This question talks about different payment processors and what they cost, but I'm looking for the answer to what do I need to do if I want to accept credit card payments?
Assume I need to store credit card numbers for customers, so that the obvious solution of relying on the credit card processor to do the heavy lifting is not availabl...
I need to check programmatically (in .NET) whether a given user (domain account) is a member of the built-in Administrators group on the current computer (the one where the application gets executed).
Is it possible?
...
I am not concerned about other kinds of attacks. Just want to know whether HTML Encode can prevent all kinds of XSS attacks.
Is there some way to do an XSS attack even if HTML Encode is used?
...
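An added example, not part of the question above, showing why "HTML Encode everywhere" is not a complete XSS defence: the same HTML encoding that is correct for text between tags does nothing useful in an unquoted attribute, a URL attribute, or a JavaScript event handler. Python is used here only as a neutral language to model what the browser does; the payloads, the `greet(...)` handler and the "http(s) only" URL policy are constructed for the example.

```python
import html
from urllib.parse import urlsplit

# Constructed attacker inputs for this example, one per output context.
PAYLOAD_BODY = "<script>alert(1)</script>"
PAYLOAD_UNQUOTED_ATTR = "x onmouseover=alert(1)"
PAYLOAD_HREF = "javascript:alert(1)"
PAYLOAD_EVENT_ATTR = "');alert(1);//"


def render_body(user_input):
    """Text between tags: HTML encoding is the right defence here."""
    return "<p>" + html.escape(user_input) + "</p>"


def render_unquoted_attr(user_input):
    """Unquoted attribute: html.escape leaves spaces and '=' alone, so the
    input still terminates the value and adds an event-handler attribute."""
    return "<input value=" + html.escape(user_input) + ">"


def render_href(user_input):
    """URL attribute: 'javascript:alert(1)' contains nothing html.escape
    touches, so the encoded page still carries a clickable script URL."""
    return '<a href="' + html.escape(user_input) + '">link</a>'


def safe_href(user_input):
    """A URL context needs validation before encoding. Constructed policy:
    accept only absolute http(s) URLs; anything else (javascript:, data:,
    vbscript:, relative paths) becomes a harmless '#'."""
    scheme = urlsplit(user_input.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(user_input)


def render_event_attr(user_input):
    """JavaScript inside an HTML attribute (onclick). The value is
    HTML-encoded, which looks safe when you view the page source."""
    return '<button onclick="greet(\'' + html.escape(user_input) + '\')">hi</button>'


def js_source_from_attr(rendered):
    """Model what the JavaScript engine actually receives: the HTML parser
    decodes entities in an attribute value *before* the value is run as
    script, so the encoding applied in render_event_attr is undone."""
    value = rendered.split('onclick="', 1)[1].split('"', 1)[0]
    return html.unescape(value)
```

The rule this illustrates: encode for the context you are writing into (HTML body, attribute, URL, JavaScript), always quote attributes, and validate URLs against an allowlist of schemes instead of relying on encoding at all.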
I got a little curious after reading this /. article over hijacking HTTPS cookies. I tracked it down a bit, and a good resource I stumbled across lists a few ways to secure cookies here. Must I use adsutil, or will setting requireSSL in the httpCookies section of web.config cover session cookies in addition to all others (covered here)? ...
I am developing a web app which requires a username and password to be stored in the web.Config; it also refers to some URLs which will be requested by the web app itself and never the client.
I know the .Net framework will not allow a web.config file to be served, however I still think it's bad practice to leave this sort of information...
There are lots of PHP articles about the subject, so is this a PHP-only problem?
I am sending emails using System.Net.Mail after some regular expression checks, of course.
Similar to http://weblogs.asp.net/scottgu/archive/2005/12/10/432854.aspx
...
Supposing you have a form that collects and submits sensitive information and you want to ensure it is never accessed via insecure (non-HTTPS) means, how might you best go about enforcing that policy?
...
I'm looking for a way, specifically in PHP, that I will be guaranteed to always get a unique key.
I have done the following:
strtolower(substr(crypt(time()), 0, 7));
But I have found that once in a while I end up with a duplicate key (rarely, but often enough).
I have also thought of doing:
strtolower(substr(crypt(uniqid(rand(), true)...
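An added example, not part of the question above, that models why the 7-character key collides and what a practitioner does instead. `weak_key` is a constructed stand-in for `strtolower(substr(crypt(time()), 0, 7))` written in Python (no PHP `crypt()` is involved): it keeps the two properties that matter, a 1-second clock as input and a result folded into 7 lowercase alphanumerics, so the keyspace is at most 36**7. The birthday-bound function shows how quickly duplicates appear in a space that size, and `insert_unique` shows that a real guarantee comes from a UNIQUE constraint plus retry, not from the generator.

```python
import hashlib
import math
import secrets

# The alphabet left after strtolower(): 26 letters and 10 digits.
LOWER_ALNUM = "abcdefghijklmnopqrstuvwxyz0123456789"
KEYSPACE = len(LOWER_ALNUM) ** 7  # 36**7, about 7.8e10 possible keys


def weak_key(now, salt):
    """Constructed model of strtolower(substr(crypt(time()), 0, 7)).
    Inputs are the clock (1-second resolution) and a 2-character salt; the
    result is folded into 7 lowercase alphanumerics. Same second and same
    salt give the same key, and even with fresh salts the 36**7 keyspace is
    small enough for birthday collisions to show up in production.
    (The modulo bias below is irrelevant to the point being modelled.)"""
    digest = hashlib.sha256((salt + str(int(now))).encode()).digest()
    return "".join(LOWER_ALNUM[b % len(LOWER_ALNUM)] for b in digest[:7])


def collision_probability(n, space=KEYSPACE):
    """Birthday bound: chance that n uniformly random keys drawn from `space`
    contain at least one duplicate, 1 - exp(-n(n-1)/(2*space))."""
    return 1.0 - math.exp(-n * (n - 1) / (2.0 * space))


def strong_key():
    """128 bits from the OS CSPRNG; a collision is negligible for any
    realistic number of keys (PHP equivalent: bin2hex(random_bytes(16)))."""
    return secrets.token_urlsafe(16)


def insert_unique(store, generate, attempts=5):
    """A guarantee, as opposed to a tiny probability, only comes from the
    database: generate, INSERT into a column with a UNIQUE constraint, and
    retry on conflict. `store` is a set standing in for that column."""
    for _ in range(attempts):
        key = generate()
        if key not in store:
            store.add(key)
            return key
    raise RuntimeError("could not allocate a unique key")
```

With 36**7 possible keys, about 100,000 keys already give a roughly 6% chance of at least one duplicate, and a million keys make a duplicate almost certain, which matches "rarely, but often enough"; a 128-bit random key moves that bound far beyond anything a web application will ever issue.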
I'm looking to implement httpOnly in my legacy ASP classic sites.
Does anyone know how to do it?
...
I need to generate some passwords, and I want to avoid characters that can be confused for each other. Is there a definitive list of characters I should avoid? My current list is
il10o8B3Evu![]{}
Are there any other pairs of characters that are easy to confuse? For special characters I was going to limit myself to those under the number ke...
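An added example, not part of the question above, of a generator that applies the exclusion list and then measures what the smaller alphabet costs in entropy. The questioner's list is used verbatim; the extra pairs (I/l/|, O/0, Z/2, S/5, q/g/9) and the symbol set `@#$%^&*` are the editor's constructed additions, not something the post states. Python's `secrets` module is used so the choice comes from the OS CSPRNG.

```python
import math
import secrets
import string

# The questioner's exclusion list, verbatim.
CONFUSABLE = set("il10o8B3Evu![]{}")
# Further pairs this example also drops (editor's additions, not from the post):
# I/l/|, O/0, Z/2, S/5, q/g/9.
EXTRA_CONFUSABLE = set("IO|Z2S5qg9")
# Constructed base set: letters, digits and a few shifted-number-row symbols.
BASE = string.ascii_letters + string.digits + "@#$%^&*"
ALPHABET = "".join(sorted(set(BASE) - CONFUSABLE - EXTRA_CONFUSABLE))


def generate_password(length=16, alphabet=ALPHABET):
    """Draw each character with the OS CSPRNG (secrets), never random.choice."""
    if length < 8:
        raise ValueError("length too short")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet=ALPHABET):
    """Shrinking the alphabet costs entropy per character; length buys it back."""
    return length * math.log2(len(alphabet))


def length_for_bits(target_bits, alphabet=ALPHABET):
    """Smallest password length that reaches the target entropy with this alphabet."""
    return math.ceil(target_bits / math.log2(len(alphabet)))
```

Dropping 20 characters from a 69-character base leaves 49, so each character carries about 5.6 bits instead of 6.1; a 16-character password from the reduced alphabet still has roughly 90 bits, and `length_for_bits` tells you how long to go for a given target.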
I've only recently started working with asp.net and c#. Is there a standard practice set of web.config settings for a live final website? There seem to be a ton of options available and I'm looking to streamline performance, close possible security holes and other unnecessary options.
...
I'm going to be implementing a PHP/mySQL setup to store credit card information. It seems like AES_ENCRYPT/AES_DECRYPT is the way to go, but I'm still confused on one point: how do I keep the encryption key secure? Hardwiring it into my PHP scripts (which will live on the same server as the db) seems like a major security hole. What's th...
We're in the process of setting up a new framework and way of doing business for our new internal apps. Our current design dictates that all security logic should be handled by our database, and all information (and I mean all) will be going in and out of the database via stored procedures.
The theory is, the data access layer requests ...
I get the following error message in SQL Server 2005:
User '<username>' does not have permission to run DBCC DBREINDEX for object '<table>'.
Which minimum role do I have to give to the user in order to run the command?
...
Are asymmetrical cryptographic keys fundamentally inter-convertible between the major key container formats? For example, can I convert an X.509 key file into a PGP or OpenGPG key file?
And--assuming the answer is yes--is it "security neutral" to keep one key pair in whatever format and convert into whichever container file format is n...
Best practices recommend not installing Sql Server to run as SYSTEM. What is the bare minimum you need to give the user account you create for it?
...
I was messing around with RhinoMocks this morning and couldn't run my tests because RhinoMocks.dll was not in a "trusted location". The assembly is in my c:\documents and settings\\My Documents\Visual Studio 2008\Projects (and so on) folder. What's the deal?
...
Hi
A database that stores a lot of credit card information is an inevitable part of the system we have just completed. What I want though is ultimate security of the card numbers, whereby we set up a mechanism to encrypt and decrypt but we ourselves cannot decrypt any given number.
What I am after is a way to secure this information eve...
I'm thinking about purchasing DnGuard, a .Net Protection tool.
Judging by the cracking community it seems to be one of the stronger solutions.
Link: DnGuard
Here are my personal pros and cons so far:
cons:
very expensive (at least for me). The professional version I'm interested in costs $1,299 at the moment.
Their Site is often slow a...
Erasing programs such as Eraser recommend overwriting data maybe 36 times.
As I understand it, all data is stored on a hard drive as 1s or 0s.
If an overwrite of random 1s and 0s is carried out once over the whole file then why isn't that enough to remove all traces of the original file?
...