I need to access Active Directory to get information about groups that customers belong to. The project I have is an ASP.Net MVC application using C#. I've never programmed against Active Directory before, and need some advice on what the best way to get started is, what security model to use to access the information, and maybe point ...
Hello guys,
I'm making a service that, among other things, has the "photo albums" feature that serves photos to users. A user has to be "allowed" to see the photo from the album, so sending the direct link to another person shouldn't allow them to view the photo.
Photos are stored in the folder outside of the context.
What I need to do is to perform some c...
We want an AutoLogin feature to allow a user to log in directly into our Web Application using a link. What is the best way to achieve this?
We have the following approaches in mind.
1) Store user credentials (username/password) in a cookie. Send the cookie for authentication.
e.g. http://www.mysite.com/AutoLogin (here username/password will be passed ...
I have a classifieds website with a picture script for uploading pics onto the ads.
The pics are uploaded to the "images" dir.
The php code which does this requires write access to the directory I am guessing...
So, what permissions would you set to the php upload file, and the images directory?
I am thinking like this:
drwxr-xr-x ...
I have checked out articles and tutorials.
I don't know what to do about the security of my picture upload-folder.
It is pictures for classifieds which should be uploaded to the folder.
This is what I want:
Anybody may upload images to the folder.
The images will be moved to another folder, by another PHP script later on (automatic)....
Hi, so members of my website can post topics, replies, comments, edit them and so on. I always use htmlspecialchars and addslashes for HTML inputs to protect my site against XSS and SQL injection attacks. Is it enough, or is there something more I miss?
Thanks.
...
I have a document library with a PDF file. Whenever I click on the PDF file, I am prompted to save the file. I do not get the option of opening the file, I am forced to save it. What I want is for the PDF file to open, either in the browser or in a separate Adobe Reader window, depending on the Adobe Reader settings. I'm pretty sure ...
I've worked with WebSphere, WebLogic, JBoss, and other app servers in the past. Now, I'm working on an app that will be deployed using Tomcat 6.x. While I prefer using the command line or XML config files, there are times when a good administrative console comes in handy. I've looked at the admin console that Tomcat comes with and fou...
I keep hearing from people that Macs don't get viruses. Is this true? If so, is it because OSX is programmed in a more secure way? What makes it less prone?
...
I am wondering whether there is any sort of C# class or 3rd-party library that removes dangerous characters such as script tags?
I know you can use regex, but I also know people can write their script tags so many ways that you can fool the regex into thinking it is OK.
I also heard that HTML Agility Pack is good, so I am wondering whether there is any ...
In Rails, when I want to find by a user given value and avoid SQL injection (escape apostrophes and the like) I can do something like this:
Post.all(:conditions => ['title = ?', params[:title]])
I know that an unsafe way of doing this (possible SQL injection) is this:
Post.all(:conditions => "title = #{params[:title]}")
My question...
Hi all,
I was wondering if it was possible to generate security credentials per individual Amazon S3 bucket. I am working with a developer and would like to grant him access only to the bucket we are working with. It's not a trust issue, it's more a concern that he'll delete the wrong bucket or its contents.
For example: If we were wor...
I have many params making up an insert form for example:
x.Parameters.AddWithValue("@city", City.Text)
I had a failed XSS attack on the site this morning, so I am trying to beef up security measures anyway....
Should I be adding my input params like this?
x.Parameters.AddWithValue("@city", HttpUtility.HtmlEncode(City.Text))
Is the...
I am using the function rename() (PHP) to move some images from one folder to another.
The destination folder has special characters in its name.
However, when doing this on the server I get the error that the folder with that name isn't found, and in that error the folder name's special characters are replaced with squares:
Warning: rename(...
Hey all
Are there any pre-made scripts that I can use for PHP / MySQL to prevent server-side scripting and JS injections?
I know about the typical functions such as htmlentities, special characters, string replace etc. but is there a simple bit of code or a function that is a failsafe for everything?
Any ideas would be great. Many tha...
I have this function inside a php file:
mysql_query("SET NAMES 'utf8'") or die(mysql_error());
mysql_query("SET CHARACTER SET 'utf8'") or die(mysql_error());
some stuff happening here,
rename($src, $dest.$cat);
That's on the server, and is the setup I have today which works (at least on my browsers).
Now, on my local machine (my...
I am thinking about setting the
php.ini, my.cnf and httpd.conf default charsets=UTF-8
The website is in the Swedish language only.
I have some folders with special chars in them, also some files.
Is there any harm by doing this?
Is it cross-browser safe?
Thanks
...
I have a passive STS set up for a new application I'm working on.
I've noticed that when a user's session expires, the user is still authenticated. I would have thought that when the session expires, the user would no longer be authenticated. My boss discussed this with me as I am currently charged with setting up the authentication. ...
I have a web application that I would like to allow persistent access to that is not dependent on the browser cookie system.
Is there something that will allow me to, upon the first user authentication, send the browser a certificate which the app can check for periodically or upon future returns to the site? Maybe some take on an SSL?
...
Is it generally a really bad idea to not use the built-in ASP.NET membership provider?
I've always rolled my own for my ASP.NET apps (public facing), and really have not had any problems in doing so. It works, and seems to avoid a layer of complexity. My needs are pretty basic: once set up, the user must use email address and password t...