Search Results

Search found 497 results on 20 pages for 'xss prevention'.

Page 12/20 | < Previous Page | 8 9 10 11 12 13 14 15 16 17 18 19  | Next Page >

  • PHP $_SERVER['HTTP_HOST'] vs. $_SERVER['SERVER_NAME'], am I understanding the man pages correctly?

    - by Jeff
    I did a lot of searching and also read the PHP $_SERVER man page. Do I have this right regarding which to use for my PHP scripts for simple link definitions used throughout my site? $_SERVER['SERVER_NAME'] is based on your web servers' config file (Apache2 in my case), and varies depending on a few directives: (1) VirtualHost, (2) ServerName, (3) UseCanonicalName, etc. $_SERVER['HTTP_HOST'] is based on the request from the client. Therefore, it would seem to me that the proper one to use in order to make my scripts as compatible as possible would be $_SERVER['HTTP_HOST']. Is this assumption correct? Followup comments: I guess I got a little paranoid after reading this article and noting that someone said "they wouldn't trust any of the $_SERVER vars": http://markjaquith.wordpress.com/2009/09/21/php-server-vars-not-safe-in-forms-or-links/ and also: http://www.php.net/manual/en/reserved.variables.server.php (comment: Vladimir Kornea 14-Mar-2009 01:06) Apparently the discussion is mainly about $_SERVER['PHP_SELF'] and why you shouldn't use it in the form action attribute without proper escaping to prevent XSS attacks. My conclusion about my original question above is that it is "safe" to use $_SERVER['HTTP_HOST'] for all links on a site without having to worry about XSS attacks, even when used in forms. Please correct me if I'm wrong.

    Read the article

  • Parsing a complicated HTML table with PHP

    - by user2944979
    I successfully parsed a dynamic table with the following PHP code: $docH = new DOMDocument(); $docH->loadHTMLFile($url); //get everything inside the body element: $bodyH = $docH->getElementsByTagName('body')->item(0); foreach ($bodyH->childNodes as $childNode) { echo $docH->saveHTML($childNode); } Parsed HTML Table: <table> <tr> <td>5CG </td> <td>aass </td> <td>sxs </td> <td>sx </td> <td>EK </td> <td> </td> <td>72 </td> </tr> <td> </td> <td>samplxs </td> <td>xs </td> <td> </td> <td>xss </td> <td>fkxsx aus</td> <td>s </td> </tr> <td> </td> <td>5AH. </td> <td>ds </td> <td>d </td> <td>sdf </td> <td>sdfsdf aus</td> <td> </td> </tr> <tr> <td>6CG </td> <td>3. </td> <td>sfd </td> <td> </td> <td>scs </td> <td>das aus</td> <td>a </td> </tr> <tr> <td>7DG </td> <td>6. </td> <td>s </td> <td>s </td> <td>sD </td> <td>sdsa.</td> <td> </td> </tr> <td> </td> <td>samplxs </td> <td>xs </td> <td> </td> <td>xss </td> <td>fkxsx aus</td> <td>s </td> </tr> <tr> <td>7DG, 7CG, 7CR </td> <td>6. </td> <td>NsdR </td> <td>s </td> <td>SP </td> <td>fasdlt aus</td> <td>s </td> </tr> <td> </td> <td>samplxs </td> <td>xs </td> <td> </td> <td>xss </td> <td>fkxsx aus</td> <td>s </td> </tr> <tr> <td> 9BR </td> <td>6. </td> <td>FEI </td> <td>sa </td> <td>DE </td> <td>fasdad aus</td> <td> </td> </tr> <tr> <td>9AR, 9BR, 9CR</td> <td>62. </td> <td>BEH </td> <td> </td> <td>sd </td> <td>fasda aus</td> <td> </td> </tr> <tr> <td> </td> <td>6. </td> <td>MLR </td> <td> </td> <td>FdR </td> <td>fsdfaus</td> <td> </td> </tr> <tr> <td>E10C </td> <td>6. </td> <td>sdf </td> <td>d </td> <td>d </td> <td>fsdfs aus</td> <td> </td> </tr> <tr> </table> But my goal is to just show the content of the table the user wants by asking for just the <tr> elements in which the first <td> of the first <tr> includes some text until there is another <tr> which first <td> has a different content. For example: If the user types "9BR" into an input field, I just want him to see: <td> 9BR </td> <td>6. </td> <td>FEI </td> <td>sa </td> <td>DE </td> <td>fasdad aus</td> <td> </td> </tr> <tr> <td>9AR, 9BR, 9CR</td> <td>62. </td> <td>BEH </td> <td> </td> <td>sd </td> <td>fasda aus</td> <td> </td> </tr> <tr> <td> </td> <td>6. </td> <td>MLR </td> <td> </td> <td>FdR </td> <td>fsdfaus</td> <td> </td> </tr> If he types in 5CG: <tr> <td>5CG </td> <td>aass </td> <td>sxs </td> <td>sx </td> <td>EK </td> <td> </td> <td>72 </td> </tr> <td> </td> <td>samplxs </td> <td>xs </td> <td> </td> <td>xss </td> <td>fkxsx aus</td> <td>s </td> </tr> Or if 6CG just: <tr> <td>6CG </td> <td>3. </td> <td>sfd </td> <td> </td> <td>scs </td> <td>das aus</td> <td>a </td> </tr>

    Read the article

  • Will these security functions be enough? (PHP)

    - by ggfan
    I am trying to secure my site so I don't have sql injections and xss scripting. Here's my code. //here's the from, for brevity, i just show a field for users to put firstname <form> <label for="first_name" class="styled">First Name:</label> <input type="text" id="first_name" name="first_name" value="<?php if (!empty($first_name)) echo $first_name; ?>" /><br /> //submit button etc </form> if (isset($_POST['submit'])) { //gets rid of extra whitesapce and escapes $first_name = mysqli_real_escape_string($dbc, trim($_POST['first_name'])); //check if $first_name is a string if(!is_string($first_name) { echo "not string"; } //then insert into the database. ....... } mysqli_real_espace_string: I know that this func escapes certain letters like \n \r, so when the data gets inputted into the dbc, it would have '\' next to all the escaped letters? --Will this script be enough to prevent most sql injections? just escaping and checking if the data is a string. For integers values(like users putting in prices), i just: is_numeric(). --How should I use htmlspecialchars? Should I use it only when echoing and displaying user data? Or should I also use this too when inputting data to a dbc? --When should I use strip_tags() or htmlspecialchars? SOO with all these function... if (isset($_POST['submit'])) { //gets rid of extra whitesapce and escapes $first_name = mysqli_real_escape_string($dbc, trim($_POST['first_name'])); //check if $first_name is a string if(!is_string($first_name) { echo "not string"; } //gets rid of any <,>,& htmlspecialchars($first_name); //strips any tags with the first name strip_tags($first_name) //then insert into the database. ....... } Which funcs should I use for sql injections and which ones should I use for xss?

    Read the article

  • please upvote this.

    - by Behrooz
    Oops! Your question couldn't be submitted because: we're sorry, but as a spam prevention mechanism, new users aren't allowed to post images. Earn 10 reputation to post images. the only way for getting reputation is getting upvotes? And I'm not a sysadmin? and you help me?

    Read the article

  • What is the best Web Application Firewall for IIS?

    - by user30850
    What is the best Web Application Firewall(WAF) for IIS? What makes it better than the others? How useful is it at blocking attacks against poorly written code, otherwise known as an Intrusion Prevention System (IPS)? WAFs are required by the PCI-DSS, so if I have to get one, then it should the best one.

    Read the article

  • If DEP has stopped an app, is there a possibility to see this events in a log?

    - by Ice
    DEP (Microsofts Data Execution Prevention) stopps sometimes some apps and kills it out of memory. As an administrator, may i see such events in a log and if which one? My experience is that there is no user information as written in Help about DEP, user reported only that the desired app disappears from their screens. This happens on a Citrix-Server running on a windows-2003 R2 64-Bit Server.

    Read the article

  • Is there a way to automatically keep Chrome/Ask Tool Bar from installing?

    - by hydroparadise
    So of lately, I've had to warn my users to watch out for unwanted programs that are coming in with Adobe Flash and Java updates. Adobe seems to be pushing Google's Chrome and Java with the Ask.com Toolbar. I admit that it could be much worse because both instance simply require an uncheck during some point of the update process, but on a large scale, prevention is better than confrontation. Any suggestions?

    Read the article

  • Un smartphone est-il assez sécurisé pour stocker un dossier médical ? Des chercheurs veulent y stocker l'ADN de leurs propriétaires

    L'escalade des fonctionnalités offertes par les smartphones est-elle une bonne chose ? Des chercheurs veulent y stocker l'ADN de leurs propriétaires Une équipe de chercheurs travaillant à Bordeaux propose un nouvel "outil de prévention et de vigilance" qui fait débat. En effet, leur projet, qui a été conçu bénévolement et sur des fonds privés, propose de «produire un logiciel qui "digère" les données issues du séquençage du génome pour les transporter sur des plate-formes mobiles». Autrement dit, il s'agit d'entrer son ADN dans son smartphone ou sa tablette. Un procédé qui fait grand débat en France, alors qu'il est totalement banalisé dans d'autres pays. Ainsi, aux Etats-Unis, n'...

    Read the article

  • Javascript: Safely upload a client data file

    - by Jeffrey Sweeney
    I'm (still) working on a template-based XML editing program. It's a GUI-based XML editor that only allows users to add certain tags and attributes based off the requirements. You can see the current version here for an idea. Now, I'd like to allow users to upload their own data templates, but I'm concerned about potential XSS hacks. Currently, the template file is in Javascript object literal notation, which unsurprisingly is a security nightmare if the user can upload their own. I was thinking of using XML instead, but is there an even better alternative?

    Read the article

  • Silverlight Security

    Here are some interesting links about Silverlight security (I learnt a lot from the first document): Silverlight security whitepaper: > http://download.microsoft.com/download/A/1/A/A1A80A28-907C-4C6A-8036-782E3792A408/Silverlight Security Overview.docx This reading gives you a lot of insight into features like Isolated Storage, Local Messaging, Cross-Site Scripting (XSS), Sandbox, Validate input, https, . Shawn Wildermuths session at MIX10: > Securing Microsoft Silverlight Applications ...Did you know that DotNetSlackers also publishes .net articles written by top known .net Authors? We already have over 80 articles in several categories including Silverlight. Take a look: here.

    Read the article

  • Request Validation in ASP.NET 4.0

    - by Ben Bastiaensen
    Up to ASP.NET 3.5 Request Validation is enabled by default. In order to to disable this for a page you needed to set the ValidationRequest property in the page directive to false. This is no longer the default case in ASP.NET 4.0. If you want to use this behaviour you need to add the follwing setting in web.config  <httpRuntime requestValidationMode="2.0" /> Of course you need to check all input in the page for XSS or other malicious input if you set the pages request validation to false.

    Read the article

  • Avoiding Hacker Trix

    - by Mike Benkovich
    Originally posted on: http://geekswithblogs.net/benko/archive/2014/08/20/avoiding-hacker-trix.aspxThis week we're doing a session called "Avoiding Hacker Trix" which goes thru some of the top web exploits that you should be aware of. In this webcast we will cover a variety of things including what we call the secure development process, cross site scripting attack, one click attack, SQL Injection and more. There are a bunch of links we cover, but rather than having you copy these down I'm providing them here... Links from the slide deck: Anti-XSS Library Download www.Fiddler2.com www.HelloSecureWorld.com Open Source Web Application Project - Top 10 Exploits Exploit: Cross Site Scripting - Paypal Exploit: SQL Injection - www.ri.gov Exploit: Cross Site Scripting - FTD Exploit: Insecure Direct Object Reference - Cahoots Exploit: Integer Overflow - Apple

    Read the article

  • Adsense Page impression is showing zero

    - by user2687
    Hi, i have created a new adsense account for my blog [link removed as is loaded with ads, popups and who knows what kind of XSS] and integrated ads with my blog. But i am getting page impressions zero. i am getting daily analytic's of 300 to 400 visitor/day still page impression are coming zero only. i have verified my pub-id. i don't no what is the problem. how to contact Google adsense team regarding this. please help me out in this. -Thanks

    Read the article

  • How to write a network game? [closed]

    - by Tom Wijsman
    Based on Why is so hard to develop a MMO?: Networked game development is not trivial; there are large obstacles to overcome in not only latency, but cheat prevention, state management and load balancing. If you're not experienced with writing a networked game, this is going to be a difficult learning exercise. I know the theory about sockets, servers, clients, protocols, connections and such things. Now I wonder how one can learn to write a network game: How to balance load problems? How to manage the game state? How to keep things synchronized? How to protect the communication and client from reverse engineering? How to work around latency problems? Which things should be computed local and which things on the server? ... Are there any good books, tutorials, sites, interesting articles or other questions regarding this? I'm looking for broad answers, but specific ones are fine too to learn the difference.

    Read the article

  • How to write a network game?

    - by TomWij
    Based on Why is so hard to develop a MMO?: Networked game development is not trivial; there are large obstacles to overcome in not only latency, but cheat prevention, state management and load balancing. If you're not experienced with writing a networked game, this is going to be a difficult learning exercise. I know the theory about sockets, servers, clients, protocols, connections and such things. Now I wonder how one can learn to write a network game: How to balance load problems? How to manage the game state? How to keep things synchronized? How to protect the communication and client from reverse engineering? How to work around latency problems? Which things should be computed local and which things on the server? ... Are there any good books, tutorials, sites, interesting articles or other questions regarding this? I'm looking for broad answers, but specific ones are fine too to learn the difference.

    Read the article

  • Why is better to use external JavaScript or libraries ; and is it prefered to use jquery meaning more security?

    - by shareef
    I read this article Unobtrusive JavaScript with jQuery and I noticed these points in the slide page 11 some companies strip JavaScript at the firewall some run the NoScript Firefox extension to protect themselves from common XSS and CSRF attacks many mobile devices ignore JavaScript entirely screen readers do execute JavaScript but accessibility issues mean you may not want them to I did not understand the fourth point. What does it mean? I need your comment and responses on these points. Is not using JavaScript and switching to libraries like jQuery worth it? UPDATE 1 : whats the meaning of Unobtrusive JavaScript with jQuery ? and yes it does not say we should use libraries but we should have them on external files for that reason i asked my question.

    Read the article

  • How can I force new windows to open in background & without focus?

    - by sup
    I have Opera set as my default browser but it is the same for Firefox. When opening a link in Liferea, the link opens in an external browser and the browser gets focus. I would like to open the links in background (so that the browser does not get focus). The only solution is to set Focus prevention level to Normal in the Focus & Raise Behaviour tab of General options in CCSM. But this messes things for other things. DO you have any other idea how to prevent new windows to have focus? I am using Unity on 11.10.

    Read the article

  • Photos - do I really need to look for the author and ask his permission when posting them on my site?

    - by user6456
    When I find a photo somewhere on the internet, without any explicit information of whether I can re-publish it on my own website, without any hint of who is the owner/author of that photo, can I still do it? I'm puzzled here cause I've seen like millions of websites, often very big, that repost photos, most probably found via google and it's VERY unlikely they bothered to look for and contact the author of that photos. Is every one of that sites likely to be sued at any moment? What about the case of forums and content provided by users - there is virtually no way of prevention here.

    Read the article

  • How to make safe and secure forms in asp.net MVC 3

    - by anirudha
    the asp.net application need all kind of security. unsecure forms may be influence by XSS [cross site scripting] there is some way to solve these type of problem in MVC. first sollution is that use <%= Html.AntiForgeryToken() %> for make secure from cross site scripting. it’s work by machine key in MVC. well you can valid them whenever you got respond from client. you can apply by this attribute on action you give the response behalf of form submission [ValidateAntiForgeryToken] you can secondly use authorize attribute where you can make own definition of authorize attribute in asp.net mvc for more info read david’s post well I am use my own custom attribute who use a different type of authorization :- the who controller use a attribute I put their and the attribute I put their have a logic and logic check the cookie in request who make sure that request they got from user.

    Read the article

  • Quality Assurance=inspections, reviews..?

    - by user970696
    Studying this subject extensively, the most books state the following: Quality Assurance: prevention activity. Act of inspection, reviewing.. Quality Control: testing While there are some exceptions that mention that QA deals with just processes (planning, strategy, standard application etc.) which is IMHO much closer to real QA, yet I cannot find any good reference in Google Books. I believe that inspections, reviews, testing is all quality control as it is about checking products, no matter if it is the final one or work products. The problem is that so many authors do not agree. I would be grateful for detailed explanation, ideally with a reference.

    Read the article

  • Chessin's principles of RAS design

    - by user12608173
    In late 2001 I developed an internal talk on designing hardware for easier error injection, prevention, diagnosis, and correction. (This talk became the basis for my paper on injecting errors for fun and profit.) In that talk (but not in the paper), I articulated 10 principles of RAS design, which I list for you here: Protect everything Correct where you can Detect where you can't Where protection not feasible (e.g., ALUs), duplicate and compare Report everything; never throw away RAS information Allow non-destructive inspection (logging/scrubbing) Allow non-destructive alteration (injection) (that is, only change the bits you want changed, and leave everything else as is) Allow observation of all the bits as they are (logging) Allow alteration of any particular bit or combination of bits (injection) Document everything Of course, it isn't always feasible to follow these rules completely all the time, but I put them out there as a starting point.

    Read the article

  • How can I make Liferea to open links in the background?

    - by sup
    I have Opera set as my default browser but it is the same for Firefox. When opening a link in Liferea, the link open in an external browser and the browser gets focus. I would like to open the links in background (so that the browser does not get focus). The only solution is to set Focus prevention level to Normal in the Focus & Raise Behaviour tab of General options in CCSM. But this messes things for other things. DO you have any other idea? I am using Unity on 11.10.

    Read the article

  • What framework for text rating site?

    - by problemofficer
    I want to start a "rate my"-style site. The rated objects are mostly texts. I want it to be rather simple. Features I need: object rating (thumb up, thumb down) object comments object tags related object presentation based on tags user authentication and management private message system sanity checks for text inputs (i.e. prevention of code injections) cache open source runs on GNU/Linux I would gladly take something that is tailored for my scenario but a generic framework would be fine too. I simply don't want to write stuff like user authentication that is been written a million times and risking security flaws. Programming language is irrelevant but python/php preferred.

    Read the article

  • Coverity publie Coverity Security Library, une bibliothèque open-source pour identifier les défauts de sécurité dans les applis Web Java

    Coverity publie Coverity Security Library Une bibliothèque open source pour identifier les défauts de sécurité les plus courants dans les applis Web Java Coverity, un des leaders du marché du test de développement, vient d'annoncer la création de la Coverity Security Library, un projet open source (disponible via GitHub et Maven) pour aider les développeurs à réparer les attaques de type cross-site scripting (XSS) dans les applications Web Java. Ce projet a été initié par le Security Research Laboratory de Coverity. Il s'agit d'une bibliothèque de fonctions de contournement et de codage gratuite. « Les développeurs peuvent ainsi réparer rapidement les problèmes les plus courants, qui p...

    Read the article

  • TFS and shared projects in multiple solutions

    - by David Stratton
    Our .NET team works on projects for our company that fall into distinct categories. Some are internal web apps, some are external (publicly facing) web apps, we also have internal Windows applications for our corporate office users, and Windows Forms apps for our retail locations (stores). Of course, because we hate code reuse, we have a ton of code that is shared among the different applications. Currently we're using SVN as our source control, and we've got our repository laid out like this: - = folder, | = Visual Studio Solution -SVN - Internet | Ourcompany.com | Oursecondcompany.com - Intranet | UniformOrdering website | MessageCenter website - Shared | ErrorLoggingModule | RegularExpressionGenerator | Anti-Xss | OrgChartModule etc... So.. The OurCompany.com solution in the Internet folder would have a website project, and it would also include the ErrorLoggingModule, RegularExpressionGenerator, and Anti-Xss projects from the shared directory. Similarly, our UniformOrdering website solution would have each of these projects included in the solution as well. We prefer to have a project reference to a .dll reference because, first of all, if we need to add or fix a function in the ErrorLoggingModule while working on the OurCompany.com website, it's right there. Also, this allows us to build each solution and see if changes to shared code break any other applications. This should work well on a build server as well if I'm correct. In SVN, there is no problem with this. SVN and Visual Studio aren't tied together in the way TFS's source control is. We never figured out how to work this type of structure in TFS when we were using it, because in TFS, the TFS project was always tied to a Visual Studio Solution. The Source Code repository was a child of the TFS Project, so if we wanted to do this, we had to duplicate the Shared code in each TFS project's source code repository. As my co-worker put it, this "breaks every known best practice about code reuse and simplicity". It was enough of a deal breaker for us that we switched to SVN. Now, however, we're faced with truly fixing our development processes, and the Application Lifecycle Management of TFS is pretty close to exactly what we want, and how we want to work. Our one sticking point is the shared code issue. We're evaluating other commercial and open source solutions, but since we're already paying for TFS with our MSDN Subscriptions, and TFS is pretty much exactly what we want, we'd REALLY like to find a way around this issue. Has anybody else faced this and come up with a solution? If you've seen an article or posting on this that you can share with me, that would help as well. As always, I'm open to answers like "You're looking at it all wrong, bonehead, HERE'S the way it SHOULD be done.

    Read the article

< Previous Page | 8 9 10 11 12 13 14 15 16 17 18 19  | Next Page >