I was a little concerned the other day because I read a little something about SQL Injection attacks, quickly tried it on one of my sites and managed to 'hack' into my account. I quickly fixed it, but it's left me wondering how many other things I've left unsecured.
I do use MS Access databases a lot for smaller websites, but they're not stored in the www directory, but in a database directory elsewhere on the server.
I use Session and Application variables a lot. Is there any way the user can view/set session variables themselves?
I'm obviously sensible enough not to store passwords anywhere, and not to pass data on the query string unless heavily encrypted...
You could take a look at, and somehow decrypt, your local cookies, which are created when a Session is instantiated. Sessions are not perfect, but that is what we've got.
Your site will always be hackable. So will mine.
As long as you cover for the basic security holes, you should be fine. If you're dealing with sensitive data, you could look into an SSL certificate.