security

问题 My goal is to safely open a web page in a users default browser. The URL for this web page is considered "untrusted" (think of it as a link in a document opened with this software, but the document could be from anywhere and the links in it could be malicious) I want to avoid someone passing "C:\Windows\malicious_code.exe" off as a URL My current thought is to do something like this: Uri url = new Uri(urlString, UriKind.Absolute); if( url.Scheme == Uri.UriSchemeHttp || url.Scheme == Uri

问题 Am new to web development. I am curious as to how people do it. I am writing some php code that uses a mysql DB. I have the password hardcoded in the code as of now. This code can be checked out by all devs and so every one has access to the password. Seems very very wrong to me. On top of that I can think of some complications. I am listing the issues in bullet point form - Password hard coded in code is wrong. I don't want all devs to have access to it as all of them can check out the code.

问题 Am new to web development. I am curious as to how people do it. I am writing some php code that uses a mysql DB. I have the password hardcoded in the code as of now. This code can be checked out by all devs and so every one has access to the password. Seems very very wrong to me. On top of that I can think of some complications. I am listing the issues in bullet point form - Password hard coded in code is wrong. I don't want all devs to have access to it as all of them can check out the code.

问题 THE GOAL: I am trying to allow externally loaded swf files communicate with each other that are locally loaded from the device. I need to be able to have access to vars and functions and objects. I have accheived this while loading swf content from the web here: as3 externally loaded swf from network to control externally loaded swf from network BUT WHEN I GIVE THE USER THE OPTION TO LOAD FROM DEVICE OR FROM ONLINE ... The device swf files can't communicate with each other. Specifically the

问题 I'm making a newsletter editor which will allow file uploads (the sender of the newsletter can upload files to the server which will be linked to in the email). The site is set up so that only .do URIs are actually executed/handled by servlets so it's not much of a security risk, but I've been told to blacklist .jsp, .php, .asp, .aspx, .exe, .com, and .bat. This does not strike me as a comprehensive blacklist, and I've the impression that blacklists are not a good policy. On the other hand, a

问题 I'm trying to set session data for users when they log in to my website. So if the user exists in db, I set a session data like : $this->session->set_userdata('user_exists','1'); Now every time i want to check if user exists and is logged i do: if($this->session->userdata('user_exists')){ //do somenthing for logged user } Now I'm wondering if this means that user is logged and exists in the database since he logged and I set him a session param, is this true? Or I'll get security problems? NB

问题 I'm trying to set session data for users when they log in to my website. So if the user exists in db, I set a session data like : $this->session->set_userdata('user_exists','1'); Now every time i want to check if user exists and is logged i do: if($this->session->userdata('user_exists')){ //do somenthing for logged user } Now I'm wondering if this means that user is logged and exists in the database since he logged and I set him a session param, is this true? Or I'll get security problems? NB

问题 There are reported problems with our web application which only seem to be happening at one client's site. For diagnostic purposes, is there any way you can get a client to send you their IE Security custom settings ? e.g. In IE 8, Tools -> Internet Options -> Security Tab, for the "Internet" zone, you can click "Custom Level" to see the custom security settings. Is there some way the user can export their settings to a text file or something ? Or are screen dumps the only way ? EDIT : sorry,

问题 I would like to remove vulnerabilities to XSS / JavaScript injection in a web application where users are allowed to use an editor like CKEditor which allows arbitrary HTML (and whether my specific choice of editor allows arbitrary HTML or not, blackhats will be able to submit arbitrary HTML anyway). So no JavaScript, whether SCRIPT tags, ONCLICK and family, or whatever else. The target platform is Python and Django. What are my best options here? I am open to an implementation that would

问题 is there any HTTP-header to disable Javascript for a specific page? My website delivers user-generated HTML-content (that is why I cannot just use htmlenitities ) and I would like to prevent scripting (JavaScript injections). I already use HttpOnly-cookies being set for authentication on the main domain only, while user content is only displayed on subdomains where the cookie cannot be read. The problem is that there are still too many possibilities to execute JavaScript - for example using