security

How safe are PHP's native functions to use with unfiltered input?

Maybe I am being a bit paranoid, but as I am re-writing a contact module, the following question came to mind: can I use unfiltered input in PHP's native functions? It is easy to sanitize stuff to put in a database, output to the screen, etc., but I was wondering if, for example, the following statement could be dangerous: if (file_e...

SQL Server (2000 & 2005) query for security/role info

I need a query to display information about the users, roles and privileges within a SQL Server 2000 and SQL Server 2005 database. ...

"Access Denied" when trying to connect to remote IIS server - C#

I receive an "Access Denied" COMException when I try to connect to a remote IIS 6 server from my C# application that is running under IIS 5.1. Any ideas? I am experiencing all the same issues as the original questions. Update - 4/1/09: I found this solution (http://www.codeproject.com/KB/cs/Start_Stop_IIS_Website.aspx) that consists...

Never-ending https loop

I'm using NoScript and found out that it has a function to force sites to use a secure connection. I tried forcing a few sites, but when I try going to any of them I get a blank tab and my status bar acts like it's constantly reloading. I had a Greasemonkey script that forced a secure connection before I found the NoScript option, but the Gr...

Applet hangs in IE during security phase

The applet is in a signed JAR. The last line in the console reads: "security: Checking if certificate is in Deployment permanent certificate store". CPU and memory usage are normal. Other page elements still respond. It's just that the applet is not displayed. There is another applet in the same page, but it works. Any ideas? Thread dump fo...

When to disable "save password" functionality on your login form?

I have a public-facing website that is used to manage business infrastructure equipment for my clients. A security breach on this website could cause expensive problems for clients. A number of different websites--mostly banks, health care, and government--disable the "save password" dialog from appearing in Firefox, IE, and other brows...

Should I htmlspecialchar() variables inside <title></title>?

Is it necessary to filter/escape unsafe variables in <title> or other tags in <head> to prevent XSS? ...
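The reason the answer is yes, shown as an added example (not code from the question): the content of <title> is parsed as RCDATA, so the only sequence that ends it is a literal "</title", and anything after that is parsed as ordinary markup. Entity-encoding the value removes that sequence while the browser still displays the decoded text. The hardened version uses Python's html.escape; the payload and the minimal tokenizer emulation are constructed for the demonstration.

```python
import html

PAYLOAD = 'Report</title><script>alert(document.cookie)</script><title>'  # constructed


def render_title_unsafe(untrusted: str) -> str:
    # Vulnerable: the value is inserted verbatim into the RCDATA element.
    return f"<title>{untrusted}</title>"


def render_title(untrusted: str) -> str:
    # Hardened: entity-encode. In RCDATA the browser decodes entities for
    # display but never re-tokenises the decoded text as tags.
    return f"<title>{html.escape(untrusted, quote=True)}</title>"


def render_meta_description(untrusted: str) -> str:
    # Attribute context in <head>: the quote character must be encoded as
    # well, which is why quote=True matters there.
    return f'<meta name="description" content="{html.escape(untrusted, quote=True)}">'


def markup_after_title(markup: str) -> str:
    """Emulate the one tokenizer rule that matters here: inside <title> the
    element ends at the first literal '</title'. Return what a browser would
    go on to parse as ordinary markup after that point ('' if nothing)."""
    body = markup[len("<title>"):]
    idx = body.lower().find("</title")
    if idx < 0:
        return ""
    return body[idx + len("</title>"):]


if __name__ == "__main__":
    print("unsafe  ->", markup_after_title(render_title_unsafe(PAYLOAD)))
    print("escaped ->", repr(markup_after_title(render_title(PAYLOAD))))
    print(render_meta_description('x" onload="alert(1)'))
```

The same rule applies to <style> and <script> bodies (raw text elements), where entity encoding does not help at all; untrusted data should not be placed there in the first place.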

good resource about assert policies in WSE3

Hi, where can I find a good resource about assert policies in WSE3? ...

Public ASP.NET Application Security Considerations

An extremely secure ASP.NET application is having to be written at my work and instead of trawling through the Internet looking for best practices I was wondering as to what considerations and generally what things should be done to ensure a public web application is safe. Of course we've taken into consideration user/pass combinations ...

SMTP header injection in ASP.NET?

My ASP.NET website has a global error handler that sends an email to me (and another developer) when there is any kind of error in the web app. We recently received an error which contained a CC to an email address that we'd never heard of. The scary thing is that the list of developers that the error email is sent to is hard coded in ...
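How a hard-coded recipient list still ends up with an extra Cc, as an added example rather than the questioner's code: if any header value (the subject is the usual one) is assembled from request-controlled data by string concatenation, a CR/LF inside that value starts a new header line, and the mail server honours it. The fix is to reject line breaks in every header value; the body, which is separated from the headers by a blank line, can carry them safely. The injected subject and addresses below are constructed.

```python
import re
from typing import Dict, List

_NEWLINE = re.compile(r"[\r\n]")

# Constructed values: a request-derived string that ends up in the subject,
# and the fixed developer list the error handler always uses.
INJECTED_SUBJECT = "Unhandled exception on /checkout\r\nCc: attacker@example.invalid"
DEVELOPERS = ["dev1@example.invalid", "dev2@example.invalid"]
SENDER = "errors@example.invalid"


def build_message_unsafe(sender: str, recipients: List[str], subject: str, body: str) -> str:
    """Vulnerable: header values are concatenated verbatim, so a CR/LF inside
    any of them becomes a new header line the MTA will act on."""
    lines = [
        f"From: {sender}",
        f"To: {', '.join(recipients)}",
        f"Subject: {subject}",
    ]
    return "\r\n".join(lines) + "\r\n\r\n" + body


def header_value(value: str) -> str:
    """Reject rather than strip: a single header never legitimately contains a
    line break, and silently stripping would hide the attempt from the logs."""
    if _NEWLINE.search(value):
        raise ValueError(f"header injection attempt: {value!r}")
    return value


def accepts_header(value: str) -> bool:
    try:
        header_value(value)
        return True
    except ValueError:
        return False


def build_message(sender: str, recipients: List[str], subject: str, body: str) -> str:
    """Hardened: every header value passes through header_value(); the body is
    placed after the blank line, where line breaks are data, not structure."""
    lines = [
        f"From: {header_value(sender)}",
        f"To: {', '.join(header_value(r) for r in recipients)}",
        f"Subject: {header_value(subject)}",
    ]
    return "\r\n".join(lines) + "\r\n\r\n" + body


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Split the header block the way a receiving MTA does; used only to show
    what the vulnerable builder actually produced."""
    head = raw.split("\r\n\r\n", 1)[0]
    out: Dict[str, List[str]] = {}
    for line in head.split("\r\n"):
        name, _, value = line.partition(":")
        out.setdefault(name.strip().lower(), []).append(value.strip())
    return out


if __name__ == "__main__":
    raw = build_message_unsafe(SENDER, DEVELOPERS, INJECTED_SUBJECT, "stack trace here")
    print(parse_headers(raw))           # a 'cc' header appears that nobody configured
    print(accepts_header(INJECTED_SUBJECT))  # False: the hardened builder refuses it
```

Where the mail API takes structured address and subject objects instead of a raw string, use them, but keep the check: the library may or may not validate, and the log of refused values is what tells you somebody is probing the error handler.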

Decrypt string C#

My company is in the process of taking over a members only website from a 3rd party. We have re-written the website and the last step is to import the existing users. We have the database with users and their passwords. We also were given the 'key' and were told that the password field is encrypted with AES encryption. I need to decr...

yet another cross frame scripting question - getting selected text

I've been struggling with a problem for a few hours now, and I would appreciate either some help in accomplishing my goal, or confirmation that what I'm trying to do is in fact impossible. I have a webapp that takes the selected text (document.getSelection()) as input, from an arbitrary webpage. While it would be possible to use a bookm...

cookies created in WordPress (latest)

I just installed WordPress (the latest) and I'm trying to study WordPress to make my creations secure like WordPress does, or to its level. I noticed that upon logging into WordPress, it created 3 cookies. What I'm trying to figure out is: after logging into WordPress and after it created the cookies for the user, the hash values that are i...

Authorization Asp.net web.config

I have an application that has a backoffice. This backoffice was isolated with the use of roles like this:

    <location path="backoffice">
      <system.web>
        <authorization>
          <allow roles="admin"/>
          <deny users="*"/>
        </authorization>
      </system.web>
    </location>

But now we have another type of role that needs access. T...

Can I remove sa login from SQL server?

I am a beginner in database field and this question might sound too stupid but I want to know why there is a login called sa and can I delete it? I want to delete it because it seems to have pretty serious privileges on database server! If it matters, I am using SQL Server Express 2008. ...

https URL with token parameter : how secure is it?

On our site, we provide to users a simulation based on their private information (given through a form). We would like to allow them to get back on their simulation results later, but without forcing them to create a login/password account. We have thought of sending them an email with a link, from which they could get back their resul...
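What the token in such a link has to be for the scheme to hold up, as an added example (not the site's code): unguessable (drawn from a CSPRNG, not a counter or a hash of the user's data), bound server-side to one result set, expiring, and stored only as a hash so that a copied database does not yield working links. The store, simulation ids and times below are constructed; the URL shape is an assumption.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Server-side table: sha256(token) -> (simulation_id, expiry as a Unix time).
# Holding the hash rather than the token means a leaked copy of this table is
# useless to an attacker, exactly as with password hashes.
TokenStore = Dict[str, Tuple[str, float]]

ONE_WEEK = 7 * 24 * 3600


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_link_token(store: TokenStore, simulation_id: str, now: float,
                     ttl_seconds: float = ONE_WEEK) -> str:
    """Mint a 256-bit random token, remember its hash, return the raw token
    (which goes into the e-mail link and nowhere else)."""
    token = secrets.token_urlsafe(32)
    store[_digest(token)] = (simulation_id, now + ttl_seconds)
    return token


def redeem_link_token(store: TokenStore, token: str, now: float) -> Optional[str]:
    """Return the simulation id the token is bound to, or None if the token is
    unknown, tampered with, or expired. Expired entries are dropped."""
    key = _digest(token)
    entry = store.get(key)
    if entry is None:
        return None
    simulation_id, expires_at = entry
    if now > expires_at:
        del store[key]
        return None
    return simulation_id


def result_url(base: str, token: str) -> str:
    # Assumed URL layout; the token is the only secret the link carries.
    return f"{base}/simulation?t={token}"


if __name__ == "__main__":
    store: TokenStore = {}
    t = issue_link_token(store, "sim-42", now=1_000.0)
    print(result_url("https://example.invalid", t))
    print(redeem_link_token(store, t, now=2_000.0))              # sim-42
    print(redeem_link_token(store, t, now=1_000.0 + 8 * 86400))  # None: expired
```

The remaining exposure is that the token travels in a URL: it lands in the mailbox, browser history, proxy and server logs, and in the Referer header of any third-party resource the results page loads. A short lifetime, a results page that loads no third-party content, and a "send me a new link" flow instead of a permanent URL keep that manageable without a password.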

CSS Friendly Control Adapters causes security error?

I just added a reference to the CSS Friendly Control Adapters dll and added the following file (CSSFriendlyAdapters.browser) to my "App_Browsers" folder: <browsers> <browser refID="Default"> <controlAdapters> <adapter controlType="System.Web.UI.WebControls.TreeView" adapterType="CSSFriendly.TreeViewAdapter" />...

How easily can you guess a GUID that might be generated?

GUIDs get used a lot in creating session keys for web applications. I've always wondered about the safety of this practice. Since the GUID is generated based on information from the machine and the time, along with a few other factors, how hard is it to guess likely GUIDs that will come up in the future? Let's say you started 1000...
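How much of a version-1 GUID is actually unknown to someone who has seen one, as an added example (not from the question): of its 122 variable bits, 48 are the node (MAC address) and 14 the clock sequence, both constant for a running process, so once a single GUID leaks only the 60-bit timestamp (100 ns ticks) separates it from the next ones issued. The node and clock sequence below are constructed stand-ins for one server; the comparison uses Python's uuid module.

```python
import secrets
import uuid

# Constructed stand-ins for one server process.
NODE = 0x0050_56C0_0008
CLOCK_SEQ = 0x1234


def v1_field_variation(n: int = 1000) -> dict:
    """Generate n version-1 GUIDs from one 'machine' and report which of the
    three fields (60-bit time, 14-bit clock sequence, 48-bit node) varied."""
    ids = [uuid.uuid1(node=NODE, clock_seq=CLOCK_SEQ) for _ in range(n)]
    times = [u.time for u in ids]
    return {
        "distinct_nodes": len({u.node for u in ids}),
        "distinct_clock_seqs": len({u.clock_seq for u in ids}),
        "distinct_times": len(set(times)),
        "time_strictly_increasing": all(a < b for a, b in zip(times, times[1:])),
    }


def candidates_between(observed: uuid.UUID, target: uuid.UUID) -> int:
    """Once one v1 GUID has leaked, node and clock sequence are known, so the
    number of candidates to enumerate for a GUID issued `target` later is just
    the difference in timestamp ticks: about 10**7 per second of elapsed time,
    which is a trivial search compared with 2**122."""
    if observed.version != 1 or target.version != 1:
        raise ValueError("only version-1 GUIDs are time-ordered")
    return target.time - observed.time


def session_token() -> str:
    """What a session key should be instead: 256 bits from the OS CSPRNG."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    print(v1_field_variation())
    first = uuid.uuid1(node=NODE, clock_seq=CLOCK_SEQ)
    later = uuid.uuid1(node=NODE, clock_seq=CLOCK_SEQ)
    print("candidates to try:", candidates_between(first, later))
    print("version nibble of uuid4:", uuid.uuid4().version)
    print("session token:", session_token())
```

Check the version nibble (the first hex digit of the third group) of what your platform hands out: only version 4 is meant to be random, and even then the quality of the generator behind it is the platform's business, not a guarantee the format gives you. A session key wants a CSPRNG output of at least 128 bits, regardless of whether it is formatted as a GUID.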

Deploying custom Asp.net applications to same IIS site as Sharepoint

I am attempting to set up an ASP.NET application on the same site as SharePoint. So where http://sharepointurl is the URL for SharePoint, to access the application the URL would be http://sharepointurl/MyCustomWebApp/. I have set up an IIS application at this level, but attempting to run the application with a custom DLL in the bin result...

How to prevent a user from registering multiple accounts to vote themselves up

This question isn't about preventing a single user from registering multiple accounts. It is assuming that registering multiple accounts cannot be prevented, but what we want to avoid/detect is when the user is using the accounts to vote for himself. This would apply to sites like SO or digg, where a user creates a 2nd account solely fo...
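One way to detect, rather than prevent, the second account, as an added example that is not part of the question: flag a voter only when its votes go almost exclusively to one beneficiary and there is an independent link between the two (the same registration IP, or an account created just before it started voting). Exclusivity alone is a poor signal, since a genuine fan looks the same. The accounts and vote log below are constructed; the thresholds are assumptions to tune against real data.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed registration records and vote log.
ACCOUNTS = {
    "alice":  {"reg_ip": "203.0.113.10", "created": datetime(2009, 1, 5)},
    "bob":    {"reg_ip": "198.51.100.7", "created": datetime(2009, 1, 7)},
    "carol":  {"reg_ip": "192.0.2.44",   "created": datetime(2009, 2, 1)},
    "dave":   {"reg_ip": "192.0.2.45",   "created": datetime(2008, 12, 1)},
    "alice2": {"reg_ip": "203.0.113.10", "created": datetime(2009, 3, 1)},
}
VOTES = [  # (voter, target, when)
    ("alice2", "alice", datetime(2009, 3, 1, 9)),
    ("alice2", "alice", datetime(2009, 3, 1, 10)),
    ("alice2", "alice", datetime(2009, 3, 2, 8)),
    ("alice2", "alice", datetime(2009, 3, 2, 12)),
    ("carol", "alice", datetime(2009, 2, 10)),   # mixed voting: not exclusive
    ("carol", "bob", datetime(2009, 2, 11)),
    ("carol", "alice", datetime(2009, 2, 12)),
    ("dave", "alice", datetime(2009, 1, 20)),    # exclusive, but an old account
    ("dave", "alice", datetime(2009, 1, 21)),    # on a different IP: a fan
    ("dave", "alice", datetime(2009, 1, 22)),
    ("bob", "carol", datetime(2009, 2, 20)),     # too few votes to judge
]


def suspicious_voters(votes: List[Tuple[str, str, datetime]],
                      accounts: Dict[str, dict],
                      min_votes: int = 3,
                      min_share: float = 0.9,
                      new_account_days: int = 2) -> Dict[str, Tuple[str, List[str]]]:
    """Return {voter: (beneficiary, reasons)} for voters that concentrate their
    votes on one account AND are linked to it by registration IP or by having
    been created just before they voted. Thresholds are assumed, not measured."""
    by_voter: Dict[str, List[Tuple[str, datetime]]] = defaultdict(list)
    for voter, target, when in votes:
        by_voter[voter].append((target, when))

    flagged: Dict[str, Tuple[str, List[str]]] = {}
    for voter, cast in by_voter.items():
        beneficiary, count = Counter(t for t, _ in cast).most_common(1)[0]
        if count < min_votes or count / len(cast) < min_share:
            continue                                   # not concentrated enough
        reasons = []
        if accounts[voter]["reg_ip"] == accounts[beneficiary]["reg_ip"]:
            reasons.append("same registration IP as beneficiary")
        last_vote = max(w for t, w in cast if t == beneficiary)
        if last_vote - accounts[voter]["created"] <= timedelta(days=new_account_days):
            reasons.append(f"all votes cast within {new_account_days} days of registration")
        if reasons:
            flagged[voter] = (beneficiary, reasons)
    return flagged


if __name__ == "__main__":
    for voter, (who, why) in suspicious_voters(VOTES, ACCOUNTS).items():
        print(f"{voter} -> {who}: {'; '.join(why)}")
```

Run this as a periodic job over the vote table rather than at vote time; the output is a review queue, not an automatic ban, because shared IPs (NAT, offices, campuses) produce false positives on their own.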