My long-awaited article on Data Access Layer security is here! None of what I talk about is really new information, but it is put forth in a unique way. Here's an excerpt:
For many developers, building applications is a lot like building a family. The Business tier is like the oldest child: mature and responsible, it knows how to handle everything, and is good at telling people what to do. The Presentation tier is like the youngest child. The baby of the family, this one is cute, flashy, and gets all the attention. The Data tier is often like the middle child: pivotal to the family unit but largely unnoticed, insecure, and left to fend for itself. In this article, I'm going to show you how to nurture your middle child, the Data tier, and give it the tools it needs to survive in harsh environments.

In this article I address several issues, such as SQL injection attacks, direct query statements, and poor object-oriented code. My editors totally removed the section where I talk about Interscape's SQL sandbox, but oh well. I'll discuss it more at a later date. I spent a lot of time on this article, because the topic needs to be addressed. I would highly recommend that you go check it out.