security

Is using session state an unsafe way to create user logins and role in asp.net

纵饮孤独 submitted on 2019-12-29 09:11:18
Question: Consider the setup where a list of ids and passwords is stored in a database on a server, and when a user enters his login credentials the code-behind verifies them against the server and sets values like Session["id"] and Session["login"] to determine whether the user has access to certain pages. When a user attempts to browse to a page, the page looks at the session variables, relocates the user if need be, and adjusts the buttons on the page accordingly. How secure is this setup? The built in

Which is the best password hashing algorithm for PHP? [duplicate]

冷暖自知 submitted on 2019-12-29 09:06:45
Question: This question already has answers here: Secure hash and salt for PHP passwords (14 answers). Closed 6 years ago. I was just reading a post on creating a login system, and while reading I saw something about password hashing. We are going to store an SHA-256 hash, which is a string always containing 64 characters. This article is teaching to use the sha256 hash function. After reading this, I did not stop and started to search more about creating a secure login system, and then I came up with this article by

Where should I store an encryption key for php?

若如初见. submitted on 2019-12-29 07:49:08
Question: I'm writing a PHP application that accepts sensitive customer data, and so I need to encrypt it before storing it in a MySQL database. I'm going to use MySQL's built-in AES functionality to do column-level encryption. I want to avoid storing the encryption key on the server, and so I'm going to provide a web page for an administrator to log in and enter the encryption key. I want to store this key in memory while the application is running, but never permanently to disk. What is the best way

External image vulnerabilities

我们两清 submitted on 2019-12-29 07:42:27
Question: What security holes can appear on my site by including external images via the img tag, and how do I avoid them? I'm currently only checking the extension and MIME type of the image on submission (which can be changed after the URL is submitted), and the URL is sanitized before putting it in the src attribute. Answer 1: There's probably a differentiation to be made here between who is at risk. If all you're doing is storing URLs, and not uploading images to your server, then your site is probably safe, and any potential

A potentially dangerous Request.Path value was detected from the client (&)

℡╲_俬逩灬. submitted on 2019-12-29 06:54:49
Question: I understand why this is happening, but I need a work-around. I looked into some other questions on StackOverflow, but none of them were helpful. I do not want to disable input validation throughout the whole website because that is definitely dangerous. I have only one (at least for now) place where I need to disable input validation. I decorated the Action Method with the [ValidateInput(false)] attribute, and I'm encoding the strings with Html.Encode. But still, I get the same error. Here's my view:

Htmlentities vs addslashes vs mysqli_real_escape_string

三世轮回 submitted on 2019-12-29 06:54:10
Question: I've been doing some reading on securing PHP applications, and it seems to me that mysqli_real_escape_string is the correct function to use when inserting data into MySQL tables, because addslashes can cause some weird things to happen for a smart attacker. Right? However, there is one thing that is confusing me. I seem to remember being advised that addslashes is better than htmlentities when echoing user-entered data back to users to protect their data, but it seems like addslashes is the one

Breaking Data.Set integrity without GeneralizedNewtypeDeriving

爱⌒轻易说出口 submitted on 2019-12-29 06:37:07
Question: The code below uses an unsafe GeneralizedNewtypeDeriving extension to break Data.Set by inserting different elements with different Ord instances:

    {-# LANGUAGE GeneralizedNewtypeDeriving #-}
    import Data.Set
    import System.Random

    class AlaInt i where
      fromIntSet :: Set Integer -> Set i
      toIntSet   :: Set i -> Set Integer

    instance AlaInt Integer where
      fromIntSet = id
      toIntSet   = id

    newtype I = I Integer deriving (Eq, Show, AlaInt)

    instance Ord I where
      compare (I n1) (I n2) = compare n2 n1 -- sic!

Java: Patching client side security policy from applet for AES256

天涯浪子 submitted on 2019-12-29 06:29:26
Question: I require AES256 encryption/decryption in a commercial web application. Currently everything is good with a key size of 128. This is not satisfactory cryptographically, so my problem is how best to get round this issue without requiring the user to install anything manually. I have the unlimited jurisdiction jar files from Oracle, but I have no idea if replacing these in the user's JRE/lib/security directory will be compatible with older versions. Obviously I don't want to corrupt the user's

Why doesn't free() zero out the memory prior to releasing it?

懵懂的女人 submitted on 2019-12-29 06:26:59
Question: When we free() memory in C, why is that memory not filled with zero? Is there a good way to ensure this happens as a matter of course when calling free()? I'd rather not risk leaving sensitive data in memory released back to the operating system... Answer 1: Zeroing out the memory block when freeing it will require extra time. Since most of the time there's actually no need for it, it is not done by default. If you really need it (say you used the memory for storing a password or a cryptographic key), call

How should I restrict load balanced Web traffic to my Elastic Beanstalk environments?

戏子无情 submitted on 2019-12-29 05:37:41
Question: I'm trying to configure access to my EB environments, and would like to restrict HTTP access (through the ELB) to certain IP addresses. I have an out-of-the-box EB app (a bunch, actually, with a few environments each) and would like to be able to (a) restrict access to specific sets of IPs while (b) having all traffic come through the ELBs. Critically, I'd like to do this by (c) creating a few groups (e.g. an admin SG that allows my IP, a dev SG that allows a team's IPs, and a public SG that