You can build a secure program in any language. (And you can build complete crap in any language, too.) Some languages are just easier than others, if they make assumptions about how things are done, and that's how you're trying to do it. (Now, when you try to override those assumptions, sometimes it's just easier to use a different language.)

I wouldn't recommend learning a whole new language, if that means you're going to need to learn a whole new set of security considerations.

mySQL is very powerful, and with InnoDB, can support transactions, which may be necessary depending on what you're trying to do. Yes, there are lots of things that you can do in Oracle (triggers to do referential integrity checks, etc.), but those are quickly being added to mySQL. Look at what features you need for your design, and see if the database can support it -- Oracle specifically makes money by their 'we do everything' so that managers will fear that they might be missing out on something, and buy the absolute biggest, most expensive thing they can. Besides, if you're going to pay for Oracle, you'd be bottlenecked by Windows, so you might as well go with MS-SQL or something else cheaper.

I would suggest putting as many of the constraints as you can within the database, rather than just in the CGI script. (I would actually put them in both places, unless it would adversely affect your execution time, because it's easier to give good messages back to the user).

But of course, most important is what Joost already said -- use HTTPS. Depending on the host, you might have to buy an SSL cert, but it's worth it, just in keeping from taking phone calls about why someone would have to accept your self-signed cert. (A larger webhost might have a wildcard cert, so you won't need to buy one yourself, but you'd have to use their domain name.) And use bind variables. And don't trust any of the input to be clean.

As for books -- I haven't found any that I particularly cared for. Too many of them seem to be vanity press... That's not to say they're not out there, but I've given up reading them.


In reply to Re: Security for an Web based applicatoin by jhourcle
in thread Security for an Web based applicatoin by perleager
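The three concrete points in the reply above (constraints in the database as well as in the CGI script, bind variables, and never trusting input) put together in one runnable script. This is an added example, not jhourcle's code or anything from the original thread. It assumes DBI with DBD::SQLite installed and uses an in-memory SQLite database as a stand-in for the MySQL/InnoDB server the thread discusses; the table, the `validate_user` and `add_user` subroutines, and the sample inputs are all made up for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is installed. SQLite stands in for MySQL/InnoDB;
# the DDL below is plain enough to port to either.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

# Constraints live in the database, so bad rows are rejected no matter
# which path they arrive by (CGI script, cron job, someone at a SQL prompt).
$dbh->do(<<'SQL');
CREATE TABLE users (
    id       INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE
             CHECK (length(username) BETWEEN 3 AND 32),
    age      INTEGER NOT NULL CHECK (age BETWEEN 13 AND 120)
)
SQL

# The same rules in the script, so the user gets a readable message
# instead of a raw constraint-violation error.
sub validate_user {
    my ($username, $age) = @_;
    my @errors;
    push @errors, 'username must be 3-32 characters'
        unless defined $username
            && length($username) >= 3 && length($username) <= 32;
    push @errors, 'age must be a whole number between 13 and 120'
        unless defined $age && $age =~ /\A\d+\z/ && $age >= 13 && $age <= 120;
    return @errors;
}

# Bind variables: the SQL text is fixed and the user data travels
# separately, so a quote in the input stays data and never becomes syntax.
sub add_user {
    my ($dbh, $username, $age) = @_;
    my @errors = validate_user($username, $age);
    return (0, join('; ', @errors)) if @errors;
    my $ok = eval {
        $dbh->do('INSERT INTO users (username, age) VALUES (?, ?)',
                 undef, $username, $age);
        1;
    };
    return $ok ? (1, 'ok') : (0, "database rejected the row: $@");
}

# Constructed inputs: a normal user, one with a quote in the name (fine with
# placeholders), one caught by the script's check, and a duplicate that the
# script cannot see but the database's UNIQUE constraint stops.
for my $in (['alice', 30], ["o'brien", 45], ['al', 30], ['alice', 31]) {
    my ($ok, $msg) = add_user($dbh, @$in);
    printf "%-10s %-3s -> %s\n", $in->[0], $in->[1], $msg;
}

# Why "don't trust the input" and "use bind variables" go together:
# the same lookup with interpolation lets the input rewrite the WHERE clause.
my $evil       = "x' OR '1'='1";
my $unsafe_sql = "SELECT count(*) FROM users WHERE username = '$evil'";
my ($unsafe_count) = $dbh->selectrow_array($unsafe_sql);
my ($bound_count)  = $dbh->selectrow_array(
    'SELECT count(*) FROM users WHERE username = ?', undef, $evil);
print "interpolated: $unsafe_count row(s) matched, bound: $bound_count row(s) matched\n";
```

The interpolated query matches every row in the table, because the input closed the string literal and appended its own condition; the bound version matches nothing, because the whole string was compared as a username. The duplicate `alice` row shows why the database constraint is still needed even with checks in the script: two CGI requests arriving at once can both pass the script's check, and only the database can serialise them.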
