possible security issues with servlets connecting to a DB

 
Reggie McDougal
Ranch Hand
Posts: 69
Hi there,

I need an opinion on the below approach in my application.

I have an app using a controller, and within the app a form that points directly to a servlet that makes a database connection, uses a prepared statement and inserts data.

What possible security issues are there in this approach? Is there a better and more secure way to update and insert into my database?

If someone could give me some advice would be great.

Reg

[ January 31, 2005: Message edited by: Reggie McDougal ]
 
Jeroen Wenting
Ranch Hand
Posts: 5093
What's your fear?
If you control access to the servlet to the same degree you'd control access to the database, no one can access the database.
In fact, you can control things far more fine-grained than would be possible (at least easily) by giving people usernames and passwords to the database directly.

You can quite easily create a system of logins in which people have read-only access to only some parts of the application for example.
Try to handle that inside the database and you're looking at setting permissions on a per user basis on each table.

Of course if your servlet has no access control whatsoever everyone can access it and in theory cause a write to the database.
But even then (unless you're extremely careless) they can only use the exact SQL you yourself defined, and not just do whatever they want.
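As an added illustration of both posts above (this is example code written for this page, not code from either poster or from the original application), here is how the form-to-servlet-to-PreparedStatement approach looks when the servlet itself enforces access control, so that an anonymous request cannot reach the INSERT, and the only SQL that can ever run is the fixed statement the developer wrote. The DataSource name `java:comp/env/jdbc/AppDS`, the table `NOTES(OWNER, BODY)`, the form field `body` and the role name `editor` are assumptions, not anything from the thread.

```java
// Added example (not from the original thread): a servlet that checks
// access before running one fixed, parameterised INSERT.
// Assumptions (not in the thread): a container-managed DataSource bound at
// java:comp/env/jdbc/AppDS, a table NOTES(OWNER, BODY), a form field "body",
// and a role "editor" that the container assigns to authenticated users.
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

public class InsertNoteServlet extends HttpServlet {

    // The complete SQL text is fixed at compile time; client input is bound, never concatenated.
    private static final String INSERT_SQL = "INSERT INTO NOTES (OWNER, BODY) VALUES (?, ?)";
    private static final int MAX_BODY = 2000;

    private DataSource dataSource;

    @Override
    public void init() throws ServletException {
        try {
            dataSource = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/AppDS");
        } catch (NamingException e) {
            throw new ServletException("DataSource lookup failed", e);
        }
    }

    // Only POST writes; a GET (bookmark, prefetch, image tag) must never change the database.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // 1. Access control at the servlet: the container has already authenticated
        //    the user (web.xml security-constraint); we additionally require a role.
        if (req.getUserPrincipal() == null || !req.isUserInRole("editor")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // The owner comes from the authenticated session, never from a hidden form field.
        String owner = req.getUserPrincipal().getName();
        String body = req.getParameter("body");

        // 2. Validate the one value that really comes from the client.
        if (body == null || body.trim().isEmpty() || body.length() > MAX_BODY) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "body missing or too long");
            return;
        }

        // 3. Fixed SQL with bound parameters: the client's text is data, not part of
        //    the statement, so only this INSERT can run no matter what is submitted.
        try (Connection con = dataSource.getConnection();
             PreparedStatement ps = con.prepareStatement(INSERT_SQL)) {
            ps.setString(1, owner);
            ps.setString(2, body);
            ps.executeUpdate();
        } catch (SQLException e) {
            // Database detail goes to the server log only; the client sees a generic error.
            log("insert failed for user " + owner, e);
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

The role check is what turns "everyone can access it and in theory cause a write" into a write that only an authenticated `editor` can trigger, and the database account the DataSource uses can be granted nothing beyond INSERT on `NOTES`, so even a bug in the servlet cannot be turned into wider database access.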
 