asp db security / anti-hack


  1. #1
    asp db security / anti-hack

    Hi,

    Could anyone possibly advise me or give me some pointers as to what I should be doing/considering to keep a website hack-proof and secure?

    I have built a site using ASP/VBScript and MS SQL 2000 that basically allows users to insert records into the database which can then be viewed by other users in a master detail page. I created a new database in MS SQL 2000 and all records are added to one table using simple insert stored procedures. Users fill out a form which is submitted to a page which uses a command to activate the stored procedure. Users can also update and delete their records using stored procedures.

    What are the main things you should do to keep the new database and table secure?
    I have used Replace([variable], "'", "''") to replace single quotes from any record being inserted into the table. Is there anything else, similar or not, I should be doing?

    What about the default stored procedures that are already in the database when you create it? Do I have to delete any or change the permissions of any from the default settings?

    I will be using a managed server from a hosting company; should they take care of the security of the stored procedures etc. when I sign up?

    This is quite a vague question, I know. I don't really know how to be more specific. I'm just asking for some pointers to send me in the right direction!

    Thanks
    Craig

  2. #2
    Nothing is hack-proof.

    Well, the only thing that is is a computer that's sealed in a vault (with no power to it).

    And even that can be found and turned on.

    As for what you should be doing: you should validate that anything entered by the user is proper. Yes, you should be replacing single quotes with double quotes. But you should also verify that dates really are dates and that numbers are numbers. If you expect your data to be a maximum of X characters, check its length.

    As for the managed server: what do you mean by that? If they've agreed to secure the database, you'll need to tell them how you plan on using it. If you've created the database, then I wouldn't expect them to do it. If you don't have experience in securing a database, it's time you hire someone to do it for you.
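The two points in this thread, the quote handling in the question and the "dates are dates, numbers are numbers, check the length" advice in the reply, put together in classic ASP as an added example that is not code from either poster. The stored procedure name `usp_InsertRecord`, its parameters `@Title`, `@Qty`, `@Posted`, and a connection string held in `Application("ConnString")` are assumptions.

```vbscript
<%
' Added example, not from the thread: validate form input (length, whole
' number, date) and call the stored procedure through typed ADO parameters.
' Procedure name, parameter names and the connection-string location are assumed.
Option Explicit

' ADO constants (normally pulled in from adovbs.inc)
Const adCmdStoredProc = 4, adParamInput = 1, adExecuteNoRecords = 128
Const adVarChar = 200, adInteger = 3, adDBTimeStamp = 135
Const TITLE_MAX_LEN = 100

Function IsPlainInteger(s)
    ' IsNumeric alone accepts "1e3", "&H1F" and "1.5"; insist on digits only.
    Dim re : Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    IsPlainInteger = re.Test(s)
End Function

Sub Reject(msg)
    Response.Status = "400 Bad Request"
    Response.Write Server.HTMLEncode(msg)
    Response.End
End Sub

Dim title, qty, posted
title  = Trim(Request.Form("title"))
qty    = Trim(Request.Form("qty"))
posted = Trim(Request.Form("posted"))

' Validate, then reject; do not try to "repair" bad input.
If Len(title) = 0 Or Len(title) > TITLE_MAX_LEN Then Reject "Title must be 1-" & TITLE_MAX_LEN & " characters."
If Not IsPlainInteger(qty) Then Reject "Quantity must be a whole number."
If Not IsDate(posted) Then Reject "Posted must be a valid date."

Dim conn, cmd
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")        ' assumed: set in global.asa
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdStoredProc
cmd.CommandText = "usp_InsertRecord"       ' assumed procedure name

' Each value travels as a typed parameter and is never spliced into SQL text,
' so a quote inside title is stored as data; no Replace(..., "'", "''") needed.
cmd.Parameters.Append cmd.CreateParameter("@Title", adVarChar, adParamInput, TITLE_MAX_LEN, title)
cmd.Parameters.Append cmd.CreateParameter("@Qty", adInteger, adParamInput, , CLng(qty))
cmd.Parameters.Append cmd.CreateParameter("@Posted", adDBTimeStamp, adParamInput, , CDate(posted))
cmd.Execute , , adExecuteNoRecords

conn.Close
Set cmd = Nothing : Set conn = Nothing
%>
```

The SQL login behind the connection string needs only EXECUTE on the application's own procedures, not SELECT/INSERT/UPDATE/DELETE on the table itself, which is the permission model the first post is asking about.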
