Search Results

Search found 97980 results on 3920 pages for 'code security'.

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Page 312/3920 | < Previous Page | 308 309 310 311 312 313 314 315 316 317 318 319  | Next Page >

  • What's the best, Escape then store Or store then escape the output?

    - by Axel
    Hi, After doing a long search on stackoverflow i didn't find any one talked about this even if it's a big choice, the Question is what's the best in order to prevent both of XSS and SQL injection, Escaping the data then store it in the DB or Store it as it is and escape when output it? Note: it is better if you give some examples of practics if possible. Thanks

    Read the article

  • Correct way to safely store token/secret/etc from OAuth?

    - by viatropos
    I just started looking into OAuth and it looks really nice. I have oauth with twitter working in ruby right now. Now I'm wondering, what is the recommended safe way to store the responses in my local database and session? What should I store? Where should I store it? This example twitter-oauth-with-rails app stores a user.id in the session, and the user table has the token and secret. But that seems like it'd be really easy to hack and get the secret by just passing in a slew of test user ids, no?

    Read the article

  • Documents/links on preventing HTML form fiddling?

    - by larryq
    Hi everyone, I'm using ASP.Net but my question is a little more general than that. I'm interested in reading about strategies to prevent users from fooling with their HTML form values and links in an attempt to update records that don't belong to them. For instance, if my application dealt with used cars and had links to add/remove inventory, which included as part of the URL the userid, what can I do to intercept attempts to munge the link and put someone else's ID in there? In this limited instance I can always run a check at the server to ensure that userid XYZ actually has rights to car ABC, but I was curious what other strategies are out there to keep the clever at bay. (Doing a checksum of the page, perhaps? Not sure.) Thanks for your input.

    Read the article

  • Should I Use Anchor, Button Or Form Submit For "Follow" Feature In Rails

    - by James
    I am developing an application in Rails 3 using a nosql database. I am trying to add a "Follow" feature similar to twitter or github. In terms of markup, I have determined that there are three ways to do this. 1) Use a regular anchor. (Github Uses This Method) <a href="/users/follow?target=Joe">Follow</a> 2) Use a button. (Twitter Uses This Method) <button href="/friendships/create/">Follow</button> 3) Use a form with a submit button. (Has some advantages for me, but I haven't see anyone do it yet.) <form method="post" id="connection_new" class="connection_new" action="/users/follow"> <input type="hidden" value="60d7b563355243796dd8496e17d36329" name="target" id="target"> <input type="submit" value="Follow" name="commit" id="connection_submit"> </form> Since I want to store the user_id in the database and not the username, options 1 and 2 will force me to do a database query to get the actual user_id, whereas option 3 will allow me to store the user_id in a hidden form field so that I don't have to do any database lookups. I can just get the id from the params hash on form submission. I have successfully got each of these methods working, but I would like to know what is the best way to do this. Which way is more semantic, secure, better for spiders, etc...? Is there a reason both twitter and github don't use forms to do this? Any guidance would be appreciated. I am leaning towards using the form method since then I don't have to query the db to get the id of the user, but I am worried that there must be a reason the big guys are just using anchors or buttons for this. I am a newb so go easy on me if I am totally missing something. Thanks!

    Read the article

  • require_owner code to limit controller actions not recognizing current user as owner

    - by bgadoci
    I am trying to restrict access to certain actions using a before_filter which seems easy enough. Somehow the ApplicationController is not recognizing that the current_user is the owner of the user edit action. When I take the filter off the controller correctly routes the current_user to their edit view information. Here is the code. Link to call edit action from user controller (views/questions/index.html.erb): <%= link_to "Edit Profile", edit_user_path(:current) %> ApplicationController (I am only posting the code that I think is affecting this but can post the whole thing if needed). class ApplicationController < ActionController::Base def require_owner obj = instance_variable_get("@#{controller_name.singularize.camelize.underscore}") # LineItem becomes @line_item return true if current_user_is_owner?(obj) render_error_message("You must be the #{controller_name.singularize.camelize} owner to access this page", root_url) return false end end and the before_filter class UsersController < ApplicationController before_filter :require_owner, :only => [:edit, :update, :destroy] #... end I simply get the rendering of the error message from the ApplicationController#require_owner action.

    Read the article

  • Code in Global.asax prevents webpage from loading

    - by pete the pagan-gerbil
    I've made a static class to hold a number of configuration values (and also swap these values out in unit tests). If I initialise it in the Global.asax, the code runs correctly but the page doesn't load at all, and trying to navigate to a specific page fails. I can't initialise the values in a constructor or inline on the field declarations, because I need to be able to swap the values out in unit tests before the web.config is interrogated. Basically, putting the one line "ConfigClass.SetValues()" in the Global.asax prevents the app from loading correctly (although, as I say, it runs the code fine) and removing it again makes the app load properly - but without the class values initialised. As an aside, I'm sure I had this working correctly and being initialised in the Global.asax yesterday. I'm positive I didn't take any action to change or break it... Does anyone have advice on how I might track down what's going on here? Was I mistaken that it worked before (always possible) and that I need to go back and redesign something?

    Read the article

  • how to speed up the code??

    - by kaushik
    in my program i have a method which requires about 4 files to be open each time it is called,as i require to take some data.all this data from the file i have been storing in list for manupalation. I approximatily need to call this method about 10,000 times.which is making my program very slow? any method for handling this files in a better ways and is storing the whole data in list time consuming what is better alternatives for list? I can give some code,but my previous question was closed as that only confused everyone as it is a part of big program and need to be explained completely to understand,so i am not giving any code,please suggest ways thinking this as a general question... thanks in advance

    Read the article

  • Self-signed ceritificates for many users/browsers/sites

    - by Demiurg
    Here is my problem - I have a lot of users using different browsers accessing many internal web sites using https. I can create my own Certificate Authority, than create a certificate for each server and after that have all the users import it. Obviously, it cannot work in reality - there are too many users and too many sites, and some sites will be added in the future. I'm looking for a way to automate this. Is there a way to create a certificate so that all major browsers (IE, FF, Opera, Chrome and Safari) would trust it for all servers ? If so, what is the best way to install it automatically in all major browsers ?

    Read the article

  • CSRF protecting and cross site form access

    - by fl00r
    Hi. I aw working on cross site authentication (some domains have got common authentication). So I want to send authentication data (login, password) to main domain from others. How should I use protect_from_forgery and how can I check if data received from valid domain? What I am thinking now is to turn off protect_from_forgery for session controller and check domain name of received data. But maybe I can configure CSRF protection for not only one domain?

    Read the article

  • Python 2.6 and 3.1.1, earlier version compatibility

    - by Todd
    I ordered three books to start teaching myself Python - a beginning programming book, a computer science book that uses Python for all of its code references, and a book on Python network programming. Unfortunately, I was a little too quick on ordering them, because I hadn't noticed the version differences. The beginner book is for python 3.1, the CS book is Python 2.3, and the last is Python 2.6. The CS book is also oriented towards beginners. My question is, will the different versions be too different at this level for me to effectively use all three, or will I likely be able to get by learning from the 3.1 beginners book and then sort of teach myself from the 2.3 CS book, and be able to comprehend 2.6 code? That probably didn't make sense. I hope it did.

    Read the article

  • Can this be improved? Scrubing of dangerous html tags.

    - by chobo2
    I been finding that for something that I consider pretty import there is very little information or libraries on how to deal with this problem. I found this while searching. I really don't know all the million ways that a hacker could try to insert the dangerous tags. I have a rich html editor so I need to keep non dangerous tags but strip out bad ones. So is this script missing anything? It uses html agility pack. public string ScrubHTML(string html) { HtmlDocument doc = new HtmlDocument(); doc.LoadHtml(html); //Remove potentially harmful elements HtmlNodeCollection nc = doc.DocumentNode.SelectNodes("//script|//link|//iframe|//frameset|//frame|//applet|//object|//embed"); if (nc != null) { foreach (HtmlNode node in nc) { node.ParentNode.RemoveChild(node, false); } } //remove hrefs to java/j/vbscript URLs nc = doc.DocumentNode.SelectNodes("//a[starts-with(translate(@href, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz'), 'javascript')]|//a[starts-with(translate(@href, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz'), 'jscript')]|//a[starts-with(translate(@href, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz'), 'vbscript')]"); if (nc != null) { foreach (HtmlNode node in nc) { node.SetAttributeValue("href", "#"); } } //remove img with refs to java/j/vbscript URLs nc = doc.DocumentNode.SelectNodes("//img[starts-with(translate(@src, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz'), 'javascript')]|//img[starts-with(translate(@src, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz'), 'jscript')]|//img[starts-with(translate(@src, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz'), 'vbscript')]"); if (nc != null) { foreach (HtmlNode node in nc) { node.SetAttributeValue("src", "#"); } } //remove on<Event> handlers from all tags nc = doc.DocumentNode.SelectNodes("//*[@onclick or @onmouseover or @onfocus or @onblur or @onmouseout or @ondoubleclick or @onload or @onunload]"); if (nc != null) { foreach (HtmlNode node in nc) { node.Attributes.Remove("onFocus"); node.Attributes.Remove("onBlur"); node.Attributes.Remove("onClick"); node.Attributes.Remove("onMouseOver"); node.Attributes.Remove("onMouseOut"); node.Attributes.Remove("onDoubleClick"); node.Attributes.Remove("onLoad"); node.Attributes.Remove("onUnload"); } } // remove any style attributes that contain the word expression (IE evaluates this as script) nc = doc.DocumentNode.SelectNodes("//*[contains(translate(@style, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz'), 'expression')]"); if (nc != null) { foreach (HtmlNode node in nc) { node.Attributes.Remove("stYle"); } } return doc.DocumentNode.WriteTo(); }

    Read the article

  • Resuming execution of code after exception is thrown and caught

    - by dotnetdev
    Hi, How is it possible to resume code execution after an exception is thrown? For exampel, take the following code: namespace ConsoleApplication1 { class Test { public void s() { throw new NotSupportedException(); string @class = "" ; Console.WriteLine(@class); Console.ReadLine(); } } class Program { static void Main(string[] args) { try { new Test().s(); } catch (ArgumentException x) { } catch (Exception ex) { } } } } After catching the exception when stepping through, the program will stop running. How can I still carry on execution? Thanks

    Read the article

  • Too much data for RSA block fail. What is PKCS#7?

    - by Tom Brito
    Talking about javax.crypto.Cipher; I was trying to encrypt data using Cipher.getInstance("RSA/None/NoPadding", "BC"); but I got the exception: ArrayIndexOutOfBoundsException: too much data for RSA block Looks like is something related to the "NoPadding", so, reading about padding, looks like CBC is the best approach to use here. I found at google something about "RSA/CBC/PKCS#7", what is this "PKCS#7"? And why its not listed on sun's standard algorithm names?

    Read the article

  • mysqli_stmt_bind_param SQL Injection

    - by profitphp
    Is there still an injection risk when using prepared statements and mysqli_stmt_bind_param? For example: $malicious_input = 'bob"; drop table users'; mysqli_stmt_bind_param($stmt, 's', $malicious_input); Behind the scenes does mysqli_stmt_bind_param pass this query string to mysql: SET @username = "bob"; drop table users"; Or does it perform the SET command through the API, or use some type of protection to keep this from happening?

    Read the article

  • Use Apache authentication in Django without popup

    - by chernevik
    I am using Apache to authenticate users for Django, but I would like to do so without the popup form that Apache uses in its basic configuration. How do I embed the login form within a page while still using Apache for authentication? That is, I'd like a page that says "Please login" and provides a form asking for username and password, and passes this information on to Apache for authentication. (I'd do this over an SSL connection, of course.)

    Read the article

  • Best evidence to offer a sandboxed appdomain for a C# evaluator.

    - by scope-creep
    I have a c# evaluator which uses the (I think) the .Net 4 new simplified sandboxed appdomain model to host the c# assembly, with remoting doing the rest. The call to create the appdomain is Evidence ev = new Evidence(); ev.AddHostEvidence(new Zone(SecurityZone.Trusted)); PermissionSet pset = SecurityManager.GetStandardSandbox(ev); AppDomainSetup ads = new AppDomainSetup(); ads.ApplicationBase = "C:\\Sandbox"; // Create the sandboxed domain. AppDomain sandbox = AppDomain.CreateDomain( "Sandboxed Domain", ev, ads, pset, null); The c# eval is embedded in a server app, but I don't want give the sandbox to much control unless it bo bo's the caller. What i'm looking for is regarding some clarification as to what to provide as Evidence from the caller. I'm looking for advice and guidance. Any help would be appreciated.

    Read the article

  • How to Run NUnit Tests from C# Code

    - by Dror Helper
    I'm trying to write a simple method that receives a file and runs it using NUnit. The code I managed to build using NUnit's source does not work: if(openFileDialog1.ShowDialog() != DialogResult.OK) { return; } var builder = new TestSuiteBuilder(); var testPackage = new TestPackage(openFileDialog1.FileName); var directoryName = Path.GetDirectoryName(openFileDialog1.FileName); testPackage.BasePath = directoryName; var suite = builder.Build(testPackage); TestResult result = suite.Run(new NullListener(), TestFilter.Empty); The problem is that I keep getting an exception thrown by builder.Build stating that the assembly was not found. What am I missing? Is there some other way to run the test from the code (without using Process.Start)?

    Read the article

  • Is DB logging more secure than file logging for my PHP web app?

    - by iama
    I would like to log errors/informational and warning messages from within my web application to a log. I was initially thinking of logging all of these onto a text file. However, my PHP web app will need write access to the log files and the folder housing this log file may also need write access if log file rotation is desired which my web app currently does not have. The alternative is for me to log the messages to the MySQL database since my web app is already using the MySQL database for all its data storage needs. However, this got me thinking that going with the MySQL option is much better than the file option since I already have a configuration file with the database access information protected using file system permissions. If I now go with the log file option I need to tinker the file and folder access permissions and this will only make my application less secure and defeats the whole purpose of logging. Is this correct? I am using XAMPP for development and am a newbie to LAMP. Please let me know your recommendations for logging. Thanks.

    Read the article

  • Where is the probem in this code (javascript)?

    - by user318068
    Hi I have a problem in my code. can anybody help me ... <html> <body> <script type="text/javascript"> <?php $conn = mysql_connect("localhost","root"); mysql_select_db("tr", $conn); $q = mysql_query("SELECT message FROM messages WHERE to_viewed = '0' "); if (mysql_num_rows($q)) { require('pm.php'); ?> var answer = confirm("you have new message "); <?php } ?> if (answer) { window.location = "http:>>>/"; } else { } //--> </script> </body> </html> Thanks .... The error that appears in my code is that the confirm is not working if I open my page (no output)

    Read the article

  • The difference between the 'Local System' account and the 'Network Service' account?

    - by jmatthias
    I have written a Windows service that spawns a separate process. This process creates a COM object. If the service runs under the 'Local System' account everything works fine, but if the service runs under the 'Network Service' account, the external process starts up but it fails to create the COM object. The error returned from the COM object creation is not a standard COM error (I think it's specific to the COM object being created). So, how do I determine how the two accounts, 'Local System' and 'Network Service' differ? These built-in accounts seem very mysterious and nobody seems to know much about them.

    Read the article

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

< Previous Page | 308 309 310 311 312 313 314 315 316 317 318 319  | Next Page >