secure-coding

问题 I want to create a temporary file in POSIX shell ( /bin/sh ). I found out that mktemp(1) doens't exist on my AIX box, and according to How portable is mktemp(1)?, it isn't that portable and/or secure anyway. So, what should I use instead ? 回答1: Why not use /dev/random ? It could be neater with perl but od and awk will do, something like: tempfile=XXX-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}') 回答2: You didn't exactly define "secure", but one element of it is probably to clean up

问题 <?php require_once 'login.php'; require_once 'welcome.php'; $db_server = mysql_connect($db_hostname,$db_username,$db_password); if(!$db_server) die("Unable to connect with MySql : " . mysql_error()); mysql_select_db($db_database) or die("Unable to connect with db"); echo <<<_END <form action = 'ps.php' method = 'post'><pre> Enter your Username <input type = 'text' name = 'username'> Enter your Password <input type = 'text' name = 'password'> <input type = 'submit' value = 'Cl1ck M3'> </pre><

问题 <?php require_once 'login.php'; require_once 'welcome.php'; $db_server = mysql_connect($db_hostname,$db_username,$db_password); if(!$db_server) die("Unable to connect with MySql : " . mysql_error()); mysql_select_db($db_database) or die("Unable to connect with db"); echo <<<_END <form action = 'ps.php' method = 'post'><pre> Enter your Username <input type = 'text' name = 'username'> Enter your Password <input type = 'text' name = 'password'> <input type = 'submit' value = 'Cl1ck M3'> </pre><

问题 I am looking for a comprehensive record of secure coding practices in C++. Since i haven't found such a list existing here already we might as well make this into a community wiki, for further reference. I am looking for solutions to security issues like stack and heap based buffer overflows and underflows, integer overflows and underflows, format string attacks, null pointer dereferencing, heap/memory inspection attacks, etc.. NB: Besides coding practices, secure libraries that defend

问题 How does one store sensitive data (ex: passwords) in std::string ? I have an application which prompts the user for a password and passes it to a downstream server during connection setup. I want to securely clear the password value after the connection has been established. If I store the password as a char * array, I can use APIs like SecureZeroMemory to get rid of the sensitive data from the process memory. However, I want to avoid char arrays in my code and am looking for something

问题 I need an IDE that will find problems in my code, those I have tried just don't do it good enough... Iv'e tried Eclipse and IntelliJ IDEA already. is there any good option? Thank you.. 回答1: My team recently released a public preview for DevSkim, an open-source IDE plugin that flags security issues as you type them. Think "spell-check for security bugs". It doesn't provide the same level of depth as "real" static analyzers (it's just using regular expressions), but we think it serves an

问题 I want to know whether the PHP serialize function is 100% secure, also if we store serialized data into a database and want to do something after fetching it, will it be a nice way. For example:- I have a website with different user privileges, now i want to store the permissions settings for a particular privilege to my database (This data i want to store is to be done through php serialize function), now when a user logs in i want to fetch this data and set the privilege for the customer.

问题 I am working on removing SECURITY CODING violation in my product. My code has lot of sprintf , coverity tool is suggesting me to use snprintf , But C++ also has std::stringstream . Will it be a good idea to use std::stringstream in place of snprintf 回答1: std::stringstream is typesafe, use operator <<, use internal buffer, part of C++, not so fast as sprintf . sprintf is not typesafe, not use c++ operators, use external buffer, use elipsis, which can works only with POD types, inherited from C

问题 I am currently working on a project which uses Blogger API from Google. Day before yesterday (saturday) someone attacked my application and grab the API Key, My daily limit for accessing posts is 100,000 (100K/24 hrs). I hit limit on Saturday (I suspect that those were fraudulent clicks made using my API key, since I've only around 4K customers using the application, I embedded the API key in client side code ). After that, In five minutes API limit reached again (after 24 hrs) 5K. So I

问题 Closed. This question is off-topic. It is not currently accepting answers. Want to improve this question? Update the question so it's on-topic for Stack Overflow. Closed 4 years ago . Are there any standard library methods that can filter out paths which include special traversal sequences, such as ../ and all other convoluted forms of upwards directory traversal, to safeguard a file path API input from traversing upwards of a given "root" path? I have a class that contains a root folder