security

mysql_real_escape_string: Is it enough for database security alone?

mysql_real_escape_string is used for SQL statements. Is it enough for database security alone? For example, with get_magic_quotes_gpc() we have to use stripslashes. Is there any issue that we have to know about when using other functions with mysql_real_escape_string? Thanks in advance ...

Protecting client side logic & data

I am coding a data-intensive web app. So that means I can't possibly be doing any computations on the server: the computation after every event involves huge data, too large to be sent to the server again and again. So I have to do all execution and keep all data on the client side only. Currently I am using JS to do so. Is there a way by which I can protect my ...

php login script security

I just wanted to run my login script by you guys to see if there are other security measures that I should take. I know that I need to move my DB constants to a config file, but aside from that and some error handling, what other checks do I need to add to make sure this script is secure? <?php ob_start(); session_start(); ...

Credential distribution/storage across fleets

What are the options for secure password/credential storage on a host and propagation of changes across a fleet of hosts? An example would be: you have a fleet of size N and you want to store credentials, such as AWS access keys, on those hosts. The simple approach is to store it in the source code or a config file, but this is bad beca...

Is Injecting Controlled HTML via AJAX a Security Concern?

Hello All, I have a specific case here in which I would like some security advice. Basically my question is "If I control what is in a database (no user submitted data), is there a security concern to returning the results of a database query in HTML (via AJAX)"? Here's the process that is happening: daily build generates an XML doc...

Encrypting messages sent to a WCF services hosted on a server with real IP

I have a WCF Service hosted on a server with a real IP but no domain name. Clients are .NET desktop applications. I need to encrypt the data going back and forth between the clients and the server. How can I do that? I understand that certificates required for the SSL connection need a domain name. Is this accurate? What options do I have?...

JAAS / JAAC, DROOLS, or custom

I have been using my own internal custom authorization model which evaluates whether a user has permission to view, edit, delete, or create an item. For instance, one place I use this is to determine if a user has permission to view a resource. I have some restrictions such as whether the item is published, whether the user belongs to ...

Upgrading from basicHttpBinding to wsHttpBinding: connection fails

I maintain a program that sends messages between users. The clients connect to a WCF service that is hosted in IIS 7.0 on my domain server. Up to now I successfully used basicHttpBinding for this, without any configuration. Now I want to change to wsHttpBinding because this should encrypt the transport of the messages. The server has a c...

Problem with session_start(), ob_start() and security

In my web admin area I am using very simple logic: session_start(); ob_start(); if(!isset($_SESSION['user'])){ header("Location: login.php"); } contents... ob_end_flush(); Yes, this is working perfectly, redirecting to the login page. But the comic point is that I can see the content of index.php (that is protected!!!) here. What is wrong? T...

PHP and Ethical Hacking

I know all the security issues: SQL injection, XSS issues, SSL, session hijacking; I have read security books etc. But yet, I feel that a backroom boy laughs at me! I want to hack my site ethically before a backroom boy does this illegally. Where can I start? How can I make sure that I use security preventions correctly? Thanks ...

An Efficient way to store table ID in form so user cannot overwrite another table record

Hi, I am creating a website which has user accounts. For each user account, the user can do stuff like update their personal details, write a blog etc. When the user wants to edit a blog, I have the following form (this is a simplified version). <form action="goToThisPage.php" method="get"> <input type="hidden" name="blogID" value=...

From DEROctetString to KeyUsage

In bouncycastle I can create a DEROctetString starting from a KeyUsage. How can I obtain KeyUsage starting from a DEROctetString then? Example: DEROctetString derString = new DEROctetString(new KeyUsage(KeyUsage.digitalSignature)); KeyUsage ku = ...(some code to get back KeyUsage starting from derString)... I need this because I'm a...

Authenticating a client-side web service request in a cached environment

We're building a set of external web services to be consumed client-side (using jquery/AJAX) by visitors to our site. The web services need to be publicly available but we'd like to limit access to site visitors. Importantly, the site in question sits behind a CDN and we cache page content for 24 hours; AJAX requests would preferably b...

What is the best method to dynamically sandbox inline JavaScript?

I have a WordPress plugin that loads pages with AJAX and to ensure compatibility with other plugins and "widgets." As of right now I use the following code to evaluate all inline JS that is inside the content blocks to be updated: function do_JS(e){ var Reg = '(?:<script.*?>)((\n|.)*?)(?:</script>)'; var match = ne...

Spring security plugin not throwing events

Hi, I am in the process of migrating to the spring security plugin from the acegi plugin. Currently working in a grails environment. I am facing a weird issue as my authentication success event and authentication bad credentials event do not fire at all. I added println statements in the callback in config.groovy and also through listeners. Howeve...

Question on Federated Authentication using Windows Identity Foundation

Hello All, I am developing an Asp.Net MVC website using Windows Identity Foundation and an STS website for authentication. It works fine, as whenever a user tries to access a URL, it redirects to the STS website if that session is not authenticated. Now I want to add a page in the application which should be available without authenticating in...

Securing web-API access

Prologue: I have a simple web-API accessible over HTTP with some corresponding mobile apps reading that data. Now someone decompiled an app / sniffed the HTTP traffic, got the URL to my web API and built his own client acting like one of mine. How can I secure the access to my API only for my own clients? Even with the thought of someon...

Implementing Security in ASP.Net MVC2

I have a CMS application in which I want to apply security on user actions, e.g. user1 can have rights to add a new page but doesn't have rights to delete that page. I'm maintaining these rights in a database. Please tell me what may be the best approach to implement security for this CMS ...

What is the diff between the hashing methods of php?

What is the difference between the hashing methods available in PHP: md2 md4 md5 sha1 sha224 sha256 sha384 sha512 ripemd128 ripemd160 ripemd256 ripemd320 whirlpool tiger128,3 tiger160,3 tiger192,3 tiger128,4 tiger160,4 tiger192,4 snefru snefru256 gost adler32 crc32 crc32b salsa10 salsa20 haval128,3 haval160,3 haval192,3 haval224,3 hav...

Disallow ENV and ENV_JAVA in JRuby

Is it possible to disallow the use of ENV and ENV_JAVA in JRuby? I allow user supplied ruby code to run in servers, and I believe allowing them to use ENV and ENV_JAVA is not a very good idea. I was able to disallow the use of System.get/setProperty() using Java's Security Manager, but I haven't had much success in this case. Thanks i...