[3977] in WWW Security List Archive
Re: www, database and security
daemon@ATHENA.MIT.EDU (John Gervasi - Loral - X1468)
Tue Jan 14 12:05:42 1997
Date: Tue, 14 Jan 1997 09:19:21 -0500
From: gervasi@manassas1.tds-gn.lmco.com (John Gervasi - Loral - X1468)
To: ajenie@pop03.ca.us.ibm.net, joang@lix.intercom.es
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
> From owner-www-security@ns2.rutgers.edu Mon Jan 13 22:37:45 1997
> X-Info: LMCO.COM is the new name for Reston.UnisysGSG.COM=20
All current Reston.UnisysGSG addresses are affected.
Lockheed Martin employees can check new user addresses at:
http://d197x.is.lmsc.lockheed.com/find-a-name/find-a-name.html
> Date: Mon, 13 Jan 1997 09:42:44 +0100
> From: "Joan G.Villaraco y Perez" <joang@lix.intercom.es>
> Mime-Version: 1.0
> To: Andre Jenie <ajenie@pop03.ca.us.ibm.net>
> Cc: www-security@ns2.rutgers.edu
> Subject: Re: www, database and security
> Content-Transfer-Encoding: 7bit
>=20
> Andre Jenie wrote:
> >=20
> > Hi,
> >=20
> > Maybe I can comment a little:
> >=20
> > > 1) Which methods exist to connect a database to the web?
> > > (Up to now I know about Sybase CGI interface and
> > > Sybase NSAPI interface - which else do exist?)
> >=20
> > I know about DB2WWW, one RDBMS from IBM. They are now concentrating
> > in providing the best solution for expanding the legacy database
> > connection (which mostly resides in DB2, IMS) to Internet/Intranet.
> > You can find it in www.software.ibm.com
> >=20
> > Or you can try also IIS from Microsoft. They have API that you can
> > use to connect your web server to any database through ODBC. You =
can
> > even use VisualBasic-like language to build your CGI using VBScript.
>=20
> What about connect them using JavaScript, with it you are able to
> connect with embedded code in HTML page and your able to connect to
> Sybase directly with native drivers. You are able to find it in
> http://home.netscape.com .
>=20
The problem is going directly to a database from the browser using =
JavaScript=20
you are circumventing any security implemented between the browser and =
server,=20
like SSL.
MY COORDINATES:
John J. Gervasi
Engineering Support Manager
Global Transportation Network Project
=20
Lockheed Martin=20
9255 Wellington Road, Building 102
Manassas, Virginia 20110-4121
=20
work 703.367.2534
fax 703.367.1076
e-mail john.j.gervasi@lmco.com
or gervasi@manassas1.tds-gn.lmco.com
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Remember, life is what happens to you while
you were hoping for other results. :-)
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
> >=20
> > > 2) Which security problems can arise with these methods?
> >=20
> > Basically, the database server will treat you as a one instance
> > connection from one client. So, any Internet connection will use =
the
> > userid/password that has been given to the Internet Server (maybe
> > somebody can add other security issues ??). Bottom line is we'll =
use
> > the security scheme that comes from the database system.
> >=20
> > Hope this will help.
> >=20
> > Thank You and Have a Nice Day,
> > Andre Jenie
> > Security Analyst
> > Jakarta, Indonesia
> > Thank You and Have a Nice Day,
> > Andre Jenie
> > Security Analyst
> > Jakarta, Indonesia
>=20
> --=20
> =
------------------------------------------------------------------------
> Joan G.Villaraco y Perez Tel =
34-3-580-2500
> Ingeniero de Sistemas Fax =
34-3-580-0995
> ADD Servicios Informaticos, s.a. (Trabajo)
> mailto:joang@lix.intercom.es =20
> Parque Tecnologico del Valles (Personal) =
mailto:joang@redestb.es=20
> 08290-Cerdanyola-Barcelona (SPAIN) =
http://www.add.es
> =
------------------------------------------------------------------------
>=20
