Why is it not secure to allow access to resources with URIs like "http://example.com/badcode.txt"?
What does non-file-based mean?
I'm reading this PHP security checklist:
http://www.sk89q.com/2009/08/definitive-php-security-checklist/
thx
^_^
...
When I add a Service Reference in Visual Studio to a service, it keeps adding this extendedProtectionPolicy to my Security Bindings, which works fine on my Win7 machine. But when I deploy to Server 2003 it errors out saying unrecognized element in configuration file.
Removing the line <extendedProtectionPolicy policyEnforcement="Neve...
I'm using PHP for my site and was wondering if it would be a good idea to use the $_SERVER values
md5($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']) in a cookie_auth field in the user table.
When the user logs in, PHP will use the above key to re-check the current user and compare it to the stored key and if matched get credential...
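As an added example (not code from the question above), the following compares the fingerprint key described in that question with a random per-login token that the server stores only as a hash. The function names, the column name cookie_auth and the sample IP/User-Agent values are assumptions.

```php
<?php
// Added example, not from the question. The fingerprint function is the
// scheme the question describes; issue_remember_token() is an alternative.

// Key derived only from public request data (the question's scheme).
function fingerprint_key(string $ip, string $ua): string {
    return md5($ip . $ua);
}

// Alternative: a random secret for the cookie, with only its hash stored
// in the cookie_auth column so a database leak does not leak usable cookies.
function issue_remember_token(): array {
    $token  = bin2hex(random_bytes(32));   // value placed in the cookie
    $stored = hash('sha256', $token);      // value written to cookie_auth
    return [$token, $stored];
}

function check_remember_token(string $cookieValue, string $stored): bool {
    // hash_equals() avoids a timing side channel on the comparison.
    return hash_equals($stored, hash('sha256', $cookieValue));
}

// Two users behind the same NAT with the same browser build (constructed
// sample values) get identical fingerprint keys, so the key alone cannot
// tell them apart, and anyone who knows a victim's IP and UA can compute it.
$ua = 'Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/3.6';
$userA = fingerprint_key('203.0.113.7', $ua);
$userB = fingerprint_key('203.0.113.7', $ua);
var_dump($userA === $userB);

// The random token is unguessable and only its hash lives in the table.
[$cookie, $dbValue] = issue_remember_token();
var_dump(check_remember_token($cookie, $dbValue));
var_dump(check_remember_token('not-the-token', $dbValue));
```

The IP/User-Agent hash can still be used as an additional check that the token is presented from the same environment, but it should not be the only thing that authenticates the cookie.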
Do any browsers follow cross-domain 301 redirects when processing XmlHTTPRequests (or any other method a page can get the contents of another)
...
Bear with me, I have only been learning PHP for a few weeks, so example code may confuse me. I think I finally understand salting! It's to protect passwords inside the database, if breached.
What I don't understand is, why would a hacker have to crack hashes if they are trying to figure out a user's password (assuming that's their goal...
Hey guys, quick question,
I want to filter my output to make it safer from Cross site scripting (XSS) attacks so I am filtering output with htmlentities. The problem is, I am trying to make my application utf8 compatible so when I enter something like ಠ_ಠ I would like it to be maintained when retrieved from the database. Is there a simpl...
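The following is an added example, not code from the question, showing htmlentities() applied to the kind of string the question mentions with an explicit UTF-8 charset, beside what happens when the charset is forced to ISO-8859-1. The helper name escape_for_html() and the sample input are assumptions.

```php
<?php
// Added example, not from the question. Escapes output for HTML while keeping
// non-Latin UTF-8 characters such as ಠ_ಠ intact.

function escape_for_html(string $s): string {
    // Passing the charset explicitly matters: before PHP 5.4 the default was
    // ISO-8859-1, which treats every UTF-8 byte as a separate character.
    // ENT_SUBSTITUTE (PHP 5.4+) replaces invalid byte sequences with U+FFFD
    // instead of making htmlentities() return an empty string.
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample: the question's string plus an injection attempt.
$input = 'ಠ_ಠ <script>alert("x")</script>';

// Markup characters become entities; the Kannada characters have no named
// HTML entity and are passed through unchanged.
echo escape_for_html($input), PHP_EOL;

// htmlspecialchars() only converts & < > " ' and is usually sufficient for
// XSS protection; it leaves accented Latin characters literal too.
echo htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), PHP_EOL;

// Contrast: the wrong charset turns each multibyte character into mojibake
// entities rather than preserving it.
echo htmlentities($input, ENT_QUOTES, 'ISO-8859-1'), PHP_EOL;
```

For the round trip through the database to work as well, the connection charset (for example the charset in a PDO DSN, or SET NAMES utf8mb4 on MySQL) and the page's Content-Type header should also declare UTF-8; the escaping function alone does not control those.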
I am creating a web application that I hope to release to the public for downloading and installing on anyone's own web server, however I just was informed that some webhosts disable the use of fopen in php due to "security issues", particularly on shared hosts. I use fopen during the installation process of the application, should I be ...
As you know there are some PHP functions to be disabled on shared hosting environments. Searching Google, I found many lists of these functions. One of these functions is curl_exec; I can't understand why this function should be disabled. How could this function be vulnerable?
...
A customer wants their product to require users to enter a machine-specific code, so that they can only run it on one machine... if they want to use it elsewhere they get a deactivation code from the first machine and send that back to prove this.
If the app could talk to their server this could be made much smoother but this is not the...
I've been working on an application that will allow for third-party extensions to be built to expand the application's functionality. All this in PHP, of course. I wanted to add a bit of security padding by running files in a certain directory through a checksum function. If the file doesn't pass the checksum, the file isn't "included", ...
Hi,
I am wondering if it is possible to generate a "key" that is valid for a period of (approximately) three months?
For example, let's say (hypothetically) that I generate a key like this (pseudocode):
Key = HASH ( MachineID, Salt );
And the way I verify a key is valid is to check like this:
isValid(Key)
{
return Key == HASH ( ...
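As an added example that is not part of the question, the following extends the pseudocode above so that the key carries its own expiry and is bound to the machine ID with an HMAC under a secret known to the verifier. The 90-day lifetime, the secret value, the machine ID format and the key layout are all assumptions.

```php
<?php
// Added example, not from the question. Key = expiry . HMAC(secret, MachineID|expiry).
// Lifetime of roughly three months, expressed in seconds (assumed).
const KEY_LIFETIME = 90 * 24 * 3600;

function make_key(string $machineId, string $secret, int $now): string {
    $expires = $now + KEY_LIFETIME;
    // The HMAC covers both the machine ID and the expiry so that neither
    // can be altered without the secret.
    $mac = hash_hmac('sha256', $machineId . '|' . $expires, $secret);
    return $expires . '-' . $mac;
}

function is_valid(string $key, string $machineId, string $secret, int $now): bool {
    // Expected layout: <unix expiry>-<64 hex chars of SHA-256 HMAC>.
    if (!preg_match('/^(\d+)-([0-9a-f]{64})$/', $key, $m)) {
        return false;
    }
    $expires  = (int) $m[1];
    $expected = hash_hmac('sha256', $machineId . '|' . $expires, $secret);
    // Constant-time comparison, then the time check.
    return hash_equals($expected, $m[2]) && $now < $expires;
}

$secret = 'replace-with-a-long-random-secret';   // assumed verifier secret
$issued = 1700000000;                            // constructed timestamp
$key = make_key('MACHINE-0001', $secret, $issued);

var_dump(is_valid($key, 'MACHINE-0001', $secret, $issued + 86400));          // within lifetime
var_dump(is_valid($key, 'MACHINE-0001', $secret, $issued + KEY_LIFETIME));   // expired
var_dump(is_valid($key, 'MACHINE-0002', $secret, $issued + 86400));          // wrong machine
var_dump(is_valid('1999999999-' . str_repeat('0', 64), 'MACHINE-0001', $secret, $issued)); // forged expiry
```

Two caveats apply to any scheme of this shape: if the client verifies the key locally, the secret ships inside the client and can be extracted, so an attacker who has it can mint keys with any expiry; and the check depends on the client's clock, which the user controls. Verifying on a server the customer runs, or using a signature scheme whose private key never leaves that server, removes the first problem but not the second.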
I have a PHP page in which I have the following code to validate the user using HTTP authentication. This code works fine for http:// URLs, but when I use the same page with https:// it doesn't ask for a username and password.
//authentication settings
define('USERNAME', 'prashant');
define('PASSWORD', 'password');
//Validating
if (!...
Hi, apologies if I make any cardinal errors in question asking, this is my first post.
Building a simple app in php where the user has permissions to a number of different sets of data which are held in a db with corresponding id's. Currently I have the user switching the set of data they are viewing by choosing a set from a dropdown. ...
I've got some code which pinvokes native win32. Since I upgraded to .NET 4, the code started throwing a MethodAccessException saying:
Attempt by security transparent method 'Tek.Audio.Midi.MidiDevice.GetDevices()' to call native code through method 'Tek.Native.Windows.Multimedia.midiInGetNumDevs()' failed. Methods must be security crit...
My current script uses this simple command:
mail -s "$my_msg" username\@mycompany.com </dev/null
When changing it to use a mailing list rather than the hardcoded username:
mail -s "$my_msg" mailing_list_1\@groups.mycompany.com </dev/null
It produces:
550 Unrouteable address
I need to be able to authenticate to the server over...
I use HTTPS, but want to minimize the risk of someone evil crafting their own cookies with a session ID that someone else has actually used recently.
As a session variable I have an expiry time so the session is invalidated if it hasn't been used recently, so I figure the window of opportunity is when the victim is active or recently left...
We are building a highly sensitive system, you can think of it as a banking system, where you have a client with a certificate that calls a WCF service to send a transaction to the server.
staying in the example of the banking system, that transaction can be a wire order or a debit. So for audit and in case of litigation by the client ...
I am writing a psql script and using variables (with the psql --variable key=value command-line syntax).
This works perfectly for top level scope like select * from :key, but I create functions with the script and need variable value inside them.
So, the syntax like
create function foo() returns void as
$$
declare
begin
grant select on my_tabl...
This will be a bit difficult to explain but I will try my best. There is a website that has the login form on every page with username/password fields. These pages are not using SSL. After the user fills in the username/password and submits the form, the form is sent to an authentication page which is https.
I have a few questions about...
Do you have a hint, a reference, or an example of how to integrate Oracle SOA Suite 11g (BPMN or BPEL) security with the ADF TaskFlow security of the human tasks?
...