XoJo Security

I know nothing can be 100%. That being said, are there any security risks to a server running XoJo as far as a hacker gaining access beyond the application itself? I have a firewall on a public IP, using PAT from port 80 to my WE app port number on the internal network. So I’m wondering about attacks such as buffer overflows or code injection on the client side.

Buffer overflows and code injection are safe as far as I know. At best you’ll get the Xojo web app to crash. The biggest concern that I know of is SQL injection attacks, but as long as you’re using Prepared Statements you should be good.

We have a client that does intrusion detection that loves using Xojo apps because it passes their own intrusion detection system quite handily. This was a few years ago but out of their 20 tests Xojo passed the first 8 tests. That sounds bad but most websites/web apps only pass the first test and rarely make it past #3. Again, this was years ago and I know Xojo has done some things to make security even better.

Perhaps this info might be useful:

Xojo Web App Security

[quote=230344:@Bob Keeney]Buffer overflows and code injection are safe as far as I know. At best you’ll get the Xojo web app to crash. The biggest concern that I know of is SQL injection attacks, but as long as you’re using Prepared Statements you should be good.

We have a client that does intrusion detection that loves using Xojo apps because it passes their own intrusion detection system quite handily. This was a few years ago but out of their 20 tests Xojo passed the first 8 tests. That sounds bad but most websites/web apps only pass the first test and rarely make it past #3. Again, this was years ago and I know Xojo has done some things to make security even better.[/quote]
We also added some of this user’s suggestions to bolster the Xojo web framework.

Well, thanks guys, I learned something today. I’ve been using my own (old VB) function sqlsafe() to prepare users’ data for SQL statements.
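The two posts above (Bob's advice to use prepared statements, and the reply about a hand-rolled sqlsafe() escaper) are worth seeing side by side in code. The following is an added example written for this page; it is not code from the thread or from Xojo Inc. It uses the classic (pre-API 2.0) Xojo database classes that match the era of this thread, an in-memory SQLiteDatabase, and a constructed `users` table. The function names (SqlSafe, FindUserConcat, FindUserPrepared and so on) are assumptions chosen for the illustration.

```xojo
' Added example, not from the thread or from Xojo Inc. Classic Xojo database API.
' The users table and its rows are constructed purely for this demonstration.

Function SqlSafe(s As String) As String
  ' A typical VB-era escaper: double every single quote. It only helps when the
  ' caller remembers to wrap the value in quotes, which is the weak link shown
  ' in FindUserByIdConcat below.
  Return ReplaceAll(s, "'", "''")
End Function

Function RowCount(rs As RecordSet) As Integer
  ' Counts rows in a RecordSet; Nil means the query failed (e.g. a syntax error).
  If rs = Nil Then Return 0
  Dim n As Integer
  While Not rs.EOF
    n = n + 1
    rs.MoveNext
  Wend
  Return n
End Function

Function FindUserConcat(db As SQLiteDatabase, name As String) As Integer
  ' VULNERABLE: the user-supplied text becomes part of the SQL grammar.
  Dim rs As RecordSet = db.SQLSelect("SELECT id FROM users WHERE name = '" + name + "'")
  Return RowCount(rs)
End Function

Function FindUserByIdConcat(db As SQLiteDatabase, id As String) As Integer
  ' STILL VULNERABLE despite SqlSafe: a numeric column is written without
  ' quotes, so there is nothing for the quote-doubling escaper to neutralise.
  Dim rs As RecordSet = db.SQLSelect("SELECT id FROM users WHERE id = " + SqlSafe(id))
  Return RowCount(rs)
End Function

Function FindUserPrepared(db As SQLiteDatabase, name As String) As Integer
  ' SAFE: the statement text is fixed; the value is bound as a typed parameter
  ' and can never change the structure of the query.
  Dim ps As SQLitePreparedStatement = _
    SQLitePreparedStatement(db.Prepare("SELECT id FROM users WHERE name = ?"))
  ps.BindType(0, SQLitePreparedStatement.SQLITE_TEXT)
  ps.Bind(0, name)
  Return RowCount(ps.SQLSelect)
End Function

Function FindUserByIdPrepared(db As SQLiteDatabase, id As Integer) As Integer
  ' SAFE: the caller must supply an Integer, so text such as "0 OR 1=1"
  ' cannot reach the query at all.
  Dim ps As SQLitePreparedStatement = _
    SQLitePreparedStatement(db.Prepare("SELECT id FROM users WHERE id = ?"))
  ps.BindType(0, SQLitePreparedStatement.SQLITE_INTEGER)
  ps.Bind(0, id)
  Return RowCount(ps.SQLSelect)
End Function

Sub RunInjectionDemo()
  ' Call this from App.Open or a button's Action event.
  Dim db As New SQLiteDatabase   ' no DatabaseFile set, so Connect creates an in-memory database
  If Not db.Connect Then Return
  db.SQLExecute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
  db.SQLExecute("INSERT INTO users (name) VALUES ('alice')")
  db.SQLExecute("INSERT INTO users (name) VALUES ('bob')")

  ' Constructed attacker inputs.
  Dim injectedName As String = "' OR '1'='1"   ' closes the quote and appends a tautology
  Dim injectedId As String = "0 OR 1=1"        ' no quotes involved, so SqlSafe changes nothing

  ' Concatenation matches every row for the injected name; the prepared
  ' statement looks for a user literally named "' OR '1'='1" and finds none.
  System.DebugLog("concat name:   " + Str(FindUserConcat(db, injectedName)))
  System.DebugLog("prepared name: " + Str(FindUserPrepared(db, injectedName)))

  ' SqlSafe does not stop the unquoted numeric case; binding an Integer does.
  ' Val() turns the attacker's string into 0, which matches no row.
  System.DebugLog("concat id:     " + Str(FindUserByIdConcat(db, injectedId)))
  System.DebugLog("prepared id:   " + Str(FindUserByIdPrepared(db, Val(injectedId))))
End Sub
```

The point of the second pair of functions is the one a hand-rolled escaper tends to miss: quote-doubling is only effective when every call site also wraps the value in quotes, whereas a bound parameter enforces the type and the query shape at the database driver rather than relying on each developer to get the string building right.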

Hi Greg, it is good to hear XoJo is proactive in correcting potential security holes. Is there a formal place dedicated to security bulletins (other than release notes or the Feedback system)?

No. When we get notification of a security hole, whether by Feedback or other means, we evaluate it and make corrections as necessary.

Just like any other product, using the latest version of Xojo means you’ve also got the latest patches.