Security Coding Practices for Developers


Related Topics: AppConfig Security | ControlScan Partner Program | Data Encryption | Enabling SSL | Security Best Practices | Web.config authentication

We adhere to the following coding rules to prevent cross-site scripting (XSS), SQL injection, and similar attacks. We have also tested against SQL injection: an injection attempt will usually cause the page to fail completely, which prevents the attacker from viewing any data. The techniques are as follows:

  1. Server.HtmlEncode ANYTHING AND EVERYTHING that comes from the user or from the query string and is rendered in the page output. This prevents JavaScript insertion and other attempts to inject code fragments into the page. This applies even if you are writing the value out inside an HTML comment!

  2. Use proper JavaScript form field validation routines, where possible, to restrict the range of inputs to an allowed value set.

  3. Properly construct SQL queries, in combination with stored procedures as necessary for performance, to prevent SQL injection techniques.

  4. Follow the security guidelines set forth above on this page, including, but not limited to, adding Windows NT authentication to your admin site and maintaining good physical control over the servers and your passwords.

  5. Two (2) independent third-party security auditors were given our source code, reviewed our store site, and searched for holes. If your code is older than 3/30/04, you may want to contact us for the latest source fragments that we have incorporated. We are not posting them here for obvious reasons. Keep in mind that because we sell source code, adherence to strict security policies is paramount if you are making custom code modifications.
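The following C# listing is an added example of rules 1 through 3 above in an ASP.NET (.NET Framework) code-behind; it is not code from this product or from the original page. It shows output encoding of user input (including inside an HTML comment), a server-side re-check of an allowed value set that mirrors the client-side JavaScript validation (a request can be submitted without the browser script ever running, so the server must enforce the same set), and a string-concatenated SQL query beside its parameterized form. The `Products` table, its columns, the `SearchProducts` stored procedure, the sort-order whitelist and the sample inputs are all constructed for illustration.

```csharp
// Added example (not from the original page or product). Assumes System.Web and
// System.Data.SqlClient from the .NET Framework. Table, column and procedure names,
// the connection and the allowed-value set are constructed for illustration.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Web;

public static class SafeRendering
{
    // Rule 1: encode anything from the user or query string before it reaches the
    // page output. HttpUtility.HtmlEncode is the routine behind Server.HtmlEncode.
    public static string RenderGreeting(string rawName)
    {
        string safeName = HttpUtility.HtmlEncode(rawName ?? string.Empty);
        return "<p>Welcome, " + safeName + "</p>";
    }

    // Rule 1 applies inside HTML comments too: an unencoded "-->" in the value would
    // close the comment and let the remainder of the input render as markup.
    // Encoding turns ">" into "&gt;", so the comment stays closed only where intended.
    public static string RenderDebugComment(string rawValue)
    {
        return "<!-- search term: " + HttpUtility.HtmlEncode(rawValue ?? string.Empty) + " -->";
    }
}

public static class FieldValidation
{
    // Rule 2 is enforced in JavaScript on the form; the same allowed value set is
    // re-checked here so a request that bypasses the browser gets the same answer.
    private static readonly HashSet<string> AllowedSortOrders =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "price", "name", "newest" };

    public static bool TryGetSortOrder(string raw, out string sortOrder)
    {
        sortOrder = null;
        if (string.IsNullOrEmpty(raw) || !AllowedSortOrders.Contains(raw))
            return false;
        sortOrder = raw.ToLowerInvariant();
        return true;
    }
}

public static class ProductQueries
{
    // Rule 3, the form to avoid: the search term becomes part of the SQL text, so a
    // quote character in the input changes the statement the server executes.
    public static string BuildUnsafeSql(string searchTerm)
    {
        return "SELECT ProductID, Name FROM Products WHERE Name LIKE '%" + searchTerm + "%'";
    }

    // Rule 3, hardened form: the term travels as a typed parameter and is only ever
    // compared as data. The ORDER BY column cannot be parameterized, so it is chosen
    // from the whitelist above rather than taken from the request.
    // Note: "%" and "_" in the term are still LIKE wildcards; escape them if exact
    // substring matching matters.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string searchTerm, string sortOrder)
    {
        string validSort;
        if (!FieldValidation.TryGetSortOrder(sortOrder, out validSort))
            validSort = "name";

        var cmd = new SqlCommand(
            "SELECT ProductID, Name FROM Products WHERE Name LIKE @pattern ORDER BY " + ColumnFor(validSort),
            conn);
        cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 100).Value = "%" + (searchTerm ?? string.Empty) + "%";
        return cmd;
    }

    // Same query through a stored procedure (hypothetical name), as the page suggests
    // for performance; parameters are passed exactly the same way.
    public static SqlCommand BuildStoredProcCommand(SqlConnection conn, string searchTerm)
    {
        var cmd = new SqlCommand("SearchProducts", conn) { CommandType = CommandType.StoredProcedure };
        cmd.Parameters.Add("@SearchTerm", SqlDbType.NVarChar, 100).Value = searchTerm ?? string.Empty;
        return cmd;
    }

    private static string ColumnFor(string sortOrder)
    {
        switch (sortOrder)
        {
            case "price": return "Price";
            case "newest": return "DateAdded DESC";
            default: return "Name";
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed inputs: a name carrying markup and a search term carrying a quote.
        Console.WriteLine(SafeRendering.RenderGreeting("<script>alert(1)</script>"));
        Console.WriteLine(SafeRendering.RenderDebugComment("--><b>x</b>"));
        Console.WriteLine(ProductQueries.BuildUnsafeSql("O'Reilly"));
        // The connection is never opened here; the command text is what we inspect.
        SqlCommand safe = ProductQueries.BuildSafeCommand(new SqlConnection(), "O'Reilly", "DROP TABLE Products");
        Console.WriteLine(safe.CommandText + "  [@pattern = " + safe.Parameters["@pattern"].Value + "]");
    }
}
```

Running `Demo.Main` prints the encoded greeting and comment, the concatenated statement with the stray quote inside it, and the parameterized statement whose text never changes regardless of the term; the unrecognised sort value falls back to the default column instead of reaching the SQL.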

   Copyright © 1995-2006 All rights reserved.