Search Results

Search found 6690 results on 268 pages for 'worst practices'.

Page 91/268 | < Previous Page | 87 88 89 90 91 92 93 94 95 96 97 98  | Next Page >

  • What are the weaknesses of this user authentication method?

    - by byronh
    I'm developing my own PHP framework. It seems all the security articles I have read use vastly different methods for user authentication than I do, so I could use some help in finding security holes. Some information that might be useful before I start: I use mod_rewrite for my MVC URLs. Passwords are sha1 and md5 encrypted with a 24-character salt unique to each user. mysql_real_escape_string and/or variable typecasting on everything going in, and htmlspecialchars on everything coming out.

    Step-by-step process:
    - Top of every page: session_start(); session_regenerate_id();
    - If the user logs in via the login form, generate a new random token to put in the user's MySQL row. A hash is generated based on the user's salt (from when they first registered) and the new token. Store the hash and plaintext username in session variables, and duplicate them in cookies if 'Remember me' is checked.
    - On every page, check for cookies. If cookies are set, copy their values into session variables. Then compare $_SESSION['name'] and $_SESSION['hash'] against the MySQL database. Destroy all cookies and session variables if they don't match so they have to log in again.
    - If the login is valid, some of the user's information from the MySQL database is stored in an array for easy access. So far, I've assumed that this array is clean, so when limiting user access I refer to user.rank and deny access if it's below what's required for that page.

    I've tried to test all the common attacks like XSS and CSRF, but maybe I'm just not good enough at hacking my own site! My system seems way too simple for it to actually be secure (the security code is only 100 lines long). What am I missing? I've also spent a lot of time searching for the vulnerabilities with mysql_real_escape_string but I haven't found any information that is up-to-date (everything is from several years ago at least and has apparently been fixed). All I know is that the problem was something to do with encoding. If that problem still exists today, how can I avoid it?
Any help will be much appreciated.

  • DRYing up Rails Views with Nested Resources

    - by viatropos
    What is your solution to the problem if you have a model that is both not-nested and nested, such as products: a "Product" can belong_to say an "Event", and a Product can also just be independent. This means I can have routes like this:

        map.resources :products # /products
        map.resources :events do |event|
          event.resources :products # /events/1/products
        end

    How do you handle that in your views properly? Note: this is for an admin panel. I want to be able to have a "Create Event" page, with a side panel for creating tickets (Product), forms, and checking who's RSVP'd. So you'd click on the "Event Tickets" side panel button, and it'd take you to /events/my-new-event/tickets. But there's also a root "Products" tab for the admin panel, which could list tickets and other random products. The 'tickets' and 'products' views look 90% the same, but the tickets will have some info about the event they belong to. It seems like I'd have to have views like this:

        products/index.haml
        products/show.haml
        events/products/index.haml
        events/products/show.haml

    But that doesn't seem DRY. Or I could have conditionals checking to see if the product had an Event (@product.event.nil?), but then the views would be hard to understand. How do you deal with these situations? Thanks so much.

  • Extension Methods - IsNull and IsNotNull, good or bad use?

    - by Jaimal Chohan
    I like readability. So, I came up with an extension method a few minutes ago for the (x != null) type syntax, called IsNotNull. Inversely, I also created an IsNull extension method, thus if(x == null) becomes if(x.IsNull()) and if(x != null) becomes if(x.IsNotNull()). However, I'm worried I might be abusing extension methods. Do you think that this is bad use of extension methods?

  • Counting down to zero in contrast to counting up to length - 1

    - by Helper Method
    Is it recommended to count in small loops (where possible) down from length - 1 to zero instead of counting up to length - 1?

    1.) Counting down

        for (int i = a.length - 1; i >= 0; i--) {
            if (a[i] == key) return i;
        }

    2.) Counting up

        for (int i = 0; i < a.length; i++) {
            if (a[i] == key) return i;
        }

    The first one is slightly faster than the second one (because comparing to zero is faster) but is a little more error-prone in my opinion. Besides, the first one could maybe not be optimized by future improvements of the JVM. Any ideas on that?

  • Overriding properties of child view controller vs setting them via parent view controller

    - by robinjam
    If you want to modify the default behaviour of a View Controller by changing the value of one of its properties, is it considered better form to instantiate the class and set its property directly, or subclass it and override the property? With the former it would become the parent View Controller's responsibility to configure its children, whereas with the latter the children would effectively configure themselves. EDIT: Some more information: The class I am referring to is FetchedTableViewController, a subclass of UITableViewController that I made to display the results of a Core Data fetch operation. There are two places I want to display the results of a fetch, and they each have different fetch requests. I'm trying to decide whether it's better to create a subclass for each one, and override the fetchRequest property, or make it the responsibility of the parent controller to set the fetchRequest property for its children.

  • Separation of interfaces and implementation

    - by bonefisher
    From an assembly (or module) perspective, what do you think of the separation of an Interface (assembly 1) and its Implementation (assembly 2)? In this way we can use some IoC container to develop a more decoupled design. Say we have an assembly 'A', which contains interfaces only. Then we have an assembly 'B' which references 'A' and implements those interfaces. It is dependent only on 'A'. In assembly 'C' we can then use the IoC container to create objects of 'A' using dependency injection of objects from 'B'. This way 'B' and 'C' are completely unaware (not dependent) of themselves.

  • Interface and base class mix, the right way to implement this

    - by Lerxst
    I have some user controls which I want to specify properties and methods for. They inherit from a base class, because they all have properties such as "Foo" and "Bar", and the reason I used a base class is so that I don't have to manually implement all of these properties in each derived class. However, I want to have a method that is only in the derived classes, not in the base class, as the base class doesn't know how to "do" the method, so I am thinking of using an interface for this. If I put it in the base class, I have to define some body to return a value (which would be invalid), and always make sure that the overriding method is not calling the base method. Is the right way to go about this to use both the base class and an interface to expose the method? It seems very round-about, but every way I think about doing it seems wrong... Let me know if the question is not clear; it's probably a dumb question but I want to do this right.

  • What is the proper way to code a read-while loop in Scala?

    - by ARKBAN
    What is the "proper" way of writing the standard read-while loop in Scala? By proper I mean written in a Scala-like way as opposed to a Java-like way. Here is the code I have in Java:

        MessageDigest md = MessageDigest.getInstance( "MD5" );
        InputStream input = new FileInputStream( "file" );
        byte[] buffer = new byte[1024];
        int readLen;
        while( ( readLen = input.read( buffer ) ) != -1 )
            md.update( buffer, 0, readLen );
        return md.digest();

    Here is the code I have in Scala:

        val md = MessageDigest.getInstance( hashInfo.algorithm )
        val input = new FileInputStream( "file" )
        val buffer = new Array[ Byte ]( 1024 )
        var readLen = 0
        while( readLen != -1 ) {
          readLen = input.read( buffer )
          if( readLen != -1 )
            md.update( buffer, 0, readLen )
        }
        md.digest

    The Scala code is correct and works, but feels very un-Scala-ish. For one, it is a literal translation of the Java code, taking advantage of none of the advantages of Scala. Further, it is actually longer than the Java code! I really feel like I'm missing something, but I can't figure out what. I'm fairly new to Scala, and so I'm asking the question to avoid falling into the pitfall of writing Java-style code in Scala. I'm more interested in the Scala way to solve this kind of problem than in any specific helper method that might be provided by the Scala API to hash a file. (I apologize in advance for my ad hoc Scala adjectives throughout this question.)

  • Use database field maxlength as html layout input maxlength best practice. asp.net mvc

    - by Andrew Florko
    Hello everybody, there are string length limitations in the database structure (email is declared as nvarchar[30], for instance). There are lots of HTML forms that have input textbox fields that should be limited in length for that reason. What is the best practice to synchronize database field and HTML layout input field length limitations? Can it be done automatically (HTML layout input fields declared with the same max length as the database data they represent)? Thank you in advance.

  • How to allow for modular development while still running in same JVM?

    - by Marcus
    Our current app runs in a single JVM. We are now splitting up the app into separate logical services where each service runs in its own JVM. The split is being done to allow a single service to be modified and deployed without impacting the entire system. This reduces the need to QA the entire system; we just need to QA the interaction with the service being changed. For interservice communication we use a combination of REST, an MQ system bus, and database views. What I don't like about this:
    - REST means we have to marshal data to/from XML
    - DB views couple the systems together, which defeats the whole concept of separate services
    - MQ / system bus is added complexity
    - There is inevitably some code duplication between services
    - You have to set up n JBoss server configurations, we have to do n deployments, n set-up scripts, etc, etc.

    Is there a better way to structure an internal application to allow modular development and deployment while allowing the app to run in a single JVM (and achieving the associated benefits)?

  • Should java try blocks be scoped as tightly as possible?

    - by isme
    I've been told that there is some overhead in using the Java try-catch mechanism. So, while it is necessary to put methods that throw checked exceptions within a try block to handle the possible exception, it is good practice performance-wise to limit the size of the try block to contain only those operations that could throw exceptions. I'm not so sure that this is a sensible conclusion. Consider the two implementations below of a function that processes a specified text file. Even if it is true that the first one incurs some unnecessary overhead, I find it much easier to follow. It is less clear where exactly the exceptions come from just from looking at statements, but the comments clearly show which statements are responsible. The second one is much longer and more complicated than the first. In particular, the nice line-reading idiom of the first has to be mangled to fit the readLine call into a try block. What is the best practice for handling exceptions in a function where multiple exceptions could be thrown in its definition?

    This one contains all the processing code within the try block:

        void processFile(File f) {
            try {
                // construction of FileReader can throw FileNotFoundException
                BufferedReader in = new BufferedReader(new FileReader(f));
                // call of readLine can throw IOException
                String line;
                while ((line = in.readLine()) != null) {
                    process(line);
                }
            } catch (FileNotFoundException ex) {
                handle(ex);
            } catch (IOException ex) {
                handle(ex);
            }
        }

    This one contains only the methods that throw exceptions within try blocks:

        void processFile(File f) {
            FileReader reader;
            try {
                reader = new FileReader(f);
            } catch (FileNotFoundException ex) {
                handle(ex);
                return;
            }
            BufferedReader in = new BufferedReader(reader);
            String line;
            while (true) {
                try {
                    line = in.readLine();
                } catch (IOException ex) {
                    handle(ex);
                    break;
                }
                if (line == null) {
                    break;
                }
                process(line);
            }
        }

  • Static classes in PHP via abstract keyword?

    - by Boldewyn
    According to the PHP manual, a class like this:

        abstract class Example {}

    cannot be instantiated. If I need a class without an instance, e.g. for a registry pattern:

        class Registry {}
        // and later:
        echo Registry::$someValue;

    would it be considered good style to simply declare the class as abstract? If not, what are the advantages of hiding the constructor as a protected method compared to an abstract class? Rationale for asking: As far as I see it, it could be a bit of feature abuse, since the manual refers to abstract classes more as blueprints for later classes with instantiation possibility.

  • Should non-English member names be changed to English?

    - by M.A. Hanin
    Situation: Automatically generated members, such as MenuStrip items, have their (automatically generated) names based on the text entered when the item was created. My most common situation is creating a menu strip and adding menu items by entering their text (using the graphical designer). Since my GUI is in Hebrew, all these members have a name which contains a Hebrew string, something like "(hebrew-text)ToolStripItem". When I create event handlers, the event handlers "inherit" the Hebrew text: "(hebrew-text)ToolStripMenuItem_Click". This actually works well; IntelliSense has no problem with Hebrew text, and neither does the compiler. The question is: should I change these names (or prevent them from being created in the first place)? What are the possible consequences of keeping those names?

  • Is str.replace(..).replace(..) ad nauseam a standard idiom in Python?

    - by meeselet
    For instance, say I wanted a function to escape a string for use in HTML (as in Django's escape filter):

        def escape(string):
            """
            Returns the given string with ampersands, quotes and angle brackets encoded.
            """
            return string.replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;').replace("'", '&#39;').replace('"', '&quot;')

    This works, but it gets ugly quickly and appears to have poor algorithmic performance (in this example, the string is repeatedly traversed 5 times). What would be better is something like this:

        def escape(string):
            """
            Returns the given string with ampersands, quotes and angle brackets encoded.
            """
            # Note that ampersands must be escaped first; the rest can be escaped in
            # any order.
            return replace_multi(string.replace('&', '&amp;'),
                                 {'<': '&lt;', '>': '&gt;', "'": '&#39;', '"': '&quot;'})

    Does such a function exist, or is the standard Python idiom to use what I wrote before?

  • Reverse search in Hibernate Search

    - by Javi
    Hello, I'm using Hibernate Search (which uses Lucene) for searching some Data I have indexed in a directory. It works fine but I need to do a reverse search. By reverse search I mean that I have a list of queries stored in my database and I need to check which one of these queries matches a Data object each time a Data object is created. I need it to alert the user when a Data object matches a Query he has created. So I need to index this single Data object which has just been created and see which queries of my list have this object as a result. I've seen the Lucene MemoryIndex class to create an index in memory, so I can do something like this example for every query in a list (though iterating over a Java list of queries would not be very efficient):

        //Iterating over my list<Query>
        MemoryIndex index = new MemoryIndex();
        //Add all fields
        index.addField("myField", "myFieldData", analyzer);
        ...
        QueryParser parser = new QueryParser("myField", analyzer);
        float score = index.search(query);
        if (score > 0.0f) {
            System.out.println("it's a match");
        } else {
            System.out.println("no match found");
        }

    The problem here is that this Data class has several Hibernate Search annotations (@Field, @IndexedEmbedded, ...) which indicate how fields should be indexed, so when I invoke the index() method on the FullTextEntityManager instance it uses this information to index the object in the directory. Is there a similar way to index it in memory using this information? Is there a more efficient way of doing this reverse search? Thanks

  • How to solve the problem of not being informed of successful payments by the 3rd party system used b

    - by user68759
    I have a subscription based website that interacts with a 3rd party system to handle the payments. The steps to process a new subscriber registration are as follows:
    - The subscriber enters his/her details in the subscription form and clicks on the submit button.
    - Assuming the details specified are valid, a new record is created in the database to store these details.
    - The subscriber is then redirected to the website of the 3rd party system (similar to PayPal) to process the payment.
    - Once the payment is successful, the 3rd party website then redirects the subscriber back to our website. At this time, I know that the payment was successful, so the record in the database is updated to indicate that payment has been made successfully.

    A problem that I have found occurring quite often is that if a subscriber pays but does not complete the process correctly (e.g. uses the browser back button, closes the window), his/her record in the database doesn't get updated about this. Accordingly, I don't know if s/he has paid by just looking at the record and need to wait for the report from the 3rd party system to find this out. How do you solve this problem? PS. One of the main reasons to store their details into the database before the payment process is done is so they can come back to complete the payment without re-entering their details again. For example, when their credit cards were rejected by the 3rd party system and they need to sort this out with their financial institution, which may take a while.

  • How do I put an ASP.NET website project and class library projects in one .sln file on Subversion

    - by JustinP8
    My company has several class libraries we use in multiple website projects (not web application projects). Website projects don't have .sln files, but I'm sure I've read in my past research that you can make a blank solution and put your website and class library projects in it. After answers to my previous questions, this is the direction that I'm going (based slightly on [http://amadiere.com/blog/2009/06/multiple-subversion-projects-in-one-visual-studio-solution-using-svnexternals/][1]):

        /websites
            /website1
                /trunk
                    /website1
        /libraries
            /library1
                /trunk
                    /library1
            /library2
                /trunk
                    /library2
            /etc...

    Then I planned on using svn:externals to copy /library1, /library2, and so on into the working_copy/websites/website1/ folder. I want my team members to be able to check out the /trunk folder for website1 and get a .sln file, /library1 external, /library2 external, etc. I want that .sln file to contain the website1 website project, and all of the library external projects. Hopefully that would look something like:

        /working_copy
            /websites
                /website1
                    /trunk
                        /website1
                        /library1 (svn:external of libraries/library1/trunk/library1)
                        /library2 (svn:external of libraries/library2/trunk/library2)
                        /etc.
                        website1.sln

    So, at the end of all of this, the goal is that my teammates check out the trunk, open the solution, and everyone has the exact same solution. When we commit, everything is committed appropriately to Subversion (the website code, and the libraries are committed to their appropriate place on the repo). How have others solved these issues? How can I make a .sln file that my team members and I can share in this manner? [1]: "This Article"

  • IEnumerable and IEnumerator in the same class, bad idea?

    - by David Rutten
    Is this a bad idea?

        Private Class GH_DataStructureEnumerator(Of Q As Types.IGH_Goo)
            Implements IEnumerable(Of Q)
            Implements IEnumerator(Of Q)
            ....
            ....
            'Current, MoveNext, Reset etc.'
            ....
            ....
            Public Function GetEnumerator_Generic() As IEnumerator(Of Q) _
                Implements IEnumerable(Of Q).GetEnumerator
                Return Me
            End Function
        End Class

    This class is only visible as an IEnumerable(Of T) readonly property, and it saves me an additional class that wraps IEnumerator(Of T). But somehow it just seems wrong. Is there a better way?

  • Guidelines for good webcrawler 'Etiquette'

    - by Harry
    I'm building a search engine (for fun) and it has just struck me that potentially my little project might wreak havoc by clicking on ads and all sorts of problems. So what are the guidelines for good webcrawler 'etiquette'? Things that spring to mind:
    - Observe robots.txt instructions
    - Limit the number of simultaneous requests to the same domain
    - Don't follow ad links?
    - Stopping the crawler from clicking on ads - This one is particularly on my mind at the moment... how do I stop my bot from 'clicking' on ads? If it is going straight to the URL in the ad, is it counted as a click?

  • Overcoming C limitations for large projects

    - by Francisco Garcia
    One aspect where C shows its age is the encapsulation of code. Many modern languages have classes, namespaces, packages... a much more convenient way to organize code than just a simple "include". Since C is still the main language for many huge projects, how do you overcome its limitations? I suppose that one main factor should be lots of discipline. I would like to know what you do to handle large quantities of C code, and which authors or books you can recommend.