Hi friends,
I use CodeIgniter and am having trouble with hacking :( Is it possible to perform SQL injection against the login code below?
function process_login()
{
    $username = mysql_real_escape_string($this->input->post('username'));
    $password = mysql_real_escape_string(MD5($this->input->post('password')));
    //Check user ta...
I was looking through the docs and stumbled onto mysql_real_escape_string() and I'm not understanding why it's useful when you can just addslashes(). Can someone show me a scenario as to why it's useful?
I'm also curious why it requires a database connection.... that seems like a lot of overhead.
...
I'm building a database class and thought it'd be a good idea to incorporate some form of SQL injection prevention (duh!). Here's the method that runs a database query:
class DB
{
    var $db_host = 'localhost';
    var $db_user = 'root';
    var $db_passwd = '';
    var $db_name = 'whatever';
    function query($sql)
    {
        ...
I am using a custom error page in IIS 6:
<customErrors redirectMode="ResponseRedirect" mode="On" defaultRedirect="Error2.aspx"/>
I want to disable authentication for the custom error page, because the error being raised is related to an authentication module and I don't want to get into an infinite loop; I also want to display a clean er...
Does anyone know if the current crop of SNMP-based commercial and open source network management systems (e.g., HP OpenView/NNM, OpenNMS) support the use of SNMP over DTLS (http://tools.ietf.org/html/rfc4347)?
Thanks in advance...
...
Hi. I just got a site to manage, but am not too sure about the code the previous guy wrote. I'm pasting the login procedure below, could you have a look and tell me if there are any security vulnerabilities? At first glance, it seems like one could get in through SQL injection or manipulating cookies and the ?m= parameter.
define ( ...
Hey guys, I was scanning my site for security and I noticed that it was possible for non-users to send requests and post information, so I decided to put login checks on all information posts. I was wondering if it was a good way to keep a session id that is created by md5(uniqid()); in a session variable $_SESSION['id']=md5(uniqid()); f...
I followed the answer to this question http://stackoverflow.com/questions/1245364/securing-elmah-in-asp-net-website to restrict access to the elmah handler. However, it seems that adding an RSS feed to Outlook for the URL elmah.axd/rss or elmah.axd/digestrss bypasses the authentication. What's the point of securing the handler if someone...
Hi,
Having recently discovered design patterns, and having acquired the excellent Head First Design Patterns book (can really recommend it!), I am now wondering about design patterns for security and controlling access to records in data stores.
My use case is a bespoke CRM style application, with contacts, businesses, and users who ha...
Hello,
I'm working on games using JavaScript, some HTML and CSS, and I was wondering if there was any way to secure the game so that the user can't just call game.php?result=victory to finish the game and earn some points.
As of right now, here are the solutions I have.
For a chance game, start the page with the result already in place, ...
I have a ClickOnce application used to view some documents on a website. When connected, the user sees a list of documents as links to http://server/myapp.application?document=docname.
It worked fine until I had to integrate the website authentication/security system into my application.
The website uses a ticketing system to grant acces...
Hi,
I have built my entire website with Flash and embedded several swf objects (slideshows) into it. Everything always worked fine when I published it as a swf movie.
But now that I want to upload my website, an error message occurs saying:
Error #2044: Unhandled SecurityErrorEvent:. text=Error #2140: Security sandbox violation: file:///m...
I am unable to use an unsecured channel once a secure channel has already been registered. The code below works only if, on the client side, the unsecured channel is registered before.
Is it possible to mix secure and unsecured channels without any constraint on the registration order?
using System;
using System.Collections;
using System...
I'm developing a new user store for my organisation and am now tackling password storage. The concepts of salting, HMAC etc. are all fine with me, and I want to store the users' passwords either salted and hashed, HMAC hashed, or HMAC salted and hashed. I'm not sure what the best way will be, but in theory it won't matter as it will be able...
I've been running around the interwebs for a fair few hours now and I don't think I'm getting anywhere fast.
Here's my situation and problem: I have a WCF web service and an ASP.NET website, both with a C# back end.
When developing ASP.NET websites in the past I've used the built-in ASP.NET configuration manager to set up user roles and rule...
Okay, so what are the ramifications of getting a JS file via an HTTPS call while on an HTTP page?
I assume it would just be a little bit of extra overhead. Would there be any warnings about this call from any certain browser?
Don't ask why. It's just hypothetical.
...
Hello,
We are developing a Windows application, and as with most apps out there, there is a login form. What I don't like is that the login form validates the user and opens the main form if the user and password are correct. Simple as that.
All the function calls etc. are made without verifying the user and password again; what should be the right thing...
This is the JavaScript that you can find on www.twitter.com (just click to see the source code).
I have just reformatted it for clarity:
if (window.top !== window.self) {
    document.write = "";
    window.top.location = window.self.location;
    setTimeout(function() {
        document.body.innerHTML = '';
    }, 1);
    window.self.onload = functi...
Hi,
I have seen many resources on using jQuery with Rails where people recommend having callback functions in .js.erb files; however, I have also heard that passing data this way leaves me vulnerable to man-in-the-middle attacks. Is this true? What are the security concerns, and is there a way to do it safely?
Thanks
...