I have developed a social networking website for gardeners, and am interested in giving users the ability to add images to their "tweets".
If I allow them to upload images to the actual site, it seems like this will quickly become expensive (this is a side project, not funded by anyone other than myself and my own obsessions). Let's say...
In my app, I have a "User" model, which includes a number of attributes including "has_admin_rights". If true, the user is an admin, if false, they aren't.
Each user has a profile, with their login name, email address, profile pic, etc.
If I'm logged in as a regular user, I can click on a page called "profile", and I can edit my own ac...
Under SQL Server 2008, you can set the permissions for a given user down to the table and/or field level.
In the GUI, it's easy to select the "Securables" and apply them, but is it possible to script the changes?
...
I'd like to receive comments on the way I'm trying to build an ASP.NET web application which uses a WCF service that is hosted in another ASP.NET application. Both applications will live on the same machine, but the app with the WCF service will not be accessible from the outside. There will be two web servers sharing the load behind a l...
Hi, I use this class (taken from a blog tutorial) to generate unique keys to validate a form:
class formKey {
//Here we store the generated form key
private $formKey;
//Here we store the old form key
private $old_formKey;
//The constructor stores the form key (if one exists) in our class variable
function __co...
I'm working on encrypting some database fields. By encrypting of course I lose some search functionality. I found this library called SQLCipher which handles the encryption at the database level, but it's for SQLite. Is there something similar for MySQL?
...
In jQuery 1.3.2, for JSONP requests I used to do this:
var _options = {
url: 'someexternal_url',
type: 'GET',
dataType: 'jsonp',
success:_aSucFnToHandle,
error: _anErrFnToHandle
};
$.ajax(_options); // this ignores any error that occurs on the url
So I added the script below and changed my ajax reques...
Hey,
I don't know much about these types of things, so please excuse the NOOBness.
I am sending an HTTP request to a server and I want the server to know that the request is authentic, so I have a p12 with a certificate and key (pre-made by the server) bundled with my application that I extract and use as a credential when I send my request...
(Yes, I know that questions pertaining to lighttpd fit better on SF, but I thought it was more apt to be asked here since it's primarily concerned with security policy.)
We're planning to set up a small web server in my college, so that people could get some web space to put up web pages and the like. They could also upload PHP pages. T...
I have to store a demo install date somewhere on a client PC. The app demo period is calculated on the install date. Obviously it must be impossible for users to edit or delete this value.
How can this be done?
We can't use HKLM registry because of Citrix
Can't use /Program Files because of Vista
Can't use /Documents and settings bec...
I wrote a PHP script which will run every Monday using cron. In this email I am attaching an XLS document which contains sensitive information. What is the best way to secure this email? Can I set a password on the XLS document? Can I encrypt the email and only allow the correct receiver to have authorization to open it?
I am using PHPE...
Hi,
For a secure URL query, which is more secure: filter_var($string, FILTER_SANITIZE_SPECIAL_CHARS) or htmlentities?
Thanks in advance.
...
I need to make sure that every user accessing my web application can do that from one machine only, so 100 users would mean 100 machines. What would be the best solution? Is detecting and storing the IP during first login a good idea? I think the IP might change even during the lifetime of the session; is that right? I was also thinking of storing coo...
Is it feasible to allow users to log in to my web application (PHP/MySQL) using a thumb scanner? USB scanners seem available and not too expensive, but has anyone got experience with it? How do I make it work with PHP so that users, instead of filling in regular username/password fields, would actually be able to log in by scanning a thumb? Are there ...
Is it possible to get into legal trouble for identifying vulnerabilities in a web application even if you don't exploit them?
I have considered using tools like NetSparker on occasion to see if a site has any vulnerabilities and I'd like to contact the owner of the site to see if they'd be interested in me fixing it. I suspect that s...
If I were to create a site where users could put arbitrary html into their 'profile' or something similar, how might I prevent JavaScript embedded in that html from running?
Could I put an infinite loop for(;;); somewhere? If so, where would I put it?
What other security concerns are associated with this approach?
...
I keep reading that an ASP.NET based web site should have custom errors enabled in the web.config because exceptions will show a stack trace.
I may have a faulty memory (currently don't have access to an ASP.NET website under development), but I thought as long as Compilation debug="false" in the web.config file, then the stack trace wi...
I have an application running in IIS which connects to a SQL Server 2008 R2 instance using windows integrated authentication. This application does simple read/write operations in the db using a set of stored procedures. I can restrict the privileges in SQL server quite well for this login/user combination.
But for a small subset of the...
I use cookies to manage user sessions in my Rails app. I recently found that when a user changes the password, the cookie does not get invalidated as expected. As you realize, this could be a great threat to security. How should I handle this problem? I want to expire or invalidate a cookie once the user changes the password. How do I do...
I would like to use eWay (http://eway.com.au) as a payment gateway, but the problem is it doesn't allow much customization of their hosted page. I would like to display the products the client would be paying for, but that is not possible, so I thought maybe just whack the hosted page into an iframe. But then again, I'm expecting security issues with it, a...