security

Why is setInterval not safe from XSS?

烈酒焚心 submitted on 2021-01-27 19:04:07
Question: I'm going through the OWASP Cross Site Scripting Prevention Cheat Sheet. In rule #3 it says: Please note there are some JavaScript functions that can never safely use untrusted data as input - EVEN IF JAVASCRIPT ESCAPED! <script> window.setInterval('...EVEN IF YOU ESCAPE UNTRUSTED DATA YOU ARE XSSED HERE...'); </script> To clarify: I know that using setInterval et al. is safe with your own content. I know that one must validate, escape and/or sanitise external content. My understanding is that rule
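
The mechanism behind the cheat sheet's warning, as an added example that is not part of the question or of the OWASP text: the untrusted data is escaped correctly for the string literal it lands in, so the outer script parses safely, but a string handed to setInterval is evaluated as source code, so the decoded value runs anyway. The browser's string form of setInterval is modelled here with Function(), since Node's timers only accept functions; the template, the jsEscape helper, the showStatus callback and the PAYLOAD are all assumptions made for the demonstration.

```javascript
// Added example, not code from the OWASP cheat sheet or from the question.

// OWASP-style JavaScript escaping for a string-literal context: every character
// that is not [A-Za-z0-9] becomes \xHH (or \uHHHH above 0xFF). This is the right
// escaping for a JS string literal, and it is not the problem here.
function jsEscape(s) {
  let out = "";
  for (const ch of s) {
    const code = ch.codePointAt(0);
    if (/^[A-Za-z0-9]$/.test(ch)) out += ch;
    else if (code < 0x100) out += "\\x" + code.toString(16).padStart(2, "0");
    else out += "\\u" + code.toString(16).padStart(4, "0");
  }
  return out;
}

// Vulnerable template (hypothetical): the data is escaped for the literal it sits
// in, exactly as rule #3 asks, but that literal's *value* is then the timer's code.
function renderVulnerable(untrusted) {
  return "window.setInterval('" + jsEscape(untrusted) + "', 1000);";
}

// Fixed template (hypothetical): the timer gets a function, and the data is a
// string argument that is parsed exactly once and never treated as source.
function renderFixed(untrusted) {
  return "window.setInterval(function () { window.showStatus('" + jsEscape(untrusted) + "'); }, 1000);";
}

// Stand-in for the browser. A real browser evaluates a string passed to
// setInterval as a script on every tick; one tick is simulated with Function(),
// which is the same global-scope evaluation.
function runInFakeBrowser(scriptSource) {
  const trace = { timerSource: null, shown: null };
  const window = {
    setInterval(callback) {
      if (typeof callback === "string") {
        trace.timerSource = callback; // the decoded literal is now source code...
        new Function(callback)();     // ...and the browser runs it
      } else {
        callback();                   // one simulated tick of a function timer
      }
    },
    showStatus(text) { trace.shown = text; },
  };
  new Function("window", scriptSource)(window);
  return trace;
}

// Constructed payload: leaves a global mark if it ever runs as code (stand-in for alert(1)).
const PAYLOAD = "globalThis.xssHits = (globalThis.xssHits || 0) + 1";

function demoVulnerable() {
  globalThis.xssHits = 0;
  const trace = runInFakeBrowser(renderVulnerable(PAYLOAD));
  return { decoded: trace.timerSource, hits: globalThis.xssHits };
}

function demoFixed() {
  globalThis.xssHits = 0;
  const trace = runInFakeBrowser(renderFixed(PAYLOAD));
  return { shown: trace.shown, hits: globalThis.xssHits };
}

console.log(demoVulnerable()); // { decoded: PAYLOAD, hits: 1 }  escaping did not help
console.log(demoFixed());      // { shown: PAYLOAD, hits: 0 }    data stayed data
```

The takeaway is the double parse: escaping protects one parse (the script's string literal), but setInterval, eval, Function and friends perform a second parse on the literal's value, where no escaping survives. The only safe shape is to keep untrusted data out of the code string entirely and pass it as an argument to a function.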

Understanding securing Firebase code

…衆ロ難τιáo~ submitted on 2021-01-27 14:52:10
Question: I'm thinking about trying Firebase and have spent the day looking at example projects and the docs, and I seem to be misunderstanding something, probably because I'm used to server/client-side architectures where the "interesting" parts of the code would be server-side: According to the examples basically all the code would be using the Firebase commands in the client-side JavaScript. But wouldn't that expose almost 100% of my codebase/logic to the public? How do I secure my code in Firebase

MVC 5 ViewBag security

六月ゝ 毕业季﹏ submitted on 2021-01-27 14:29:05
Question: I am coding an MVC internet application, and I have a question in regards to using the ViewBag. In many of my controllers, I have SelectList objects, where the user can select an object. The object that is selected is a foreign key value for my model. My question is this: Should I use ViewBag for this? How secure is the ViewBag? Should I use values in my ViewModel instead of the ViewBag? Thanks in advance. Answer 1: Use your view model. When the ViewBag was implemented (MVC 3) dynamic typing was

Only allow access to PHP scripts from a form, not directly

生来就可爱ヽ(ⅴ<●) submitted on 2021-01-27 13:20:22
Question: Being a novice with PHP, I may not be taking the correct route with forms, but this way works for me, up to a point. Below is an example of my setup. I have a form at www.foo.com/add.php, which needs an admin to be logged in to the session. The form inserts data into a database. Once it is submitted, the action is set to action="scripts/add.php" and then that is redirected using a PHP header function to www.foo.com/done.php. What I want to know is, can you deny access to the script file

Searching encrypted field in Postgres

女生的网名这么多〃 submitted on 2021-01-27 09:38:09
Question: I'm attempting to query an encrypted field in postgres using "pgp_sym_encrypt". I'm running my test by setting all the first names in my table to an encrypted value: update person set first_name = pgp_sym_encrypt('test', 'password'); Then selecting on it: select * from person where first_name = pgp_sym_encrypt('test', 'password'); This returns no results. If I change it to use the normal postgres encryption it will return all the rows in the table: update person set first_name = encrypt('test

Best practice to hide/secure the php-engine config file?

☆樱花仙子☆ submitted on 2021-01-27 07:45:30
Question: I just got a task to work on an old-styled-developed webpage. It means the commonly used variables / constants and the variables of the database connection are in the viewing php-engine, not in a separate file. :-( I thought I would put them into a config.php or config.inc file and just use them with require_once('/path/filename'); in the engine. My problem is that I am not familiar with securing this, so I thought I would change the privileges (maybe 755?). Is there anything else I could do? Answer 1: Move the

Servlet 3.1 - Security Constraints - Without web.xml

喜你入骨 submitted on 2021-01-27 06:28:14
Question: The Java Servlet 3.0 and 3.1 specifications allow developers to perform many of the common configuration-based tasks in Java code rather than via the traditional mechanism of providing a web.xml file. I have all of this working for my application, but upon looking to tackle application security, I could not find any reference to how, or if, it is possible to also configure application security constraints via code. Basically, I am looking for a programmatic way to do the following: