Re: User permissions

On Thu, 2002-03-14 at 14:35, Lars Preben S. Arnesen wrote:

> But what if your JSP-script lets an evil user insert sql statements
> via a form in your web application. Then the approved application on
> your own server, with the right username/password send possible nasty
> SQL to the database. Of course this requires security holes in the web
> application layer, but hey: it is holes like that in at least half of
> every dynamic web site out there. I don't think I'm any better so I
> want to use security at _all_ levels, including the database.

You have got me worried. How is "select * from password" submited to a
database table going to execute?

I mean in my applications I can submit datatypes to rows in a table. How
do I submit sql or java code that will execute?

I know I can try to submit code via the URL but I was under the
impression that the java security folk had cleaned that one up? As for
sql code that will ececute it is beyond me.

Please send me a working example offlist so that I can try it on my
current project.

Cheers

Tony

--
RedHat Linux on Sony Vaio C1XD/S
http://www.animaproductions.com/linux2.html
Macromedia UltraDev with PostgreSQL
http://www.animaproductions.com/ultra.html