I have a login service to my current website and what I was wondering is - is there any particular method you could call the MOST Secure?
Allow me to explain my system a little better:
I currently have a PHP MySQL database with a users table. The username and password are both stored as VARCHAR (not the best for passwords I know).
On ...
I'm creating an application that encrypts data with a key that is created each time the user logs into the app. However, there are times when data will be received via a BroadcastReceiver that needs encrypting, but the user is not logged in and so the encryption key is not available.
Security is pretty important and so using a key stored...
In a similar vein to my previous question - I'm not a very experienced PHP Programmer. I know nothing about Sessions or Security (other than what I learnt an hour ago about md5 and sha1 with salt).
I have a login system, and I wish to create a session that stores an encrypted string of a user's username mixed with a timestamp. I know ...
I am working on implementing a JavaScript web bug that will be inserted into our client's web pages. One of the features our clients would like, is a way to pass pieces of the HTML on their web pages to our server through the web bug. We are using JSONP and the server that is hosting the JavaScript web bug is different than the server ho...
My question stems from an earlier client proxy that svcutil generated for me based on a server configuration.
I use a server side certificate credential using a Sql Membership provider to authenticate the user.
For the bindings I simply used
<behavior name="MembershipBehaviour">
<serviceMetadata httpsGetEnabled="true" />
...
How can I use an entry from the systems authorized_keys file for a java.security.PublicKey implementation? I specifically want to compare a public key from the authorized_keys file with a public key available in the Apache SSHD PublickeyAuthenticator interface.
...
Before I begin, my reason for not using OAuth is I believe it is not really something we should be using on this project, we're targeting a platform that will be packaged and resold to companies, which connect to their own set of users that we really don't want to have accounts that we are not 100% in control of, we don't want it to be a ...
Hi, is there any way I could create a function that receives a username and returns whether the user is currently logged into the application?
...
When users create an account in my web application, I generate a GUID and use the first 8 characters as their password which is then sent via email.
Is there a security risk I am overlooking in using GUIDs as passwords? I've taken a look at the question Are GUIDs good passwords?, but that question pertains to personal passwords not rando...
We have some code that removes "dangerous" attributes and tags from HTML. I noticed that style is among the list of "dangerous" attributes. What could be the risk from that attribute?
...
Possible Duplicate:
XKCD SQL injection - please explain
What is the general concept behind sql injection ?
Being a rails developer
This is unsafe
Booking.find(:all, :conditions => [ "bookings.user_id = #{params[:user_id]}" ])
and this is safe:
Booking.find(:all, :conditions => [ 'bookings.user_id = ?', params[user_i...
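An added example, not from the post above, showing why the first Booking.find call is unsafe and the second is not, without needing a database. The params hash is constructed input, and the bind helper is a simplified stand-in for the placeholder substitution ActiveRecord performs for [ 'sql with ?', value ] conditions (real adapters quote differently per database, so treat it as an illustration of the mechanism rather than the library's own code):

```ruby
# Quote a Ruby value as a SQL literal. Every single quote inside a string is
# doubled, so the value can never close the literal and turn into SQL syntax.
def quote(value)
  case value
  when Integer then value.to_s
  when nil     then "NULL"
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Replace each ? placeholder with the quoted form of the next value.
# The value is spliced in as data (a literal), never as syntax.
def bind(template, *values)
  placeholders = template.count("?")
  unless placeholders == values.size
    raise ArgumentError, "#{placeholders} placeholders but #{values.size} values"
  end
  i = -1
  template.gsub("?") { quote(values[i += 1]) }
end

# The unsafe form from the post: the request parameter is interpolated into
# the SQL text, so anything in it that looks like SQL *is* SQL.
def unsafe_conditions(params)
  "bookings.user_id = #{params[:user_id]}"
end

# The safe form from the post: the parameter travels separately from the SQL
# template and is bound as a literal.
def safe_conditions(params)
  bind("bookings.user_id = ?", params[:user_id])
end

# Constructed attacker input (hypothetical, for the demonstration): a value
# that matches every row if treated as syntax, one that appends a statement,
# and one that tries to break out of a quoted literal.
PAYLOADS = ["1 OR 1=1", "1; DROP TABLE bookings", "1' OR '1'='1"].freeze

if __FILE__ == $PROGRAM_NAME
  PAYLOADS.each do |payload|
    params = { user_id: payload }
    puts "unsafe: #{unsafe_conditions(params)}"
    puts "safe:   #{safe_conditions(params)}"
  end
end
```

Binding only guarantees that the value arrives as a literal; whether the database then rejects a non-numeric literal in an integer comparison or silently coerces it (MySQL casts '1 OR 1=1' to 1) depends on the database, so an integer id is best converted with to_i before it is bound.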
Wikipedia provides information about one of the most common scenarios for exploiting a reflected cross site scripting attack - using some degree of social engineering to induce unsuspecting users to click a malicious link:
Alice often visits a particular website, which is hosted by Bob. Bob's
website allows Alice to log in with ...
I have a server which is online right now, but requires authentication when accessing, so it is basically closed to everyone but me.
Thing is, I don't want to "Open" the website to the public, but I need to test my website on different browsers.
One way is to do it from websites like browsershots.org, which requires access to my websit...
I'm kinda new in the mobile world and wcf world.
I have developed a mobile app that communicates with a WCF service.
What security topics should I look into?
I do not know much about security either ... usually you try to secure the channel? the messages being sent?
...
If I do a
sudo netstat -tup | awk '{print $5}' | sort | uniq -c | sort -n
I can get a list and count of how many connections I have to each host. But how can I tell how many times I've been connecting to that host every minute/hour/day? Is there a TCP log somewhere that I can grep through to see how and when I'm connecting to what?
I...
I have a text area for the user to input something, and I will pass the text as a parameter to the server. Is there any way / API to ensure the user's text is valid, and even if it is not valid, that it is treated as a normal string? (Escaping API?) Thank you.
...
Hi Everyone,
I have a great concern in deploying the TinyMCE editor on a website. Looking at the code parsed by the editor it does a great job, and I leave the HTML button off the toolbar configuration so users can not inject their own source.
However, from what I read in the TinyMCE docs, it claims to degrade nicely to a regular texta...
I have setup two different PHP systems this summer. Each uses two different methods:
Method #1: One PHP File Per Task
This method requires that a PHP file be created for each major task. For example, my upload script would be accessed via http://www.domain.com/upload.php. On upload.php, a "controller" and a "view" class are instantiated ...
On my website I have a variable called $user_data that contains input from a form. I then show this variable on the user page (via echo).
What is the best method to avoid any security risks with this variable? I use strip_tags(), but it is not enough.
This variable also gets saved to a MySQL database.
...
Made a small contact form on php, it gets $_POST variables and mails to me.
<form action="/myscript.php" method="post">
Small piece of code:
$subject = trim($_POST['subject']);
$comment = trim($_POST['comment']);
mail($email, $subject, $comment, $headers);
$email is my mail address, $headers are the usual.
There is no filtration for...