Uzo Uzo wrote:
Hey all,
How are you all dealing with web security? Preventing SQL injection attacks and cross site scripting attacks...

I haven't done much for XSS attacks, though I'm sure there are generic Python libraries out there to clean up HTML.


For SQL injection, you'll be pretty safe if you use an ORM like SQLObject or MiddleKit. And even if you use the straight DB API you'll be fine as long as you don't do your own string substitution. I.e. don't do this:

  cursor.execute("UPDATE article SET content = '%s'" % content)

Instead do:

  cursor.execute("UPDATE article SET content = %s", [content])

For logins I just store the username in the session, which I consider safe enough; if there's any real issue, I put the whole thing behind SSL. I also put all the security stuff into SitePage, so that it's always easy to check permissions, even if in theory the user couldn't have gotten to a form unless they were permitted. You could probably use sessions in that case as well. Often I do the permission check in awake(), and use class attributes to define the allowed roles.

--
Ian Bicking  /  [EMAIL PROTECTED]  / http://blog.ianbicking.org
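The two `cursor.execute()` calls above show the difference in one line each; the following is an added example (not code from the post or from Webware) that makes the difference observable. It uses the standard-library `sqlite3` module so it runs offline, with a constructed `article` table and a constructed payload. Note that `sqlite3` uses `?` as its placeholder where MySQLdb and psycopg2 use `%s`; the point is the same, the driver binds the value instead of pasting it into the SQL text.

```python
import sqlite3


def make_db():
    # Constructed sample data: an in-memory table with two articles.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, content TEXT)")
    conn.executemany(
        "INSERT INTO article (id, content) VALUES (?, ?)",
        [(1, "first"), (2, "second")],
    )
    conn.commit()
    return conn


def update_unsafe(conn, article_id, content):
    # The "don't do this" form: content is spliced into the SQL text with %,
    # so a quote in it ends the string literal and the rest becomes SQL.
    conn.execute(
        "UPDATE article SET content = '%s' WHERE id = %d" % (content, article_id)
    )
    conn.commit()


def update_safe(conn, article_id, content):
    # The recommended form: the value is passed separately and bound by the
    # driver, so it can never change the shape of the statement.
    conn.execute(
        "UPDATE article SET content = ? WHERE id = ?", (content, article_id)
    )
    conn.commit()


def contents(conn):
    return [row[0] for row in conn.execute("SELECT content FROM article ORDER BY id")]


# Constructed payload: closes the quoted literal, widens the WHERE clause to
# every row, and comments out the real WHERE clause that follows.
PAYLOAD = "owned' WHERE 1=1 --"


def demo():
    # Run the same payload through both forms against fresh databases and
    # return what each table looks like afterwards.
    unsafe = make_db()
    update_unsafe(unsafe, 1, PAYLOAD)

    safe = make_db()
    update_safe(safe, 1, PAYLOAD)

    return contents(unsafe), contents(safe)


def unsafe_breaks_on_ordinary_quote():
    # Even without an attacker, the % form cannot handle legitimate content
    # containing an apostrophe: the resulting SQL is simply invalid.
    try:
        update_unsafe(make_db(), 1, "O'Reilly")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    unsafe_rows, safe_rows = demo()
    print("unsafe:", unsafe_rows)   # every row overwritten
    print("safe:  ", safe_rows)     # only row 1, and the payload stored as text
    print("unsafe fails on O'Reilly:", unsafe_breaks_on_ordinary_quote())
```

With the `%`-formatted statement the payload rewrites both rows; with the bound parameter only article 1 changes and its content is the payload string itself, quote and all. The second function shows that string substitution is wrong for plain correctness as well as for security, which is a useful argument when someone insists their input is trusted.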


