Rank: Newbie
Joined: 1/24/2008 Posts: 20
My client (Fortune 500 company) is asking me about SQL injection and Umbraco. What type of protection is used to protect against SQL injection attempts?
Also, my client would like to know if Umbraco can "use a different account to read the site vs edit". Does anyone have answers to these questions?
Thanks in advance! -Carter
 Rank: Newbie
Joined: 3/19/2008 Posts: 8 Location: Stockholm
As far as I know, SQL injection is a scenario where a user inputs something to interrupt an SQL query and make it do something else, and the only interface for that kind of stuff is one you as the developer create yourself, so as long as you take care of your code, Umbraco will be safe. I read "different account" as "not an anonymous IIS user", and I'm not sure if that would work, but I'm pretty sure there are innovative people in the community that could help you out to either find a solution or an acceptable work-around. //S http://www.b-line.se/ - Your one-stop shop for great Hip-Hop Music.
 Rank: Fanatic
Joined: 10/9/2006 Posts: 334
Remember also that the front end of the site [public facing] uses an XML file for data retrieval and display... no SQL calls on the front, so no SQL to inject into forms, etc. The back end hits the database, so if the admin panel gets broken into - meaning they know your user/pass combo... no need to inject SQL, they can just delete and deface nodes that way.
bootnumlock - aka bob baty-barr [ http://www.baty-barr.com] Level 1 Certified!
 Rank: Addict
Joined: 3/17/2008 Posts: 787 Location: Nyborg, Denmark
umbraco follows Microsoft best practices and uses .NET parameters in queries, which means that the .NET framework will take care of handling SQL injection rules. As such, umbraco shouldn't be subject to SQL injection queries.
It's a good idea to have the option of another account to read from the db in the runtime engine, which, even though it doesn't query the db when rendering pages, does read template etc. metadata when the whole application starts. I'll see if this could make it into 3.1. You're welcome to contact me if you want to discuss this (nh At umbraco "." dk).
Cheers, Niels / umbraco
Jeeeez, did I really start this :-)
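The two points in Niels' post (bound parameters instead of string-built SQL, and a separate low-privilege account for the rendering path) can be seen side by side in a small Python/sqlite3 script. This is an added example for the thread, not umbraco's own code: the `members` table, its rows and the attack payloads are constructed for the demo, and sqlite3's authorizer hook stands in for the read-only database login you would create on SQL Server, since SQLite has no per-user grants.

```python
import sqlite3

# Constructed sample data: a tiny "members" table standing in for a CMS login
# table. Autocommit mode (isolation_level=None) keeps the read-only demo simple.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO members VALUES (?, ?)",
        [("carter", "s3cret"), ("editor", "hunter2")],
    )
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable: user input is spliced into the SQL text itself."""
    sql = (
        "SELECT 1 FROM members WHERE username = '" + username
        + "' AND password = '" + password + "' LIMIT 1"
    )
    return conn.execute(sql).fetchone() is not None


def login_param(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened: the same check with bound parameters. The values never become
    part of the SQL grammar, so quotes and comment markers are just data."""
    sql = "SELECT 1 FROM members WHERE username = ? AND password = ? LIMIT 1"
    return conn.execute(sql, (username, password)).fetchone() is not None


def restrict_to_reads(conn: sqlite3.Connection) -> sqlite3.Connection:
    """Least privilege for the rendering path: allow SELECT/READ only, deny
    everything else (UPDATE, DELETE, DROP, ...). On a real server this is a
    separate login with SELECT-only grants; the authorizer is the sqlite stand-in."""
    def authorizer(action, arg1, arg2, db_name, source):
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    conn.set_authorizer(authorizer)
    return conn


def try_deface(conn: sqlite3.Connection) -> str:
    """What an attacker holding the rendering connection can do to content."""
    try:
        conn.execute("UPDATE members SET password = 'pwned'")
        return "changed"
    except sqlite3.DatabaseError as exc:  # "not authorized" from the authorizer
        return f"denied: {exc}"


if __name__ == "__main__":
    db = build_db()
    # Classic payloads: a comment marker that drops the password check, and a
    # tautology that makes the WHERE clause always true.
    for user, pw in [("carter", "s3cret"), ("carter' --", "wrong"), ("x", "' OR '1'='1")]:
        print(f"{user!r}/{pw!r}: concat={login_concat(db, user, pw)} "
              f"param={login_param(db, user, pw)}")
    restrict_to_reads(db)
    print("legit login still works:", login_param(db, "carter", "s3cret"))
    print("deface attempt:", try_deface(db))
```

The concatenated version accepts both payloads; the parameterised version only accepts the real credentials. After `restrict_to_reads`, reads keep working while the `UPDATE` is refused, which is the property a separate read-only account gives the front end: even a bug in the rendering path cannot rewrite or delete nodes.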
Rank: Newbie
Joined: 1/24/2008 Posts: 20
|
bootnumlock wrote: Remember also that the front end of the site [public facing] uses an XML file for data retrieval and display... no SQL calls on the front, so no SQL to inject into forms, etc. The back end hits the database, so if the admin panel gets broken into - meaning they know your user/pass combo... no need to inject SQL, they can just delete and deface nodes that way.
But aren't the XML files stored in the database?
Rank: Newbie
Joined: 1/24/2008 Posts: 20
|
hartvig wrote: umbraco follows Microsoft best practices and uses .NET parameters in queries, which means that the .NET framework will take care of handling SQL injection rules. As such, umbraco shouldn't be subject to SQL injection queries.
It's a good idea to have the option of another account to read from the db in the runtime engine, which, even though it doesn't query the db when rendering pages, does read template etc. metadata when the whole application starts. I'll see if this could make it into 3.1. You're welcome to contact me if you want to discuss this (nh At umbraco "." dk).
Cheers, Niels / umbraco
Thanks for the information Niels. I'll pass it on to my client.
Rank: Aficionado
Joined: 10/2/2007 Posts: 123 Location: Czech Republic
|
Hi, I believe the umbraco frontend is safe from SQL injection (it has no inputs by default, and it uses SQL parameters). But what about XSS http://ha.ckers.org/xss.html, especially with extensions like autoform or xslt search? Thanks