[fpc-pascal] fpweb and security

Lars noreply at z505.com
Tue Feb 28 04:53:08 CET 2012


michael.vancanneyt at wisa.be wrote:
>
>
> On Mon, 27 Feb 2012, ik wrote:
>
>> Hello,
>>
>> I'm now thinking of using fpweb for a web application I need to build,
>> but the application is going to be over the internet, and I'm
>> interested in knowing about a few security issues that are supported or
>> not.
>>
>> Does it have any CSRF protection?
>> What other security tools, if any, does it have?
>>
>
> None. It is an HTTP handling framework. Other than Basic Authentication on
> the web server level, HTTP does not offer security mechanisms, and
> therefore none are implemented in FPweb either.


HTTP doesn't really address security, but a web framework can provide some
security, such as SQL escaping to prevent SQL injection, along with URL
escaping to prevent URL injection through URL variables. Using SQL
prepared statements instead of regular SQL queries should help, but I've
heard that even SQL prepared statements can be injected.

CSRF protection... that's a good question... This guy has an interesting
article and blog comments on it:
http://www.codinghorror.com/blog/2008/10/preventing-csrf-and-xsrf-attacks.html
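
Since the thread establishes that fpweb ships no CSRF protection, here is one way an application could add its own check, as an added example that is not part of the original message or of fpweb. It derives a per-session token with HMAC-SHA1 from FPC's `hmac` unit (fcl-hash); the secret, the session ids and the function names are constructed for illustration, and the handler is assumed to embed the token in each form and compare it on every state-changing request.

```pascal
program csrfdemo;
{$mode objfpc}{$H+}

uses
  SysUtils, hmac;

const
  { Constructed placeholder. A real deployment loads a long random secret
    from protected configuration and never hard-codes it. }
  ServerSecret = 'constructed-demo-secret-not-for-production';

{ Token = hex HMAC-SHA1 of the session identifier under the server secret.
  Another site cannot compute it because it knows neither the secret nor
  the victim's session id. }
function IssueCsrfToken(const SessionId: string): string;
begin
  Result := HMACSHA1(ServerSecret, SessionId);
end;

{ Compare every character instead of stopping at the first mismatch, so
  response timing does not reveal how much of a guess was correct. }
function ConstantTimeEquals(const A, B: string): Boolean;
var
  I, Diff: Integer;
begin
  if Length(A) <> Length(B) then
    Exit(False);
  Diff := 0;
  for I := 1 to Length(A) do
    Diff := Diff or (Ord(A[I]) xor Ord(B[I]));
  Result := Diff = 0;
end;

{ Reject requests with no session or with a token issued for another one. }
function IsValidCsrfToken(const SessionId, Submitted: string): Boolean;
begin
  Result := (SessionId <> '') and
            ConstantTimeEquals(IssueCsrfToken(SessionId), Submitted);
end;

var
  Token: string;
begin
  Token := IssueCsrfToken('session-A');  { constructed session ids }
  WriteLn('same session:  ', IsValidCsrfToken('session-A', Token));
  WriteLn('other session: ', IsValidCsrfToken('session-B', Token));
  WriteLn('missing token: ', IsValidCsrfToken('session-A', ''));
end.
```

The token only helps if the session id itself is unpredictable and the check runs on every request that changes state, not just on form pages.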




