security

问题 I'm storing username and password in a MySQL database and have them hashed using MD5. However, I'm only using the standard PHP function without any modification. Now, I read that MD5 is broken. How are you doing it? Do you run it several times through a different hash mechanism or add some form of salt? 回答1: I'm amazed how people jump on the bandwagon of "damn, it's broken, I won't use it!", don't do the same mistake. You can't make the MD5 better. Even using SHA-1 is vulnerable to same type

问题 I am looking for a way to add a CSRF token to an application I'm making. The caveat is, the application does not currently use cookies or sessions. I would love to find a way to introduce a CSRF token without having to: Introduce state in my application. Use session or cookie ( $_SESSION / $_COOKIE ) storage Is this at all a possibility, or am I stuck creating new state in my application. 回答1: You can, but it's not going to be very secure. Here's an example BUT DO NOT USE THIS, IT IS PROBABLY

问题 I currently have a tree structure containing data elements; on each of these, it is possible to perform basic CRUD operations. From here, I need to implement per-user permissions for each of these four actions. So a given user could be given Create and Read, but no Update or Delete permission. These permissions would then cascade down the tree to any children of the permitted object; therefore, that given user would have Create and Read for any child objects of the root object. What's the

问题 I want to make a Node.js daemon that runs on multiple computers and is able to exchange messages between the different daemons. Of course the communication should be encrypted, but I really don't know what kind of encryption I should use for server-to-server encryption. The protocol I'm using right now is TCP via net.createServer. How should I encrypt the communication assuming I have a already exchanged password on both devices? How do I make it secure to the most known attacks? Edit: Is

问题 I am doing some research for a future project and it requires some data to be encrypted. In my research today, I have noticed that there are many different encryption algorithms (including AES, Triple-DES, X-DES etc) and I wish to use one of the algorithms in SQL-Server (2008r2 express probs), how would you recommend doing this, like best practices etc? I am planning to do something like the following: -- Create the master key. CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Som3Rand0m!3y?na' --

问题 I want to make a Node.js daemon that runs on multiple computers and is able to exchange messages between the different daemons. Of course the communication should be encrypted, but I really don't know what kind of encryption I should use for server-to-server encryption. The protocol I'm using right now is TCP via net.createServer. How should I encrypt the communication assuming I have a already exchanged password on both devices? How do I make it secure to the most known attacks? Edit: Is

问题 I'm trying to lock down a registry key with some important information that must be accessible at the client machine, I do not wan't non-administrators to have access to this key. If you are an admin you'll already be able to do more damage than what I'm storing in the key. What I'm currently looking to do is this: //Allow access only to administrators and deny all rights to everyone else. System.Security.AccessControl.RegistrySecurity acl = new System.Security.AccessControl.RegistrySecurity(

问题 Hi We have some php code using the file_get_contents() function, and I understand this is vulnerable to direcoty traversel attacks. Given the following code: $mydata=$_GET['thefile']; $data = file_get_contents ('/var/html'.$file); echo $data How can I do some simple input filtering so I can block the posibility that someone might do directory traversel by playing around with my input? /MR 回答1: You want basename: $mydata = basename(realpath($_GET['thefile'])); Appended to (slight modifications

问题 Hi We have some php code using the file_get_contents() function, and I understand this is vulnerable to direcoty traversel attacks. Given the following code: $mydata=$_GET['thefile']; $data = file_get_contents ('/var/html'.$file); echo $data How can I do some simple input filtering so I can block the posibility that someone might do directory traversel by playing around with my input? /MR 回答1: You want basename: $mydata = basename(realpath($_GET['thefile'])); Appended to (slight modifications

问题 I wrote a Web Application and I would like to allow other developers to get the information from it. The server Im working on is not that awsome and cant handle that many request, so the idea is to generate and assign api keys to everyone that wants to query our information. With Api keys I can limit the daily requests and perhaps collect some statistics to see what information is really useful for the other developers. The thing is, Im concerned about the security aspect of it. Since the Api