That second link was really useful. Without much experience, it's hard for me to think like an attacker because I don't know my options, but that link makes those options quite apparent.
Steve
+2  A: 

The very first concern I have is protecting against CSRF vulnerabilities. Next I would be concerned with Broken Authentication and Session Management. Most importantly, in order to maintain a secure session you must use HTTPS throughout the entire life of the session. If you were to spill a password or session ID or even a SQL query in plain text, that would be a bad thing.

Rook
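As an added example (not code from any of the answers above), here is how the two concrete points raised by Ben S (SQL injection) and Rook (CSRF) look in Python's standard library for an admin console like the one in the question. It assumes a constructed in-memory sqlite3 table and a constructed secret key; the function names are hypothetical.

```python
import hashlib
import hmac
import sqlite3


def make_db():
    # Constructed stand-in for the admin console's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def find_user_unsafe(conn, name):
    # Vulnerable: form input is pasted into the SQL text, so a quote in the
    # input ends the string literal and the rest is parsed as SQL.
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def find_user_safe(conn, name):
    # Hardened: a parameterized query. The driver sends the value as data,
    # so it can never change the structure of the statement.
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def issue_csrf_token(secret_key: bytes, session_id: str) -> str:
    # CSRF defense: a token bound to the session with a server-side secret,
    # embedded as a hidden field in every admin form.
    return hmac.new(secret_key, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(secret_key: bytes, session_id: str, submitted) -> bool:
    # On submit, recompute the token for this session and compare in constant
    # time; a missing or foreign token rejects the request.
    if not isinstance(submitted, str):
        return False
    expected = issue_csrf_token(secret_key, session_id)
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input containing a quote
    print("unsafe:", find_user_unsafe(db, crafted))  # every row comes back
    print("safe:  ", find_user_safe(db, crafted))    # no row matches literally
    key = b"constructed-secret-key"
    token = issue_csrf_token(key, "session-1")
    print("token valid for session-1:", verify_csrf_token(key, "session-1", token))
    print("token valid for session-2:", verify_csrf_token(key, "session-2", token))
```

The same parameter placeholder style applies to the INSERT and UPDATE statements behind the console's record-editing form; the CSRF token must be checked before any of them run.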