I am always reading that you should always store your database credentials outside of your document root because normally you would have them set to db.inc or something similar.
I can understand this and naturally it makes perfect sense.
What I don't understand is why you are making the file into one that you either need to set apache ...
I'm a (near complete) beginner, and this is my first foray into encryption - in fact this is probably the first time I use the word.
Here is my question: For a non banking / military, or even commercial, web app, what is the right way to choose a salt for a hash function used for passwords?
I can easily generate a pseudo random salt f...
What is more secure? VNC or Citrix or HTTPS
So they all have the same amount of security.
Don't they use the same encryption algorithms in the end?
...
We want to build into our software the capability to build SQL queries freehand (currently cannot do so with our software), but need to be able to lock it down so that users cannot make any changes, only select data from certain tables. Are there any good guides for helping me to lock this down appropriately (ie, least permissions neede...
Hi
Can anyone tell me briefly what kinds of attacks there are on a website?!
I'm using Asp.net and SQL server 2005.
And can you give me a reference about each of them please?!
...
I'm a bit behind the times when it comes to website security. I know the basics - validate all incoming data, escape data being saved to the db, use a salt for passwords, etc. But I feel like there's a lot I'm missing that can bite me in the butt. This is especially true with my slow migration to .NET. I'm just not sure how to replic...
What are the security issues in asp.net mvc?! And does MVC solve XSS and the others?!
...
I just wanted to run this by other heads to make sure I wasn't missing something obvious. I am using Payflow Link, which handles all the credit card nastiness of ecommerce transactions. However, you pass the total amount of the transaction to PayPal over POST variables - which seems like a potential security hole:
A malicious user coul...
Hello All.
I have been working on a project which uses Grails with Hibernate...
Now the project is up and running very well, but the thing that I still need to integrate is the most important part of the project, i.e. security.
So, for security I have found some of the plugins that are available with grails like ACEGI (I think it's Sprin...
I have to write a Windows service that handles at some point confidential data (such as PIN codes, passwords, and so on). That information is needed for a very short amount of time: usually it is sent almost immediately to a smart card reader.
Let's consider this piece of code:
{
std::string password = getPassword(); // Get the ...
I currently use custom error codes when something goes wrong with my jQuery Ajax calls.
Does this new security issue mean I have to stop using this method for passing information back to my app?
http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
Is it still possible to pass decent error mes...
Possible Duplicate:
Where can I find a web-project security checklist?
I was just wondering, when creating a PHP/MySQL app, what are the main security issues a developer has got to consider? I know this could be a major broad topic, but I just wanted an overview of where to look, and while I'm writing and developing the app, what I n...
Hi,
I am using .htaccess RewriteRule on a website I'm working on.
Here is a sample of my .htaccess
RewriteEngine on
RewriteRule ^about.htm$ /index.php?load=about&output=html [NC]
I would like to know if there is a way in my index.php file to detect
if the page has been called via a Rewrite or the user reached it
directly. I'm tryin...
I am sourcing some info from the OWASP (open application security community) web site (http://owasp.org) and came across some info in their Authentication section.
CAPTCHA (Completely automated Turing
Tests To Tell Humans and Computers
Apart) are illegal in any jurisdiction
that prohibits discrimination against
disabled citiz...
I have the following on my web.config
<location path = "WebPages/Reports">
<system.web>
<authorization>
<deny roles="DeniedRole1, DeniedRole2"/>
<allow roles="AllowRole1,AllowRole2,AllowRole3"/>
</authorization>
</system.web>
</location>
<location path = "WebPages/Reports/SpecificPage.aspx...
Spring Security for us uses an email as the username and a password. To log someone in through code I call:
securityContext.setAuthentication(objectWithUsername);
How do I then allow facebook connect users to login who don't have an email or password with us? I can't call the above method because it requires a username.
...
I am in the process of choosing a project for uni, and I am really interested in combining genetic algorithms and computer security.
Therefore my question: is it possible to use GA on any aspect of computer security? For example? I was thinking of something like an evolutionary firewall/anti-virus that will be able to self protect/inhibit t...
It seems most people advise going with some sort of hardware solution in load balancers for DOS attacks. I notice if you try to do a curl on any major/semi-major website you get a 301.
For someone with a modest budget, what's the best way to protect against DOS attacks in rails, if there is no solid solution, what's the 2nd best thing s...
Greetings all:
I currently am building a web application, and have been debating whether to go with a conventional database login system, or going with an openid based login system as we have on stackoverflow and family. What my question is: when would an application designer choose an openid system over the more conventional login...
So I was on this mission to create a moderately flexible, but most importantly, re-usable handler PHP script for image uploading projects. As I cruised along I ran into a PHP memory limit question that I posted on stackoverflow (can be found here: http://stackoverflow.com/questions/3792058/php-memory-limit) and the awesome and helpful a...