> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Ted Roche
> Sent: Thursday, December 09, 2010 5:12 AM
> To: [email protected]
> Subject: Re: VFP and Web acces
> 
> On Wed, Dec 8, 2010 at 9:18 PM, Sytze de Boer <[email protected]>
> wrote:
> 
> > Lets say I just want to have a system where
> > 1  Client logs in with password
> 
> So, there's 400 - 1000 clients with unique and secure passwords. Where
> do these come from? How are they generated? How do you get them to
> clients? Email is insecure and passwords should _never_ be sent that
> way. Bear in mind a malicious user (client or hacker) with a password
> can find out if there are any security flaws (SQL overflows, flaws in
> your chosen platform) with the goal of taking over the machine for
> their own use. Any web application exposed to the internet is going to
> get probed by automatic scripts that have nothing better to do than
> try hundreds of well-known exploits; I see them in my web logs every
> night.
> 

<great stuff snipped>

Ya - what Ted said....   <g>

Along the same lines, perhaps a different way of saying the same thing:

If you just throw an HTML page up there exposed to the web with textboxes for the 
user to fill in and a Submit button on it - trust me - the bots will find it 
and flood your server by slamming that button over and over and over. I could 
show you an example of where this happened on one of my sites but I've since 
taken it down so no joy there....

The user login Ted referred to is of course critical - but don't bet the farm 
that everything coming into your database will be from a bona fide client.

Does this HAVE to be an app hosted on your server with an interface? i.e. could 
you get away with a simple web page run locally by the clients and then they do 
a data feed to the host?

If they can query the table in any way, then you have to code around SQL 
Injection security problems - not as simple as you might think.

If you do have the app run locally and Post the data back to the server now you 
have encryption to worry about. And of course, like Ted said - did it make it 
there? You sure?

Consider yourself lucky that you have friends out here shooting holes in the so 
called 'simplicity' of the overall plan - better have us do it than Joe Hacker 
after the fact....

It ain't a warm and fuzzy world wide web anymore....

Thanks,
 
Matthew Jarvis || Business Systems Analyst
IT Department
McKenzie-Willamette Medical Center
1460 G Street, Springfield, OR  97477 || Ph: 541-744-6092 || Fax: 541-744-6145
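The SQL injection point raised above, as an added example that is not part of the thread or anyone's posted code: a client lookup built by string concatenation beside the parameterised form. The table, its rows and the `find_client_*` names are constructed for the example; SQLite stands in for whatever backend the real site uses.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory client table standing in for the real one
    (sample rows, not data from the thread)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE clients (login TEXT PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO clients VALUES (?, ?)",
                    [("acme", "Acme Ltd"), ("globex", "Globex Corp")])
    con.commit()
    return con


def find_client_unsafe(con: sqlite3.Connection, login: str) -> list:
    """What NOT to do: the web-form value is spliced into the SQL text, so a
    quote character in the input changes the structure of the query.
    Shown only to contrast with find_client_safe."""
    sql = "SELECT login FROM clients WHERE login = '" + login + "'"
    return [row[0] for row in con.execute(sql).fetchall()]


def find_client_safe(con: sqlite3.Connection, login: str) -> list:
    """Parameterised query: the driver passes the value separately from the
    SQL text, so whatever the form contains is compared as a literal string
    and can never alter the query itself."""
    sql = "SELECT login FROM clients WHERE login = ?"
    return [row[0] for row in con.execute(sql, (login,)).fetchall()]


def demo() -> dict:
    """Run both lookups on a normal login and on a malformed one of the kind
    automated probes post into any exposed form."""
    con = make_db()
    crafted = "x' OR 'a'='a"   # constructed probe value, not a real client
    return {
        "normal_unsafe": find_client_unsafe(con, "acme"),
        "normal_safe": find_client_safe(con, "acme"),
        "crafted_unsafe": find_client_unsafe(con, crafted),  # every row leaks
        "crafted_safe": find_client_safe(con, crafted),      # no match
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The same rule applies to every value that reaches the database from the form, not just the login field: it goes in as a parameter, never into the SQL string.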
