possible security issues with servlets connecting to a DB

Ranch Hand
Posts: 69
Hi there,

I need an opinion on the below approach in my application.

I have an app using a controller, and within the app a form that points directly to a servlet that makes a database connection, uses a prepared statement and inserts data.

What possible security issues are there in this approach? Is there a better and more secure way to update and insert into my database?

If someone could give me some advice, it would be great.

Reg

[ January 31, 2005: Message edited by: Reggie McDougal ]
Ranch Hand
Posts: 5093
What's your fear?
If you control access to the servlet to the same degree you'd control access to the database, no one can access the database.
In fact, you can control things in a far more fine-grained way than would be possible (at least easily) by giving people usernames and passwords to the database directly.

You can quite easily create a system of logins in which people have read-only access to only some parts of the application for example.
Try to handle that inside the database and you're looking at setting permissions on a per user basis on each table.

Of course, if your servlet has no access control whatsoever, everyone can access it and in theory cause a write to the database.
But even then (unless you're extremely careless) they can only use the exact SQL you yourself defined, and not just do whatever they want.
 
Don't get me started about those stupid light bulbs.
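An added example (not code from this thread) of the arrangement the reply describes: the servlet enforces the access check itself and runs a PreparedStatement with bound parameters, so a caller can only trigger the SQL the developer wrote. The class name, the JNDI data source name and the "editor" role are assumptions.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

/** Hypothetical servlet: only authenticated users in role "editor" may insert. */
public class InsertCommentServlet extends HttpServlet {
    // Assumed JNDI name of a container-managed pool; the pool's DB account
    // should itself be limited to INSERT on the tables this servlet touches.
    private static final String DS_NAME = "java:comp/env/jdbc/AppDS";
    // Fixed SQL with placeholders: the user supplies values, never SQL text.
    private static final String INSERT_SQL =
        "INSERT INTO comments (author, body) VALUES (?, ?)";

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Access control at the servlet, as the reply suggests: container
        // authentication plus a role check (a web.xml security-constraint
        // can enforce the same thing declaratively).
        if (req.getUserPrincipal() == null || !req.isUserInRole("editor")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String body = req.getParameter("body");
        if (body == null || body.isEmpty() || body.length() > 2000) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        try {
            DataSource ds = (DataSource) new InitialContext().lookup(DS_NAME);
            try (Connection con = ds.getConnection();
                 PreparedStatement ps = con.prepareStatement(INSERT_SQL)) {
                // Bound parameters travel as data: quotes or semicolons in
                // the body are stored literally, never parsed as SQL.
                ps.setString(1, req.getUserPrincipal().getName());
                ps.setString(2, body);
                ps.executeUpdate();
            }
        } catch (NamingException | SQLException e) {
            throw new ServletException("insert failed", e);
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```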