
Are servlets good to use for my websites login confirmation page?

I am creating a web site in which users will be registered, and a user will be redirected if he/she already has an account.

So I was thinking of using a servlet to link the form and the database.

Is it safe from hacking?

Which language has less chance of getting hacked than servlets?

Well, I am quite excited to create it, but I really don't want hacking my site to be a very easy task.


As long as you are using Java for web forms, at some point any framework you use is based on servlets. So if you use them properly, yes it is safe.

The main point to keep in mind to prevent cracking your authentication (if database based) is SQL injection. As long as you use Hibernate, JPA or prepared statements you should be safe.

If using Tomcat, you can also start with Tomcat native authentication.


Just like any other framework, it's reasonably safe from hacking and not totally immune. You will be vulnerable to:

  • mistakes in your code/logic;
  • vulnerabilities in Tomcat/your servlet runner as they are discovered;
  • vulnerabilities in the JVM as they are discovered;
  • vulnerabilities in the OS;
  • vulnerabilities in... well, you get the idea...

In other words, it's essentially not so different from anything else you might decide to use (be it PHP etc). I personally prefer Java to e.g. PHP because I have more confidence that there isn't some random default setting that's going to put the app at risk. But that's also because I'm far more of an expert in Java than PHP-- "use the technology you know best" is also another strategy...

Main things to keep in mind, apart from keeping your infrastructure updated:

  • don't use "raw" SQL to access the DB: at least use prepared statements, and for good measure implement some sensible validation on user input;
  • look at the Servlet Session API;
  • you generally want to check the logged in user for every page request: not sure exactly what you meant by "redirection";
  • if possible, firewall off "raw" access to the database, so that only localhost/the app server (if hosting the DB on a separate server-- guess you won't be to start off with) can access your DB (if you need to access it remotely, consider a VPN connection).

I also wouldn't necessarily just "dive in": have more of a read round the subject.

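The two points both answers make (bind user input with a prepared statement instead of concatenating it into SQL, then record the login in the Servlet Session API) put together in one login servlet. This is an added example, not code from the question or either answer; the `DataSource` pool, the `PasswordHasher` verifier and the `users` table with `username` and `password_hash` columns are assumptions.

```java
import java.io.IOException;
import java.sql.*;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.sql.DataSource;

public class LoginServlet extends HttpServlet {
    // Assumed, hypothetical collaborators: a container-managed connection pool
    // and a password verifier (e.g. a bcrypt wrapper); neither is shown here.
    interface PasswordHasher { boolean verify(String password, String storedHash); }
    private DataSource dataSource;
    private PasswordHasher hasher;

    // The "raw" SQL the answers warn against: input spliced into the query text, so a
    // crafted username changes the meaning of the query. Shown only for contrast.
    // String raw = "SELECT id FROM users WHERE username='" + user + "'";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pw = req.getParameter("password");
        // Sensible validation of user input before touching the database (assumed policy).
        if (user == null || pw == null || !user.matches("[A-Za-z0-9_]{3,32}")) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Prepared statement: the username is bound as a parameter, never concatenated.
        String sql = "SELECT id, password_hash FROM users WHERE username = ?";
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, user);
            try (ResultSet rs = ps.executeQuery()) {
                if (rs.next() && hasher.verify(pw, rs.getString("password_hash"))) {
                    req.changeSessionId();                 // Servlet 3.1+: fresh id after login
                    HttpSession session = req.getSession(true);
                    session.setAttribute("userId", rs.getLong("id"));
                    resp.sendRedirect(req.getContextPath() + "/home");
                    return;
                }
            }
        } catch (SQLException e) {
            throw new ServletException(e);
        }
        // Same response whether the user is unknown or the password is wrong.
        resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
}
```

The per-request check from the second answer is then a `Filter` on the protected paths that rejects any request whose session has no `userId` attribute, rather than relying on the one-time redirect.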
