Summary of java in web development security

1. Verification of the original data input by the customer does not depend on Script. Although the verification of input data on the client side such as JavaScript is more convenient, it cannot be used for security reasons. Scripts are unsafe and users may block scripts. We can send user data to the server and verify the legality of the string on the server.

2. Input identifier of HTML Remove all input sprite brackets '& lt;' '' & gt; ',

## 3. HTML to bury the data (' & lt ;' '>' ' and ' '"' ' ' ' → 'is<' '>' 'is μ"' ' &39;' is replaced every other). (2) (3) Caused by cross-site scripting (css), the solution is to avoid the appearance of script symbols.

URLでPermissionされる字

Alphanumeric「;」「/」「?」「:」「@」「&」「=」「+」「$」「,」 「-」「_」「.」「!」「~」「*」「'」「(」「)」「%」

4. All web pages that need to be protected must have a user certification authority.

After logging in, save the userID in the SESSION and add a script to each page that needs to be protected for verification. If the session is empty, the verification fails and you need to log in again.

The following information is subject to special processing:

*Password

*Personal data such as email content of Web mail

*Name, age, address Personal information

*Data structure inside the Web application system

*Various system information such as the maximum time ticket inside the Web server

→[1-3 .]

5. The sessionID that can be inferred in advance cannot be defined, →[1-3.]

6. The key and important data parameters should not appear in the URL when sending

Use post to pass parameters. And countermeasures:

*Encrypted communication based on SSL

*Interference strategy.

*Hijacking Countermeasures During Conversation

7. The data in the hidden field cannot be modified and transferred (the value of the hidden field cannot be displayed, but it will be transferred and the value can be viewed in the html source file to prevent it from being The value is modified and passed) Do not use hidden to retrieve data. The improvement method is to use session to save hidden data →[1-5.]

8. The was sent from the WWW browser The value of the item, the value of the radio item, and the value of the checkbox item must be verified to see if the data submitted by the above control is legal. →[1-6.]

9. When writing SQL, write it in combination with variables. Check first and then submit (filter the variables submitted by the user before putting them into the SQL text) →[2-1.]

10. When assembling SQL, enter the data (') and semicolon (; ) needs to be processed. The reason is the same as 9) →［2-1.］

11. Do not embed the database password in the script. Regarding the settings of sensitive data, you can set them in the configuration file, and Windows can set them in the registry. →［2-2.］

12. When accessing the database, user permissions are set separately. Different user permissions are different, which can be achieved with the help of database permission settings, which is beneficial to improving security. →［2-3.］

13. Import of Java class package. Only import the required classes, and do not import unused packages and classes. This will help improve security and prevent others from using redundant classes to obtain information, especially several sensitive class packages →[3-1.]

14. Use security policy file (policy) settings to control the execution permissions of files.

File path: ${java.home}/lib/security/java.policy

package org.penglee.policy.test;
//permission java.io.FilePermission "c://winnt//system32//notepad.exe", "execute";
import java.io.IOException;
 
public class NoSecurityManager {
         public static void main(String[] args) {
//                     SecurityManager mySecurityManager = new SecurityManager ();
//                     System.setSecurityManager (mySecurityManager);
                       try {
                                     Runtime myRuntime = Runtime.getRuntime ();
                                     myRuntime.exec ("c://winnt//system32//notepad.exe");
                       } catch (IOException e) {
                                     e.printStackTrace();
                       }
         }
}

Copy after login

→［3-1.］

15. Set as private class ( private) to restrict the modification of data in the class, or define an interface to implement it. →[3-2.]

16. The data serialized by the program is not encrypted. To prevent using the serialized data to read sensitive data, you can use transient to process the serialized data. →［3-3.］

17. Use final classes except those that obviously need to be inherited. This prevents inheritance from being exploited to obtain sensitive information. →［3-4.］

18. Use AssertionError to throw errors. Please refer to the api documentation of this class for details→[3-5.]

19. Pay attention to the data inconsistency caused by thread synchronization to increase data security. →［3-6.］

20. Avoid relative paths in the input. An error occurs when a relative path is included. The reason may be that sibling folders are accessed. →［4-1.］

26. Try to avoid clear text passwords. It is best to encrypt sensitive data. It is recommended to use sha encryption →[9-1.]

27. Use sha encryption. →［9-1.］

28.29． Use the program to check the path (prevent relative paths) to check the security of the file name and data, and report an error if it contains special characters. →［9-2.］

30.31． In order not to teach too much, be very careful when doing the error message when logging in. User-facing error messages should not be sufficient to prevent users from inferring information about the internal structure of the program. →［9-3.］

32. Minimize the part of data processing that requires privileged use, and try to avoid the prevalence of general data processing privileges. Use a username with less permissions to log in, and try to avoid using special permissions to process general data. →［9-4.］

The above is the detailed content of Summary of java in web development security. For more information, please follow other related articles on the PHP Chinese website!

Related labels：

java，web，安全性

source：php.cn

Previous article：Oracle stored procedure and stored function creation example tutorial Next article：Java--program flow control

Statement of this Website

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Latest Articles by Author

• Detailed explanation of the 'elseif statement' example of PHP conditional control statement
  2023-03-07 13:08:02
• How to parse URLs with Chinese characters in PHP?
  2023-03-13 16:16:02
• SQL statement to remove duplicate records and obtain duplicate record example code
  1970-01-01 08:00:00
• PHP session validity period problem
  2023-03-13 09:38:01
• PHP user password encryption algorithm analysis
  2023-03-13 14:30:01
• vue.js implementation of imitating native ios time selection component development experience
  1970-01-01 08:00:00
• How to use JS to format the date type read from the database into the desired type
  1970-01-01 08:00:00
• php operator precedence order
  2023-03-10 21:22:02
• Methods and techniques for controlling the read-only or writable attributes of a text field using JS
  1970-01-01 08:00:00
• Detailed explanation of PHP expression concepts and examples
  2023-03-07 12:38:01

Latest Issues

function_exists() cannot determine the custom function Function test () {return true;} if (function_exists ('test')) {echo "test is function...

From 2024-04-29 11:01:01

0

3

2225

How to display the mobile version of Google Chrome Hello teacher, how can I change Google Chrome into a mobile version?

From 2024-04-23 00:22:19

0

11

2370

The child window operates the parent window, but the output does not respond. The first two sentences are executable, but the last sentence cannot be implemented.

From 2024-04-19 15:37:47

0

1

1979

There is no output in the parent window document.onclick = function(){ window.opener.document.write('I am the output of the child ...

From 2024-04-18 23:52:34

0

1

1864

Where is the courseware about CSS mind mapping? Courseware

From 2024-04-16 10:10:18

0

0

1936

Related Topics

More>

• java
• java regular expression syntax
• Is it difficult to learn Java by yourself?
• java configure jdk environment variables
• Java retains two decimal places
• java basic data types
• What is the use of java
• java online website

Popular Recommendations

• How to develop app software
• How to change the font size of eclipse
• What are the java data types?
• What is maven used for?
• What is the role of tomcat

Popular Tutorials

More>

Related Tutorials

Popular Recommendations

Latest courses

• 
  The latest ThinkPHP 5.1 world premiere video tutorial (60 days to become a PHP expert online training course)

  1423172
• 
  PHP introductory tutorial one: Learn PHP in one week

  4268715
• 
  JAVA Beginner's Video Tutorial

  2536478
• 
  Little Turtle's zero-based introduction to learning Python video tutorial

  507438
• 
  PHP zero-based introductory tutorial

  862757

• 
  The latest ThinkPHP 5.1 world premiere video tutorial (60 days to become a PHP expert online training course)

  1423172 times of learning
• 
  JAVA Beginner's Video Tutorial

  2536478 times of learning
• 
  Little Turtle's zero-based introduction to learning Python video tutorial

  507438 times of learning
• 
  Quick introduction to web front-end development

  215852 times of learning
• 
  Master PS video tutorials from scratch

  890401 times of learning

• 
  [Web front-end] Node.js quick start

  7472 times of learning
• 
  Complete collection of foreign web development full-stack courses

  5959 times of learning
• 
  Go language practical GraphQL

  4937 times of learning
• 
  550W fan master learns JavaScript from scratch step by step

  697 times of learning
• 
  Python master Mosh, a beginner with zero basic knowledge can get started in 6 hours

  24737 times of learning

Latest Downloads

More>

Web Effects

Website Source Code

Website Materials

Front End Template

• [form button] jQuery enterprise message form contact code
• [Player special effects] HTML5 MP3 music box playback effects
• [Menu navigation] HTML5 cool particle animation navigation menu special effects
• [form button] jQuery visual form drag and drop editing code
• [Player special effects] VUE.JS imitation Kugou music player code
• [html5 special effects] Classic html5 pushing box game
• [Picture special effects] jQuery scrolling to add or reduce image effects
• [Photo album effects] CSS3 personal album cover hover zoom effect

• [Front-end template] Home Decor Cleaning and Repair Service Company Website Template
• [Front-end template] Fresh color personal resume guide page template
• [Front-end template] Designer Creative Job Resume Web Template
• [Front-end template] Modern engineering construction company website template
• [Front-end template] Responsive HTML5 template for educational service institutions
• [Front-end template] Online e-book store mall website template
• [Front-end template] IT technology solves Internet company website template
• [Front-end template] Purple style foreign exchange trading service website template

• [PNG material] Cute summer elements vector material (EPS PNG)
• [PNG material] Four red 2023 graduation badges vector material (AI EPS PNG)
• [banner picture] Singing bird and cart filled with flowers design spring banner vector material (AI EPS)
• [PNG material] Golden graduation cap vector material (EPS PNG)
• [PNG material] Black and white style mountain icon vector material (EPS PNG)
• [PNG material] Superhero silhouette vector material (EPS PNG) with different color cloaks and different poses
• [banner picture] Flat style Arbor Day banner vector material (AI+EPS)
• [PNG material] Nine comic-style exploding chat bubbles vector material (EPS+PNG)

• [Front-end template] Home Decor Cleaning and Repair Service Company Website Template
• [Front-end template] Fresh color personal resume guide page template
• [Front-end template] Designer Creative Job Resume Web Template
• [Front-end template] Modern engineering construction company website template
• [Front-end template] Responsive HTML5 template for educational service institutions
• [Front-end template] Online e-book store mall website template
• [Front-end template] IT technology solves Internet company website template
• [Front-end template] Purple style foreign exchange trading service website template