Can anyone shed some light on why DotNetNuke comes configured with request validation and event validation disabled? They’re both off at the web.config level for a default install which seems to be a regressive approach. Are there any sound reasons for this and what is the functional impact on DotNetNuke if they’re turned back on?
Obvio...
Imagine I have an existing process running under windows as a particular user. Would it be permitted for that process to take its current token (with something like OpenThreadToken and DuplicateTokenEx), pass it to another process on the same machine (perhaps through a network socket or some other IPC), and then expect that process to be...
Hello everyone,
I am using SharePoint Server 2007 Enterprise with Windows Server 2008 Enterprise. I have deployed a publishing portal. I am developing an ASP.Net web application using VSTS 2008 + C# + .Net 3.5 + ASP.Net + SharePoint Server 2007 SDK.
I found sometimes we need to use SPWebApplication.FormDigestSettings.Enabled = false in ...
Hi,
I am aware I should be using prepared statements, and my next project will be using prepared statements; I just need to finish this simple little application.
So my question is:
Is the following snippet of code secure?
I have used htmlentities as well as mysql_real_escape_string because I thought it was a safe option.
//Imag...
Hello, everyone!
I've built a Netbeans project with Java Webstart enabled. The .jar itself seems not to have changed, but there are new files such as launch.jnlp. Inside there are some references to other jars and to that of the main project.
The project now can be launched not only with java -jar MyProject.jar, but also with javaws laun...
Hi,
How do I add the list of allowed items (gif$|jpg$|png$|jpeg$)
into the following code
$regexp = "/[0-9a-zA-Z\.]/";
if (preg_match($regexp, $imageInput))
Also, how do I add an exclude list, e.g. to stop people uploading .exe files etc.?
Thanks
EDIT
I fixed it with the following code
any advice on how to make it better ...
I'm developing an "offline" application for a local government that will be used to collect sensitive information. The application will sync back up to the mothership periodically, but it will generally be used offline.
It'll be running on Windows, written in .NET/WPF. I'll need a small "local" database, so I'm looking at SQLite. I c...
Hi,
It has a been a long day but I cannot seem to choose in my own head which is better or if I should use both.
Basically, what should I use to sanitize user-inputted values? Is it either the htmlentities or the preg_match function?
I will then if the value goes into a sql query use the mysql_real_escape_string function but only until I...
Hi, I am developing my application in Flex and JSP. When I pass values through the HTTPService POST method with a request object, these values are being traced and modified by the testing team, so I am planning to encrypt the values in Flex and decrypt them in JSP. Are there any algorithms like SHA or MD5, or more secure algorithms? So please send a...
Usually, I try to set my folders to have permission 775, but some web hosting refuses to let PHP write or move files to any folder unless it has permission 777 (it may be open_dir or safe mode).
Are there any ways to prevent any PHP files from being run from such folders, in case a malicious PHP script has been uploaded there?
...
Possible Duplicate:
Best way to stop SQL Injection in PHP
I have seen some examples that use something called a PDO to make a query safe from sql-injection, or others that use real_escape, but they all seem to be incomplete or assume some knowledge. So I ask, take this simple update query and make it safe from sql-injection...
For a web application, when HTTPS is not available as a security measure, is it possible to still make the login somewhat secure? E.g.:
Tokenize logins, to make repeat attacks difficult?
Somehow encrypt the sent password from an HTML password field?
In particular I'm using CakePHP and an AJAX POST call to trigger authentication (includ...
Is this link sufficient, for example, for input filtering of form data? With a POST, for example?
<?php
$var = 300;
$int_options = array(
    "options" => array(
        "min_range" => 0,
        "max_range" => 256
    )
);
if (!filter_var($var, FILTER_VALIDATE_INT, $int_options))
{
    echo("Integer is not valid");
}
else
{
    echo("Integer is valid");
}
?> ...
Hi,
I am working on a desktop app that will use Lucene as its search engine. The app will be installed on the user's machine and the index will be stored on the local hard disk.
The data is potentially confidential so I would like to protect the index from unauthorized access. The data needs to be secure even when the user's machine gets ...
Inspired by the discussion in this question, a maybe stupid question.
We have all been taught that leaving directories or files on Linux-based web hosting with the permission level of 777 is a bad thing, and to give always as little permissions as necessary.
I am now curious as to where exactly lies the danger of exploitation, specific...
Hey everyone,
I have a security-related question. My web application allows users to input URLs. The URL is immediately stored in the database (no sanitization at this point. Is this wrong?). I'm using Linq to SQL so it's already parameterized. When displaying the hyperlink back to the user, I'm using a repeater. Do I need to encode the...
I want to retrieve the MAC ID of all users who are visiting my website. How can I do this?
Is it possible to retrieve a MAC ID on the web?
...
I am building a web application where I got trapped in the login module. I was about to implement lockout functionality using the IP address of the machine, but for a dynamic IP the router can be restarted, so I was thinking of storing the MAC address, which was not feasible to retrieve on the web. Then I tried to learn how it works on GMAIL and Twitter.
Cases tha...
Hi there, quick question: is it secure to use the jQuery.post function in jQuery to pass a user's login information to a PHP script? I'm thinking about using a piece of code like this:
$("#login_form").submit(function() {
var unameval = $("#username").val();
var pwordval = $("#password").val();
$.post("backend.php", { username: una...
I'm currently working on a website for my church's college group, and am starting to get a little worried about the security of what I'm writing. For instance, I use this function:
function dbConnect()
{
global $dbcon;
$dbInfo['server'] = "localhost";
$dbInfo['database'] = "users";
$dbInfo['username'] = "root";
$dbInfo['pas...