security

Do I need to escape characters when sending emails?

I'm using Django Contact Form on a website to allow visitors to send emails. Currently, it's escaping characters, so single and double quotation marks are converted to ' and " respectively. The emails would be more readable if quotation marks were displayed as ' and ". I understand why I should never put unescaped input from ...

How to grant an applet permission for the resource accesses it needs?

Hi, I have a problem with defining permissions for my applet, which needs special resource access, like getting the user.name property or file system commands like create, read, write directory or files... the applet must write any data (e.g. images) received from a web application into files in the temp directory, using user.name to make ...

Storing and reading images above public_html

I am trying to secure my PHP image upload script and the last hurdle I have to jump is making it so that users cannot directly execute the images, but the server can still serve them in web pages. I tried changing ownership and permissions of the folders to no avail, so I am trying to store the images above public_html and display them ...

What type of information should be saved in a Cookie (PHP)

I'm making a login/logout class that logs users in and sets cookies based on the user's choice. The user enters their email/password and it checks the database; if the email/password combo exists, a session is created, a cookie is set (with the user's id) and the user is redirected... I then have a function that logs users in by taking the user id sa...

Restrict access to .NET assembly?

Is there a way to have a .NET assembly accessible only to authorized sources? I mean I want to have a DLL that contains components, but I don't want anyone to be able to use these components except the other DLLs/EXEs in my solution. I do want them to be in separate DLLs though. Restriction on namespace might also be a good idea if this...

Where is the policy file located for my applet that needs client permission to access resources?

Hi, I found out that I must write a policy file to grant permissions for my applet... but I am really confused by it... :( I want to write an applet that is a map viewer; I need to save image tiles on the client that runs my applet, to access the tiles locally and gain speed and time while safely viewing the map, which is a benefit to the user... so, the applet nee...

Securing POST data in web application

I have a web application which has basic authentication - username, password, session and stuff. However I have a specific need to prevent users from spoofing the POST requests (even for logged in users). In my application, I am specifically validating the user's session before accepting the POST data (taking care of XSS and stuff also)....

How to change the session id after login in ASP.NET

I have a website that's using forms authentication and membership. A user must have cookies enabled to use the site. I've been asked to change the code so that the session id is changed as soon as a user logs in. Apparently this will protect against a Session Fixation attack (http://en.wikipedia.org/wiki/Session%5Ffixation). Does anyone ...

Auto update: Is this secure?

Dot Net Auto Update: I felt like .NET was lacking a simple, secure automatic update library, so I've implemented something and put it up here. Before anyone considers using the library, I was keen for the update process to get a bit of peer review. Here are the steps: The client software is populated with a public key and a URI to poll. Cl...

Using a PHP as a Javascript file - Security?

What are the issues with using a PHP file instead of a .js file in a JavaScript include: <script type='text/javascript' src='myjavascript.php'></script> Obviously I will go through and plug register_globals issues and such, but are there other vulnerabilities that could occur from this? Consider that 100,000+ people will be viewing th...

Refreshing a sitemap-based menu on ASP.NET site when roles change

I'm using ASP.NET Sitemaps with a custom Role Provider to generate a site Menu that displays available links depending on user role. This works fine if the roles don't change while a user is logged in. When the roles do change while the user is logged in, the Menu isn't automatically updated (I've checked, and the Roles.GetRolesForUser(...

Drupal Registration: Avoiding A Password

I'm not new to Drupal module development, but am new to the security system. Our users authenticate via a system-wide NetID, so we don't need or want a password. We do, however, still need a local user account so users can post, change their profile, etc. Because we needed this change fairly quickly, I've modified the /modules/user/user...

How to implement/use a secure 'read-once' local file access system?

Hi, does anybody know of a secure 'read-once' local file access system? Or how one might create one? I realise that if data is to be used on a system, then it must be capable of being read, but I think it may be possible to severely limit how data is made available and reduce the possibility of it being copied and used elsewhere. These ...

Restricting public access to a file on an ASP.NET site

Hi, I'm trying to prevent access to a specific file, not any files with a certain extension, just one specific file. The issue is that the end user can just type /filename.xml into their browser and see the contents of this file; I'd rather they not be able to see this. Things I have tried: 1) Putting the file elsewhere. I have a "...

ASP.NET authorization using a URL

This question has probably been asked before, but it seems like I can't phrase my search correctly enough to find the answer. Normally when you sign up to get access to a forum on the internet, an authorisation email is sent to you and you can click a link which leads you to a page which performs the authorisation. What I want is to s...

How to restrict access to a WCF service with a shared key

I have a few services that are being consumed by clients within a secure zone. I've been asked to protect these services, typically against development clients mistakenly connecting to the wrong service. The idea was to use a pre-shared key (like a GUID) which is set in the config for both the client and the service host. Whenever the client t...

Hide autoincrement ids in GET parameter (PHP)

Hello! Problem: I have dynamic pages in PHP where the content is shown according to the given id. The id is always submitted via a GET parameter: page.php?id=X This causes a problem: Site visitors can enumerate the ids and simply walk through all the different content pages. This shouldn't be possible, of course. How could this be sol...

Scala Remote Actor Security

What is the (or a) recommended way to implement security for Scala Remote Actors (authentication of remote nodes allowed to speak to this actor, and encryption of the contents of the discussion)? Has anyone done this; how did it work out? SSL... some Java library... some JSR... custom serialization... only VPN is going to work on this...

Get permissions for a stored procedure in SQL Server 2005

How do I get the granted permissions for a stored procedure in SQL Server 2005? ...

Is it possible to use a different database name with SqlMembershipProvider

Can I specify a different database than ASPNETDB using SqlMembershipProvider? I am developing a site on a shared host, and have to restrict my data schema to a single provided database. I was roundly scolded last time I suggested rolling my own authentication code. Alternatively, is there some other packaged authentication system I co...