Search Results

Search found 305 results on 13 pages for 'salt racer'.

Page 11/13 | < Previous Page | 7 8 9 10 11 12 13  | Next Page >

  • Comparing Isis, Google, and Paypal

    - by David Dorf
    Back in 2010 I was sure NFC would make great strides, but here we are two years later and NFC doesn't seem to be sticking. The obvious reason being the chicken-and-egg problem.  Retailers don't want to install the terminals until the phones support NFC, and vice-versa. So consumers continue to sit on the sidelines waiting for either side to blink and make the necessary investment.  In the meantime, EMV is looking for a way to sneak into the US with the help of the card brands. There are currently three major solutions that are battling in the marketplace.  All three know that replacing mag-stripe alone is not sufficient to move consumers.  Long-term it's the offers and loyalty programs combined with tendering that make NFC attractive. NFC solutions cross lots of barriers, so a strong partner system is required.  The solutions need to include the carriers, card brands, banks, handset manufacturers, POS terminals, and most of all lots of merchants.  Lots of coordination is necessary to make the solution seamless to the consumer. Google Wallet Google's problem has always been that only the Nexus phone has an NFC chip that supports their wallet.  There are a couple of additional phones out there now, but adoption is still slow.  They acquired Zavers a while back to incorporate digital coupons, but the the bulk of their users continue to be non-NFC.  They have taken an open approach by not specifying particular payment brands.  Google is piloting in San Francisco and New York, supporting both MasterCard PayPass and stored value. I suppose the other card brands may eventually follow.  There's no cost for consumers or merchants -- Google will make money via targeted ads. Isis Not long after Google announced its wallet, AT&T, Verizon, and T-Mobile announced a joint venture called Isis.  They are in the unique position of owning the SIM in the phones they issue.  At first it seemed Isis was a vehicle for the carriers to compete with the existing card brands, but Isis later switched to a generic wallet that supports the major card brands.  Isis reportedly charges issuers a $5 fee per customer per year.  Isis will pilot this summer in Salt Lake City and Austin. PayPal PayPal, the clear winner in the online payment space beyond traditional credit cards, is trying to move into physical stores.  After negotiations with Google to provide a wallet broke off, PayPal decided to avoid NFC altogether, at least for now, and focus on payments without any physical card or phone.  By avoiding NFC, consumers don't need an NFC-enabled phone and merchants don't need a new reader.  Consumers must enter their phone number and PIN in the merchant's existing device, or they can enter their PIN in the PayPal inStore app running on their phone, then show the merchant a unique barcode which authorizes payment. Paypal is free for consumers and charges a fee for merchants.  Its not clear, at least to me, how PayPal handles fraudulent transactions and whether the consumer is protected. The wildcard is, of course, Apple.  Their mobile technologies set the standard, so incorporating NFC chips would certainly accelerate adoption of many payment solutions.  Their announcement today of the iOS Passbook is a step in the right direction, but stops short of handling payments. For those retailers that have invested in modern terminals, it seems the best strategy is to support all the emerging solutions and let the consumers choose the winner.

    Read the article

  • Using Crypt function Python 3.3.2

    - by adampski
    In Windows and Python version 3.3.2, I try and call the python module like so: hash2 = crypt(word, salt) I import it at the top of my program like so: from crypt import * The result I get is the following: Traceback (most recent call last): File "C:\none\of\your\business\adams.py", line 10, in <module> from crypt import * File "C:\Python33\lib\crypt.py", line 3, in <module> import _crypt ImportError: No module named '_crypt' However, when I execute the same file adams.py in Ubuntu, with Python 2.7.3, it executes perfectly - no errors. I tried the following to resolve the issue for my Windows & Python 3.3.2 (though I'm sure the OS isn't the issue, the Python version or my use of syntax is the issue): Rename the directory in the Python33 directory from Lib to lib Rename the crypt.py in lib to _crypt.py. However, it turns out the entire crypt.py module depends on an external module called _crypt.py too. Browsed internet to download anything remotely appropriate to resemble _crypt.py It's not Python, right? It's me...(?) I'm using syntaxes to import and use external modules that are acceptable in 2.7.3, but not in 3.3.2. Or have I found a bug in 3.3.2?

    Read the article

  • Silverlight and Encryption, how to store/generate they key/iv pair?

    - by cmaduro
    I have a Silverlight app that connects to a php webservice. I want to encrypt the communication between the webservice and the Silverlight client. I'm not relying on SSL. I'm encrypting/decrypting the POST string myself using AES 256bit Key and IV. The big questions then are: How do I generate a random unique key/iv pair in PHP. How do I share this key/iv pair between the web service and silverlight client in a secure way. It seems impossible without having some kind of hard coded key or iv on the client. Which would compromise security. This is a public website, there are no logins. Just the requirement of secure communication. I can hard code the seed for the key/iv (which is hashed with SHA256 with a time stamp salt and then assigned as the key or iv) in PHP source code, that's on the server so that is pretty safe. However on the client the seed for the key/iv pair would be visible, if it is hard coded. Further more using a time stamp as the basis for uniqueness/randomness is definitely not ok, since timestamps are predictable. It does however provide a common factor between the C# code and the PHP code. The only other option that I can think of would be to have a 3rd service involved that provides the key/iv to the Silverlight client, as well as the php webservice. This of course start the cycle anew, with the question of how to store the credentials for accessing the key/iv distribution service on the Silverlight client. Sounds like the solution is then asymmetric encryption, since sensitive data will be viewed only on the administrative back end of the website. Unfortunately Silverlight has no asymmetric encryption classes. The solution? Roll my own Diffie-Hellman key exchange! Plug that key into AES256!

    Read the article

  • A Question about .net Rfc2898DeriveBytes class?

    - by IbrarMumtaz
    What is the difference in this class? as posed to just using Encoding.ASCII.GetBytes(string object); I have had relative success with either approach, the former is a more long winded approach where as the latter is simple and to the point. Both seem to allow you to do the same thing eventually but I am struggling to the see the point in using the former over the latter. The basic concept I have been able to grasp is that you can convert string passwords into byte arrays to be used for e.g a symmetric encryption class, AesManaged. Via the RFC class but you get to use SaltValues and password when creating your rfc object. I assume its more secure but still thats an uneducated guess at best ! Also that it allows you to return byte arrays of a certain size, well something like that. heres a few examples to show you where I am coming from? byte[] myPassinBytes = Encoding.ASCII.GetBytes("some password"); or string password = "P@%5w0r]>"; byte[] saltArray = Encoding.ASCII.GetBytes("this is my salt"); Rfc2898DeriveBytes rfcKey = new Rfc2898DeriveBytes(password, saltArray); The 'rfcKey' object can now be used towards setting up the the .Key or .IV properties on a Symmetric Encryption Algorithm class. ie. RijndaelManaged rj = new RijndaelManaged (); rj.Key = rfcKey.Getbytes(rj.KeySize / 8); rj.IV = rfcKey.Getbytes(rj.Blocksize / 8); 'rj' should be ready to go ! The confusing part ... so rather than using the 'rfcKey' object can I not just use my 'myPassInBytes' array to help set-up my 'rj' object???? I have tried doing this in VS2008 and the immediate answer is NO ! but have you guys got a better educated answer as to why the RFC class is used over the other alternative I have mentioned above and why????

    Read the article

  • Using JSON with jRails

    - by Zachary
    I am currently trying to use AJAX in my application via jRails. I am trying to return a JSON object from my controller, and then parse it in my Javascript. I am using json2.js to do the parsing. Here is the code I currently have: function getSomething() { $.ajax({ type: "GET", url: "map/testjson", success: function(data) { var myData = JSON.parse(data[0]); window.alert(myData.login); } }); } and in the controller: class Map::MapController < ApplicationController def index end def testjson @message = User.find(:all) ActiveRecord::Base.include_root_in_json = false respond_to do |w| w.json { render :json => @message.to_json } end end end The window.alert simply says 'undefined' (without tics). However, if I change the javascript to window.alert(data) (the raw object returned by the controller) I get: [{"salt":"aSalt","name":"", "created_at":"2010-03-15T02:34:25Z","remember_token_expires_at": null,"crypted_password":"aPassword", "updated_at":"2010-03-15T02:34:25Z","id":1,"remember_token":null, "login":"zgwrig2","email":"[email protected]"}] This looks like an array of size 1, if I'm looking at it correctly, but I have tried just about every combination of JSON.parse on the data object that I can think of, and nothing seems to work. Any ideas on what I'm doing wrong here?

    Read the article

  • Encryption in Java & Flex

    - by Jef
    I want tp encrypt and decrypt string, with defined salt. But the result must be same if the code run in java and adobe flex. The main goal is: the app in adobe flex will be generate a string that can be decrypt in server using java. I use this flex library http://crypto.hurlant.com/demo/ Try to 'Secret Key' Tab. I want to use AES Encryption, 'CBC' or 'PKCS5'. var k:String = "1234567890123456"; var kdata:ByteArray = Hex.toArray(k); var txt:String = "hello"; var data:ByteArray = Hex.toArray(Hex.fromString(txt));; var name:String = "simple-aes-cbc"; var pad:IPad =new PKCS5(); var mode:ICipher = Crypto.getCipher(name, kdata, pad); pad.setBlockSize(mode.getBlockSize()); mode.encrypt(data); encrypted.text=Hex.fromArray(data); trace(Hex.fromArray(data)); And here is the code in java String plaintext = "hello"; String key = "1234567890123456"; SecretKey keyspec = new SecretKeySpec(key.getBytes(), "AES"); Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); cipher.init(Cipher.ENCRYPT_MODE,keyspec); byte[] encrypted = cipher.doFinal(plaintext.getBytes()); BASE64Encoder base64 = new BASE64Encoder(); String encodedString = base64.encode(encrypted); System.out.println(encodedString); Why the result is not same? Can you guys provide the sample with the same result both of java and flex (encrypt and decrypt)? And if I want to change the paramater, for example, from cbc to ebc, which line that need to be changed? Thanks!

    Read the article

  • Invalidating Memcached Keys on save() in Django

    - by Zack
    I've got a view in Django that uses memcached to cache data for the more highly trafficked views that rely on a relatively static set of data. The key word is relatively: I need invalidate the memcached key for that particular URL's data when it's changed in the database. To be as clear as possible, here's the meat an' potatoes of the view (Person is a model, cache is django.core.cache.cache): def person_detail(request, slug): if request.is_ajax(): cache_key = "%s_ABOUT_%s" % settings.SITE_PREFIX, slug # Check the cache to see if we've already got this result made. json_dict = cache.get(cache_key) # Was it a cache hit? if json_dict is None: # That's a negative Ghost Rider person = get_object_or_404(Person, display = True, slug = slug) json_dict = { 'name' : person.name, 'bio' : person.bio_html, 'image' : person.image.extra_thumbnails['large'].absolute_url, } cache.set(cache_key) # json_dict will now exist, whether it's from the cache or not response = HttpResponse() response['Content-Type'] = 'text/javascript' response.write(simpljson.dumps(json_dict)) # Make sure it's all properly formatted for JS by using simplejson return response else: # This is where the fully templated response is generated What I want to do is get at that cache_key variable in it's "unformatted" form, but I'm not sure how to do this--if it can be done at all. Just in case there's already something to do this, here's what I want to do with it (this is from the Person model's hypothetical save method) def save(self): # If this is an update, the key will be cached, otherwise it won't, let's see if we can't find me try: old_self = Person.objects.get(pk=self.id) cache_key = # Voodoo magic to get that variable old_key = cache_key.format(settings.SITE_PREFIX, old_self.slug) # Generate the key currently cached cache.delete(old_key) # Hit it with both barrels of rock salt # Turns out this doesn't already exist, let's make that first request even faster by making this cache right now except DoesNotExist: # I haven't gotten to this yet. super(Person, self).save() I'm thinking about making a view class for this sorta stuff, and having functions in it like remove_cache or generate_cache since I do this sorta stuff a lot. Would that be a better idea? If so, how would I call the views in the URLconf if they're in a class?

    Read the article

  • Simple imeplementation of admin/staff panel?

    - by Michael Mao
    Hi all: A new project requires a simple panel(page) for admin and staff members that : Preferably will not use SSL or any digital ceritification stuff, a simple login from via http will just be fine. has basic authentication which allows only admin to login as admin, and any staff member as of the group "staff". Ideally, the "credentials(username-hashedpassword pair)" will be stored in MySQL. is simple to configure if there is a package, or the strategy is simple to code. somewhere (PHP session?) somehow (include a script at the beginning of each page to check user group before doing anything?), it will detect any invalid user attempt to access protected page and redirect him/her to the login form. while still keeps high quality in security, something I worry about the most. Frankly I am having little knowledge about Internet security, and how modern CMS such as WordPress/Joomla do with their implementation in this. I only have one thing in my mind that I need to use a salt to hash the password (SHA1?) to make sure any hacker gets the username and password pair across the net cannot use that to log into the system. And that is what the client wants to make sure. But I really not sure where to start, any ideas? Thanks a lot in advance.

    Read the article

  • Script throwing unexpected operator when using mysqldump

    - by Astron
    A portion of a script I use to backup MySQL databases has stopped working correctly after upgrading a Debian box to 6.0 Squeeze. I have tested the backup code via CLI and it works fine. I believe it is in the selection of the databases before the backup occurs, possibly something to do with the $skipdb variable. If there is a better way to perform the function then I'm will to try something new. Any insight would be greatly appreciated. $ sudo ./script.sh [: 138: information_schema: unexpected operator [: 138: -1: unexpected operator [: 138: mysql: unexpected operator [: 138: -1: unexpected operator Using bash -x script here is one of the iterations: + for db in '$DBS' + skipdb=-1 + '[' test '!=' '' ']' + for i in '$IGGY' + '[' mysql == test ']' + : + '[' -1 == -1 ']' ++ /bin/date +%F + FILE=/backups/hostname.2011-03-20.mysql.mysql.tar.gz + '[' no = yes ']' + /usr/bin/mysqldump --single-transaction -u root -h localhost '-ppassword' mysql + /bin/tar -czvf /backups/hostname.2011-03-20.mysql.mysql.tar.gz mysql.sql mysql.sql + rm -f mysql.sql Here is the code. if [ $MYSQL_UP = "yes" ]; then echo "MySQL DUMP" >> /tmp/update.log echo "--------------------------------" >> /tmp/update.log DBS="$($MYSQL -u $MyUSER -h $MyHOST -p"$MyPASS" -Bse 'show databases')" for db in $DBS do skipdb=-1 if [ "$IGGY" != "" ] ; then for i in $IGGY do [ "$db" == "$i" ] && skipdb=1 || : done fi if [ "$skipdb" == "-1" ] ; then FILE="$DEST$HOST.`$DATE +"%F"`.$db.mysql.tar.gz" if [ $ENCRYPT = "yes" ]; then $MYSQLDUMP -u $MyUSER -h $MyHOST -p"$MyPASS" $db > $db.sql && $TAR -czvf - $db.sql | $OPENSSL enc -aes-256-cbc -salt -out $FILE.enc -k $ENC_PASS && rm -f $db.sql else $MYSQLDUMP --single-transaction -u $MyUSER -h $MyHOST -p"$MyPASS" $db > $db.sql && $TAR -czvf $FILE $db.sql && rm -f $db.sql fi fi done fi

    Read the article

  • If attacker has original data and encrypted data, can they determine the passphrase?

    - by Brad Cupit
    If an attacker has several distinct items (for example: e-mail addresses) and knows the encrypted value of each item, can the attacker more easily determine the secret passphrase used to encrypt those items? Meaning, can they determine the passphrase without resorting to brute force? This question may sound strange, so let me provide a use-case: User signs up to a site with their e-mail address Server sends that e-mail address a confirmation URL (for example: https://my.app.com/confirmEmailAddress/bill%40yahoo.com) Attacker can guess the confirmation URL and therefore can sign up with someone else's e-mail address, and 'confirm' it without ever having to sign in to that person's e-mail account and see the confirmation URL. This is a problem. Instead of sending the e-mail address plain text in the URL, we'll send it encrypted by a secret passphrase. (I know the attacker could still intercept the e-mail sent by the server, since e-mail are plain text, but bear with me here.) If an attacker then signs up with multiple free e-mail accounts and sees multiple URLs, each with the corresponding encrypted e-mail address, could the attacker more easily determine the passphrase used for encryption? Alternative Solution I could instead send a random number or one-way hash of their e-mail address (plus random salt). This eliminates storing the secret passphrase, but it means I need to store that random number/hash in the database. The original approach above does not require storage in the database. I'm leaning towards the the one-way-hash-stored-in-the-db, but I still would like to know the answer: does having multiple unencrypted e-mail addresses and their encrypted counterparts make it easier to determine the passphrase used?

    Read the article

  • LINQDataSource and private columns

    - by fyjham
    Hey, I was trying to use a ListView bound to a LinqDataSource to insert to a table where I had a few columns private to the table class (Specifically password columns - only access I want to give outside the class is methods that generate the salt and encrypt the password to store it in 1 go). I gave this a few shots, but I didn't come up with anything I really liked... was wondering if anyone has a better way to do this. The methods I've found: Use the LinqDataSource inserting event and make the appropriate calls on e.NewObject. I don't really like this because it's so far removed from the actual input and there's no simple way to hold the password in the meantime other than a class variable set during the ListView's inserting event (Which works, but seems a little dodgy). Open up these properties and just ask everyone to use the appropriate static methods for encoding the passwords they pass in. I don't really like this cause I'd prefer that class to enforce data integrity rather than relying on all calling code doing it properly... I'm currently going with option #1, but I don't really like passing values between events using class variables like that (It just seems unstructured... even though I can guarantee the events will happen in the right order). Does anyone know a better way, or alternatively am I being too pedantic and one of the methods above is actually the right way to go? Thanks

    Read the article

  • mcrypt decoding errors

    - by Kyle Hudson
    Hi, I have a few issues with the following php functions (part of a bigger class). //encode public function acc_pw_enc($text, $key) { $text_num = str_split($text, 8); $text_num = 8 - strlen($text_num[count($text_num)-1]); for ($i=0; $i < $text_num; $i++) { $text = $text . chr($text_num); } $cipher = mcrypt_module_open(MCRYPT_TRIPLEDES, '', 'cbc', ''); mcrypt_generic_init($cipher, $key, 'fYfhHeDm'); $decrypted = mcrypt_generic($cipher, $text); mcrypt_generic_deinit($cipher); return base64_encode($decrypted); } //decode public function acc_pw_dec($encrypted_text, $key) { $cipher = mcrypt_module_open(MCRYPT_TRIPLEDES, '', 'cbc', ''); mcrypt_generic_init($cipher, $key, 'fYfhHeDm'); $decrypted = mdecrypt_generic($cipher, base64_decode($encrypted_text)); mcrypt_generic_deinit($cipher); $last_char = substr($decrypted, -1); for($i=0; $i < 8-1; $i++) { if(chr($i) == $last_char) { $decrypted = substr($decrypted, 0, strlen($decrypted)-$i); break; } } return rtrim($decrypted); //str_replace("?", "", $decrypted); } So for exampe if i encrypt the string 'liloMIA01' with the salt/key 'yBevuZoMy' i will get '7A30ZkEjYbDcAXLgGE/6nQ=='. I get liloMIA01 as the decrypted value, i tried using rtrim but it didn't work.

    Read the article

  • Setting attributes of a class during construction from **kwargs

    - by Carson Myers
    Python noob here, Currently I'm working with SQLAlchemy, and I have this: from __init__ import Base from sqlalchemy.schema import Column, ForeignKey from sqlalchemy.types import Integer, String from sqlalchemy.orm import relationship class User(Base): __tablename__ = "users" id = Column(Integer, primary_key=True) username = Column(String, unique=True) email = Column(String) password = Column(String) salt = Column(String) openids = relationship("OpenID", backref="users") User.__table__.create(checkfirst=True) #snip definition of OpenID class def create(**kwargs): user = User() if "username" in kwargs.keys(): user.username = kwargs['username'] if "email" in kwargs.keys(): user.username = kwargs['email'] if "password" in kwargs.keys(): user.password = kwargs['password'] return user This is in /db/users.py, so it would be used like: from db import users new_user = users.create(username="Carson", password="1234") new_user.email = "[email protected]" users.add(new_user) #this function obviously not defined yet but the code in create() is a little stupid, and I'm wondering if there's a better way to do it that doesn't require an if ladder, and that will fail if any keys are added that aren't in the User object already. Like: for attribute in kwargs.keys(): if attribute in User: user.__attribute__[attribute] = kwargs[attribute] else: raise Exception("blah") that way I could put this in its own function (unless one hopefully already exists?) So I wouldn't have to do the if ladder again and again, and so I could change the table structure without modifying this code. Any suggestions?

    Read the article

  • Is MVVM killing silverlight development?

    - by DeanMc
    This is a question I have had rattling around in my head for some time. I had a chat with a guy the other night who told me he would not be using the navigational framework because he could not figure out how it works with MVVM. As much as I tried to explain that patterns should be taken with a pinch of salt he would not listen. My point is this, patterns are great when they solve some problem. Sometimes only part of the pattern solves a particular problem while the other parts of it cause different problems. The goal of any developer is to build a solid application using a combination of patterns know how and foresight. I feel MVVM is becoming the one pattern to rule them all. As it is not directly supported by .Net some fancy business is needed to make it work. I feel that people are missing the point of the pattern, which is loosely coupled, testable code and instead jumping through hoops and missing out on great experiences trying to follow MVVM to the letter. MVVM is great but I wish it came with a warning or disclaimer for newbies as my fear is people will shy away from silverlight development for fear of being smacked with the mvvm stick. EDIT: Can I just add as an edit, I use and agree with MVVM as a pattern I know when it is and isn't feasible in my projects. My issue is with the encompassing nature it is taking, as if it HAS to be used as part of development. It is being used as an integral feature and not a pattern, which it is.

    Read the article

  • how do simple SQLAlchemy relationships work?

    - by Carson Myers
    I'm no database expert -- I just know the basics, really. I've picked up SQLAlchemy for a small project, and I'm using the declarative base configuration rather than the "normal" way. This way seems a lot simpler. However, while setting up my database schema, I realized I don't understand some database relationship concepts. If I had a many-to-one relationship before, for example, articles by authors (where each article could be written by only a single author), I would put an author_id field in my articles column. But SQLAlchemy has this ForeignKey object, and a relationship function with a backref kwarg, and I have no idea what any of it MEANS. I'm scared to find out what a many-to-many relationship with an intermediate table looks like (when I need additional data about each relationship). Can someone demystify this for me? Right now I'm setting up to allow openID auth for my application. So I've got this: from __init__ import Base from sqlalchemy.schema import Column from sqlalchemy.types import Integer, String class Users(Base): __tablename__ = 'users' id = Column(Integer, primary_key=True) username = Column(String, unique=True) email = Column(String) password = Column(String) salt = Column(String) class OpenID(Base): __tablename__ = 'openid' url = Column(String, primary_key=True) user_id = #? I think the ? should be replaced by Column(Integer, ForeignKey('users.id')), but I'm not sure -- and do I need to put openids = relationship("OpenID", backref="users") in the Users class? Why? What does it do? What is a backref?

    Read the article

  • How much detail should be in a project plan or spec?

    - by DeanMc
    I have an issue that I feel many programmers can relate to... I have worked on many small scale projects. After my initial paper brain storm I tend to start coding. What I come up with is usually a rough working model of the actual application. I design in a disconnected fashion so I am talking about underlying code libraries, user interfaces are the last thing as the library usually dictates what is needed in the UI. As my projects get bigger I worry that so should my "spec" or design document. The above paragraph, from my investigations, is echoed all across the internet in one fashion or another. When a UI is concerned there is a bit more information but it is UI specific and does not relate to code libraries. What I am beginning to realise is that maybe code is code is code. It seems from my extensive research that there is no 1:1 mapping between a design document and the code. When I need to research a topic I dump information into OneNote and from there I prioritise features into versions and then into related chunks so that development runs in a fairly linear fashion, my tasks tend to look like so: Implement Binary File Reader Implement Binary File Writer Create Object to encapsulate Data for expression to the caller Now any programmer worth his salt is aware that between those three to do items could be a potential wall of code that could expand out to multiple files. I have tried to map the complete code process for each task but I simply don't think it can be done effectively. By the time one mangles pseudo code it is essentially code anyway so the time investment is negated. So my question is this: Am I right in assuming that the best documentation is the code itself. We are all in agreement that a high level overview is needed. How high should this be? Do you design to statement, class or concept level? What works for you?

    Read the article

  • Doctrine/symfony: getSqlQuery() output in phpMyAdmin/SQL tab

    - by user248959
    Hi, i have created this query that works OK: $q1 = Doctrine_Query::create() ->from('Usuario u') ->leftJoin('u.AmigoUsuario a ON u.id = a.user2_id OR u.id = a.user1_id') ->where("a.user2_id = ? OR a.user1_id = ?", array($id,$id)) ->andWhere("u.id <> ?", $id) ->andWhere("a.estado LIKE ?", 1); echo $q1->getSqlQuery(); The calling to getSqlQuery outputs this clause: SELECT s.id AS s_id, s.username AS s_username, s.algorithm AS s_algorithm, s.salt AS s_salt, s.password AS s__password, s.is_active AS s__is_active, s.is_super_admin AS s__is_super_admin, s.last_login AS s__last_login, s.email_address AS s__email_address, s.nombre_apellidos AS s__nombre_apellidos, s.sexo AS s__sexo, s.fecha_nac AS s__fecha_nac, s.provincia AS s_provincia, s.localidad AS s_localidad, s.fotografia AS s_fotografia, s.avatar AS s_avatar, s.avatar_mensajes AS s__avatar_mensajes, s.created_at AS s__created_at, s.updated_at AS s__updated_at, a.id AS a__id, a.user1_id AS a__user1_id, a.user2_id AS a__user2_id, a.estado AS a__estado FROM sf_guard_user s LEFT JOIN amigo_usuario a ON ((s.id = a.user2_id OR s.id = a.user1_id)) WHERE ((a.user2_id = ? OR a.user1_id = ?) AND s.id < ? AND a.estado LIKE ?) If i take that clause to phpmyadmin SQL tab i get this error 1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '? OR a.user1_id = ?) AND s.id < ? AND a.estado LIKE ?) LIMIT 0, 30' at line 1 Why i'm getting this error? Regards Javi

    Read the article

  • Spring 2.0.0/2.0.6 to 3.0.5 migration stories

    - by Pangea
    We are in the process of migrating to 3.0.5 of spring from 2.0.x. We mainly use spring in below scenarios custom scope: thread local scope persistence: jdbc+hibernate 3.6 (but moving to mix of ejb 3.0+jpa 2.0+hibernate, not sure if all 3 can co-exist in 1 app) transactions: local (but planning to use jta due to the necessity of using multiple persistence inits, and has to use ejb+jpa+hibernate in 1 single trans), declarative trans mgmt parent-child contexts cxf annotations+xml OracleLobHandler Resource/ResourceBundleMessageResource JSF/Facelets with FacesSpringVariableResolver ActiveMQ integration Quartz integration TaskExecutor JMX exporter HttpExporter/Invoker Appreciate if someone can share their experiences like what to watch out for head aches/pain points which ones to drop for better alternate choices in new 3.0.5 release Is it better to switch from commons/iscreen validator to Hibernate Validator (Spec impl) or Spring Validator Is there a bean mapping framework in spring that i can use instead of Dozer XSLT transformation helper: currently we have small homegrown framework to cache xslts during load. if spring can do that for me then I would like to drop this Encryption/Decryption support. Password generation support. Authentication with SALT any SAML (or claims based secur New ideas Suggestions Switch to latest version of aspectj Upgrade guide from 2.5 to 3.0.5

    Read the article

  • Disable validation in an object in Ruby on Rails

    - by J. Pablo Fernández
    I have an object which whether validation happens or not should depend on a boolean, or in another way, validation is optional. I haven't found a clean way to do it. What I'm currently doing is this (disclaimer: you cannot unsee, leave this page if you are too sensitive): def valid? if perform_validation super else super # Call valid? so that callbacks get called and things like encrypting passwords and generating salt in before_validation actually happen errors.clear # but then clear the errors true # and claim ourselves to be valid. This is super hacky! end end Any better ways? Before you point to the :if argument of many validations, this is for a user model which is using authlogic so it has a lot of validation rules. You can stop reading here if you belive me. If you don't, authlogic already sets some :ifs like: :if => :email_changed? which I have to turn into :if => Proc.new {|user| user.email_changed? and user.perform_validation} and in some other cases, since I'm also using authlogic-oid (OpenID) I just don't have control over the :if, authlogic-oid sets it in a way I cannot change it (in time) without further monkey patching. So I have to override seemingly unrelated functions, catch exceptions if a method doesn't exist, etc. The previous hacky solution if the best of my two attempts.

    Read the article

  • Credit Card storage solution

    - by jtnire
    Hi Everyone, I'm developing a solution that is designed to store membership details, as well as credit card details. I'm trying to comply with PCI DSS as much as I can. Here is my design so far: PAN = Primary account number == long number on credit card Server A is a remote server. It stores all membership details (Names, Address etc..) and provides indivudal Key A's for each PAN stored Server B is a local server, and actually holds the encrypted PANs, as well as Key B, and does the decryption. To get a PAN, the client has to authenticate with BOTH servers, ask Server A for the respective Key A, then give Key A to server B, which will return the PAN to the client (provided authentication was sucessful). Server A will only ever encrypt Key A with Server B's public Key, as it will have it beforehand. Server B will probably have to send a salt first though, however I doin't think that has to be encrypted I havn't really thought about any implementation (i.e. coding) specifics yet regarding the above, however the solution is using Java's Cajo framework (wrapper for RMI) so that is how the servers will communicate with each other (Currently, membership details are transfered in this way). The reason why I want Server B to do the decryption, and not the client, is that I am afraid of decryption keys going into the client's RAM, even though it's probably just as bad on the server... Can anyone see anything wrong with the above design? It doesn't matter if the above has to be changed. Thanks jtnire

    Read the article

  • How to detect a gamepad button press on OSX 10.5 and higher?

    - by Steph Thirion
    How do I detect a button press on a USB gamepad on OSX 10.5 and higher? I can't wrap my head around the ridiculously complex HID Manager (even though apparently it was simplified with 10.5), and the code samples at Apple have thousands of lines of code that would take days to understand and isolate what I need, so I'd appreciate if someone posts a simple, and fully coded solution for this isolated problem. EDIT: so far all answers are links to source code or semi obscure libraries for all kinds of HID devices, which will require more research time than what I'd like to invest on this. I am starting a bounty to get an actual snippet of code that solves this simple problem (using an external library or not). EDIT POS BOUNTY: thanks to all for you help; but unfortunately the answer that has been automatically selected by the system is not working for me, can't figure out why; and the author has not yet replied to my comments. Any insight would be appreciated, but until a fix is found, anyone looking for resources on this topic should take this answer with a pinch of salt.

    Read the article

  • How to store session values with Node.js and mongodb?

    - by Tirithen
    How do I get sessions working with Node.js, [email protected] and mongodb? I'm now trying to use connect-mongo like this: var config = require('../config'), express = require('express'), MongoStore = require('connect-mongo'), server = express.createServer(); server.configure(function() { server.use(express.logger()); server.use(express.methodOverride()); server.use(express.static(config.staticPath)); server.use(express.bodyParser()); server.use(express.cookieParser()); server.use(express.session({ store: new MongoStore({ db: config.db }), secret: config.salt })); }); server.configure('development', function() { server.use(express.errorHandler({ dumpExceptions: true, showStack: true })); }); server.configure('production', function() { server.use(express.errorHandler()); }); server.set('views', __dirname + '/../views'); server.set('view engine', 'jade'); server.listen(config.port); I'm then, in a server.get callback trying to use req.session.test = 'hello'; to store that value in the session, but it's not stored between the requests. It probobly takes something more that this to store session values, how? Is there a better documented module than connect-mongo?

    Read the article

  • Double hashing passwords - client & server

    - by J. Stoever
    Hey, first, let me say, I'm not asking about things like md5(md5(..., there are already topics about it. My question is this: We allow our clients to store their passwords locally. Naturally, we don't want them stored in plan text, so we hmac them locally, before storing and/or sending. Now, this is fine, but if this is all we did, then the server would have the stored hmac, and since the client only needs to send the hmac, not the plain text password, an attacker could use the stored hashes from the server to access anyone's account (in the catastrophic scenario where someone would get such an access to the database, of course). So, our idea was to encode the password on the client once via hmac, send it to the server, and there encode it a second time via hmac and match it against the stored, two times hmac'ed password. This would ensure that: The client can store the password locally without having to store it as plain text The client can send the password without having to worry (too much) about other network parties The server can store the password without having to worry about someone stealing it from the server and using it to log in. Naturally, all the other things (strong passwords, double salt, etc) apply as well, but aren't really relevant to the question. The actual question is: does this sound like a solid security design ? Did we overlook any flaws with doing things this way ? Is there maybe a security pattern for something like this ?

    Read the article

  • Kohana 3.2 - Database Session losing data on new Page Request

    - by reado
    I've setup my dev Kohana server to use an encrypted database as the default Session type. I'm also using this in combination with Auth to implement user authentication. Right now my user's are able to authenticate correctly and the authentication keys are being stored in the session. I'm also storing additional data like the user's firstname and businessname during the login procedure. When my login function is ready to redirect the user to the user dashboard, I'm able to see all the data correctly when I do $session::instance()->as_array(); (Array ( [auth_user] => NRyk6lA8 [businessname] => Dudetown [firstname] => Matt )) As soon as I redirect the user to another page, $session::instance()->as_array(); is empty. By dumping out the Session::instance() object, I can see that the Session id's are still the same. When I look at my database table though, i dont see any session records being saved and my session table is empty. My bootstrap.php contains: Session::$default = 'database'; Cookie::$salt = 'asdfasdf'; Cookie::$expiration = 1209600; Cookie::$domain = FALSE; and my session.php config file looks like: return array( 'database' => array( 'name' => 'auth_user', 'encrypted' => TRUE, 'lifetime' => 24 * 3600, 'group' => 'default', 'table' => 'sessions', 'columns' => array( 'session_id' => 'session_id', 'last_active' => 'last_active', 'contents' => 'contents' ), 'gc' => 500, ), ); I've looked high and low for an answer.. if anyone has any suggestions, i'm all ears! Thanks!

    Read the article

  • How does the receiver of a cipher text know the IV used for encryption?

    - by PatrickL
    If a random IV is used in encrypting plain text, how does the receiver of the cipher text know what the IV is in order to decrypt it? This is a follow-up question to a response to the previous stackoverflow question on IVs here. The IV allows for plaintext to be encrypted such that the encrypted text is harder to decrypt for an attacker. Each bit of IV you use will double the possibilities of encrypted text from a given plain text. The point is that the attacker doesn't know what the IV is and therefore must compute every possible IV for a given plain text to find the matching cipher text. In this way, the IV acts like a password salt. Most commonly, an IV is used with a chaining cipher (either a stream or block cipher). ... So, if you have a random IV used to encrypt the plain text, how do you decrypt it? Simple. Pass the IV (in plain text) along with your encrypted text. Wait. You just said the IV is randomly generated. Then why pass it as plain text along with the encrypted text?

    Read the article

< Previous Page | 7 8 9 10 11 12 13  | Next Page >