We have a bespoke C# web app that stores extra information about a physical folder structure. Every folder or file in the company share has a record in SQL. We use the web app to search these records. I want to store Active Directory permissions of the physical paths against the SQL records.
What is the preferred method of querying AD...
I have a client-server application where a .NET client accesses all the data and stored procedures in a SQL Server 2008 database.
Is there any way to protect all this data so that only the users I create and authorize can access this specific database? Especially the user 'sa' comes to mind. I don't like him to access all my data.
...
I have to generate roughly 18,000 PDFs that contain sensitive information. The PDFs will be served up through a web application to the end users. Obviously, some users need to see more reports than others. The two ways I'm thinking of serving up the PDFs are physically saving each PDF to a directory under the web application or storin...
Hi,
How can I check and make sure that a class uses my own custom security attribute? I know that I can use reflection to get normal attributes, but if the custom attribute is based on a security attribute as shown below reflection doesn't show it. Is there any way to check that?
Why I would need this is to make sure that a plugin that...
I am receiving the following error:
ORA-12406: unauthorized SQL statement for policy
I am executing a stored procedure that executes the following two Oracle Label Security stored procedures:
SA_COMPONENTS.CREATE_GROUP
SA_LABEL_ADMIN.CREATE_LABEL
In the same transaction, but not the same procedure, I am trying to insert into a tabl...
I am currently working on a .net project which I am dividing into different assemblies.
One assembly (a dll) will contain most of the domain logic, and the other assemblies (.exe) will contain most of the presentation and control logic.
My question is, if I want to prevent someone from getting my DLL, and adding it as a reference on Vi...
Hey, I'm working on my first PHP site, and was hoping to get some thoughts from you guys.
1- I'm using a txt file database, cuz it's a simple set of scripts. I know that's not recommended, but I wanted to work with it some, before getting into MySQL. Thoughts on this in general? Pros, cons? Vulnerable?
2- Related to the previous question ...
We use JAAS in a heavily loaded web server. The configuration file is loaded from a file,
System.setProperty("java.security.auth.login.config", "/config/jaas.config");
During profiling, we noticed that the configuration is loaded from file for every login attempt. This is an I/O operation we try to avoid. Is there any way to store th...
I'm building my own clone of http://statoverflow.com/sandbox (using the free controls provided to 10K users from Telerik). I have a proof of concept available I can use locally, but before I open it up to others I need to lock it down some more. Currently I run everything through a stored procedure that looks something like this:
CREA...
If I have both the initial key and the hash that was created, is there any way to determine the hash algorithm?
For example:
Key: higher
Hash: df072c8afcf2385b8d34aab3362020d0
Algorithm = ?
...
What are the best practices to prevent XSS vulnerabilities?
A lot of people on here have mentioned whitelists which sounds like a good idea, but I see many people define the whitelist using a RegEx. This seems inherently flawed because it depends on many factors, the least of which is the RegEx implementation and the skill of the perso...
Hi,
In my application users have their own "websites" which can be reached if they are signed in.
However, since these websites are just directories containing HTML and other documents, everyone in the world can reach them if they know the address. I can't have that :) A user should be able to decide whether or not the world might see t...
I'm building a site and I would like to have external content dynamically loaded in a div using jQuery. The content could be a Google search page, where one can navigate without actually leaving the site. Could someone exploit this and drive to a content of his own and run malicious code inside my site? Are there ways to prevent this? Is...
Hi,
In C#, System.IO.File.Delete(filePath) will either delete the specified file, or raise an exception. If the current user doesn't have permission to delete the file, it'll raise an UnauthorizedAccessException.
Is there some way that I can tell ahead of time whether the delete is likely to throw an UnauthorizedAccessException or not ...
In C# (2.0), how do I remove all permissions to a directory, so I can limit the access? I will be adding access back to a limited set of users.
...
I am trying to secure a MSSQL database for our .NET website.
I wanted to separate the database into different schemas so that we had a schema like 'Account' which had personal information and a schema like 'Public' that had generic public content data.
Each of these schemas would be accessed using different SQL user accounts and they...
Consider an IIS6 Application under a web site:
Windows authentication is enabled.
anonymous is off
This is an ASP.NET MVC application with Areas. The root web.config has the authentication and authorization nodes as follows:
<authentication mode="Windows"></authentication>
<authorization>
<allow users="domain\abc, domain\xyz, ...
Scenario A:
SqlConnection con = new SqlConnection(myConnString);
SqlDataAdapter adp = new SqlDataAdapter("EXEC spGetUserInfo 42", con);
DataSet ds = new DataSet();
adp.Fill(ds);
Scenario B:
SqlConnection con = new SqlConnection(myConnString);
SqlCommand cmd = new SqlCommand();
cmd.Connection = con;
cmd.CommandText = "spGetUserInfo";
cmd.CommandType ...
Does anyone know of any API key generator script/class for PHP? The class should have method generate, that would generate a key and isValid() method, to check if the key is valid.
Thanks!
...
Is it better when a user forgets their password to have them reset their password or to just send the lost password back to them?
...