


See MifosFaqs#What_security_does_Mifos_provide for a summary of some of the security features of MIFOS.

Technical aspects and TODOs

We prevent SQL injection attacks by not building SQL statements directly from strings. See the Hibernate documentation for details (we use named queries, in which the variables to be substituted are named with a leading colon, for example :prdOfferingName).
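The following Java class is an added illustration of the point above, not code from the Mifos project: it puts the string-concatenation anti-pattern beside the named-query form that Mifos uses. The entity class PrdOffering, its property prdOfferingName, the DAO class name and the named query name "findOfferingByName" are assumptions made for this example; the Hibernate calls (getNamedQuery, setParameter, list) are the standard Hibernate 3 Session and Query API and need a configured Session to run.

```java
import java.util.List;
import org.hibernate.Query;
import org.hibernate.Session;

// Hypothetical DAO. The named query would be declared in a Hibernate mapping
// file along these lines (assumed; not the project's actual mapping):
//   <query name="findOfferingByName">
//     from PrdOffering p where p.prdOfferingName = :prdOfferingName
//   </query>
public class PrdOfferingDao {

    private final Session session;

    public PrdOfferingDao(Session session) {
        this.session = session;
    }

    // Unsafe: the user-supplied value becomes part of the query text, so a
    // single quote inside 'name' changes the structure of the HQL statement
    // and, through it, the generated SQL.
    public List findByNameUnsafe(String name) {
        String hql = "from PrdOffering p where p.prdOfferingName = '" + name + "'";
        return session.createQuery(hql).list();
    }

    // Safe: the query text is fixed in the mapping file. The value is bound to
    // the :prdOfferingName placeholder by the driver, so it is only ever data
    // and is never parsed as HQL or SQL, whatever characters it contains.
    public List findByName(String name) {
        Query query = session.getNamedQuery("findOfferingByName");
        query.setParameter("prdOfferingName", name);
        return query.list();
    }
}
```

The same rule applies when HQL is written inline rather than in a mapping file: `session.createQuery("... = :prdOfferingName").setParameter("prdOfferingName", name)` binds the value instead of splicing it into the query text. A quick audit check is to grep the data-access code for `createQuery(` or `createSQLQuery(` whose argument contains a `+`; any hit is a candidate for conversion to a bound parameter.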

In generating HTML, we need to escape all data (less than, greater than, and ampersand). Some of our code does this via MifosTagUtils#xmlEscape. You can help MIFOS by helping us find places where we need to be calling it. Generating HTML via string operations is error prone; one easy step, which can be implemented incrementally, is to change string operations over to XmlBuilder, which automatically escapes all text it outputs and provides separate methods to safely generate tags.
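As an added, self-contained example (not Mifos code, and not the real MifosTagUtils or XmlBuilder API), the class below shows the two approaches side by side: an escaping function of the kind xmlEscape provides, and a minimal builder in the spirit of XmlBuilder whose only way to emit text or attribute values passes through that function, so that a caller cannot forget to escape. The escaper goes slightly beyond the three characters named above by also escaping quotation marks, which makes the output safe inside attribute values as well as element content. The builder's method names (startTag, text, endTag) and the sample input are assumptions constructed for this example.

```java
public final class HtmlEscapeExample {

    // Escapes the characters that matter in element content (& < >) and, in
    // addition, both quote characters so the result is also safe inside a
    // double- or single-quoted attribute value.
    public static String xmlEscape(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Minimal builder in the spirit of XmlBuilder; the method names are an
    // assumption, not the real class's API. Callers never concatenate raw
    // strings into markup: text() and attribute values are always escaped,
    // and tags are produced only by startTag()/endTag().
    public static final class SimpleXmlBuilder {
        private final StringBuilder out = new StringBuilder();

        // attrs are name/value pairs: startTag("td", "title", value)
        public SimpleXmlBuilder startTag(String name, String... attrs) {
            requireName(name);
            out.append('<').append(name);
            for (int i = 0; i + 1 < attrs.length; i += 2) {
                requireName(attrs[i]);
                out.append(' ').append(attrs[i]).append("=\"")
                   .append(xmlEscape(attrs[i + 1])).append('"');
            }
            out.append('>');
            return this;
        }

        public SimpleXmlBuilder text(String s) {
            out.append(xmlEscape(s));
            return this;
        }

        public SimpleXmlBuilder endTag(String name) {
            requireName(name);
            out.append("</").append(name).append('>');
            return this;
        }

        @Override
        public String toString() {
            return out.toString();
        }

        // Tag and attribute names come from code, not from users, but rejecting
        // anything other than a simple XML name keeps that assumption honest.
        private static void requireName(String n) {
            if (n == null || !n.matches("[A-Za-z_][A-Za-z0-9_.-]*")) {
                throw new IllegalArgumentException("not a valid name: " + n);
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a product offering name as a user might type it.
        String untrusted = "Loan <b>\"Special\" & Co</b>";

        // Approach 1: escape at each output point (easy to forget somewhere).
        System.out.println("<td>" + xmlEscape(untrusted) + "</td>");

        // Approach 2: route all output through the builder (nothing to forget).
        String row = new SimpleXmlBuilder()
            .startTag("td", "title", untrusted)
            .text(untrusted)
            .endTag("td")
            .toString();
        System.out.println(row);
    }
}
```

The practical value of the builder is reviewability: once markup is produced only through it, the places that still need attention are exactly the remaining `"<" + ...` string concatenations, which can be found with a search and converted one at a time.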

See also

SecurityPage


Revision r1 - 27 Feb 2005 - 10:25:32 - Main.jkingdon
Parents: MifosFaqs