php security - Page 13 - Developer IT

php.ini date.timezone usefulness?

- by Buttle Butkus

I'm not sure if this is a question for serverfault or stackoverflow but it seems like it has a lot to do with server config. We have a server in chicago and the server's clock is on chicago time. But since the business is located in California, it would seem to make sense to use pacific time. What happens when server time is Chicago, and php.ini directive date.timezone is set to "America/Los_Angeles"? How will that affect logs written to mysql, error logs, etc? I've looked at the Apache error log and, as I expected, the php directive does not affect it. Times are all servertime. Thanks.

Read the article

Security failure - This is not a secure document but has security embed parameters

- by dimitris mistriotis

I try to create a private version and therefore I used something like this in php: var scribd_doc = scribd.Document.getDoc( 28394353, 'xxx'); scribd_doc.addParam("use_ssl", true); scribd_doc.addParam('public', false); scribd_doc.grantAccess("cbccf6e7-1ff7-9034-8a7c-a0c2a5b225ed", <?php echo "'" . trim($_COOKIE['PHPSESSID']) . "'" ?>, <?php echo "'" . scribd_calculate_signature($documentID = '28394353', $sessionID = trim($_COOKIE['PHPSESSID']), $userID = "cbccf6e7-1ff7-9034-8a7c-a0c2a5b225ed") . "'" ?>); ... ... scribd_doc.write( 'embedded_flash' ); Which is the api of scribd for javascript with the addition of the signature. My result is the "Security failure - This is not a secure document but has security embed parameters" Error, which is not well documented. The document is set to private. Any ideas?

Read the article

[PHP.ini] Can't load mcrypt.dll dynamic library.

- by Kel

Hey guys, I'm trying to load this module: php_mcrypt.dll' Everything in the php.ini file is correct, see for yourself: extension_dir = "C:/PHP/5.2.13/ext" extension=php_mcrypt.dll The file exists in this path. And other modules are in there as well and are loaded successfully. It only has a problem with this particular module. I have a 64bit Windows XP, Apache 2.2, PHP 5.2.13... But i get this warning (error.log of Apache): PHP Warning: PHP Startup: Unable to load dynamic library 'C:/PHP/5.2.13/ext\php_mcrypt1.dll' - The specified module could not be found.\r\n in Unknown on line 0 PHP itself is working fine. But one of our applications needs this module and it throws me this ugly error. Why on earth does it show me two backslashes in the log file?

Read the article

Running PHP 5.1 and 5.2 on debian squeeze

- by Keil

I know that Debian Squeeze won't let me compile a PHP version (prior to 5.3.0). But I need them for migrating some tools: Joomla (1.0.10) and SugarCRM (4.2.1b). Actually, Joomla 1.0.10 can run on PHP 5.2, and SugarCRM on PHP 5.1. But both will complain running under PHP 5.3. So, I want to execute their upgrade process under their working PHP version, so after the upgrade, they may not complain anymore under PHP 5.3. FYI, Apache is not the only option I have as WebServer. Maybe I am wrong thinking this way, if so, please explain the differents steps I need. So the question is: How can I have these PHP versions running on Squeeze?

Read the article

Security in OBIEE 11g, Part 2

- by Rob Reynolds

Continuing the series on OBIEE 11g, our guest blogger this week is Pravin Janardanam. Here is Part 2 of his overview of Security in OBIEE 11g. OBIEE 11g Security Overview, Part 2 by Pravin Janardanam In my previous blog on Security, I discussed the OBIEE 11g changes regarding Authentication mechanism, RPD protection and encryption. This blog will include a discussion about OBIEE 11g Authorization and other Security aspects. Authorization: Authorization in 10g was achieved using a combination of Users, Groups and association of privileges and object permissions to users and Groups. Two keys changes to Authorization in OBIEE 11g are: Application Roles Policies / Permission Groups Application Roles are introduced in OBIEE 11g. An application role is specific to the application. They can be mapped to other application roles defined in the same application scope and also to enterprise users or groups, and they are used in authorization decisions. Application roles in 11g take the place of Groups in 10g within OBIEE application. In OBIEE 10g, any changes to corporate LDAP groups require a corresponding change to Groups and their permission assignment. In OBIEE 11g, Application roles provide insulation between permission definitions and corporate LDAP Groups. Permissions are defined at Application Role level and changes to LDAP groups just require a reassignment of the Group to the Application Roles. Permissions and privileges are assigned to Application Roles and users in OBIEE 11g compared to Groups and Users in 10g. The diagram below shows the relationship between users, groups and application roles. Note that the Groups shown in the diagram refer to LDAP Groups (WebLogic Groups by default) and not OBIEE application Groups. The following screenshot compares the permission windows from Admin tool in 10g vs 11g. Note that the Groups in the OBIEE 10g are replaced with Application Roles in OBIEE 11g. The same is applicable to OBIEE web catalog objects. The default Application Roles available after OBIEE 11g installation are BIAdministrator, BISystem, BIConsumer and BIAuthor. Application policies are the authorization policies that an application relies upon for controlling access to its resources. An Application Role is defined by the Application Policy. The following screenshot shows the policies defined for BIAdministrator and BISystem Roles. Note that the permission for impersonation is granted to BISystem Role. In OBIEE 10g, the permission to manage repositories and Impersonation were assigned to “Administrators” group with no control to separate these permissions in the Administrators group. Hence user “Administrator” also had the permission to impersonate. In OBI11g, BIAdministrator does not have the permission to impersonate. This gives more flexibility to have multiple users perform different administrative functions. Application Roles, Policies, association of Policies to application roles and association of users and groups to application roles are managed using Fusion Middleware Enterprise Manager (FMW EM). They reside in the policy store, identified by the system-jazn-data.xml file. The screenshots below show where they are created and managed in FMW EM. The following screenshot shows the assignment of WebLogic Groups to Application Roles. The following screenshot shows the assignment of Permissions to Application Roles (Application Policies). Note: Object level permission association to Applications Roles resides in the RPD for repository objects. Permissions and Privilege for web catalog objects resides in the OBIEE Web Catalog. Wherever Groups were used in the web catalog and RPD has been replaced with Application roles in OBIEE 11g. Following are the tools used in OBIEE 11g Security Administration: · Users and Groups are managed in Oracle WebLogic Administration console (by default). If WebLogic is integrated with other LDAP products, then Users and Groups needs to managed using the interface provide by the respective LDAP vendor – New in OBIEE 11g · Application Roles and Application Policies are managed in Oracle Enterprise Manager - Fusion Middleware Control – New in OBIEE 11g · Repository object permissions are managed in OBIEE Administration tool – Same as 10g but the assignment is to Application Roles instead of Groups · Presentation Services Catalog Permissions and Privileges are managed in OBI Application administration page - Same as 10g but the assignment is to Application Roles instead of Groups Credential Store: Credential Store is a single consolidated service provider to store and manage the application credentials securely. The credential store contains credentials that either user supplied or system generated. Credential store in OBIEE 10g is file based and is managed using cryptotools utility. In 11g, Credential store can be managed directly from the FMW Enterprise Manager and is stored in cwallet.sso file. By default, the Credential Store stores password for deployed RPDs, BI Publisher data sources and BISystem user. In addition, Credential store can be LDAP based but only Oracle Internet Directory is supported right now. As you can see OBIEE security is integrated with Oracle Fusion Middleware security architecture. This provides a common security framework for all components of Business Intelligence and Fusion Middleware applications.

Read the article

What’s New In Microsoft Security Essentials 2.0 And How To Upgrade To 2.0

- by Gopinath

Since Microsoft released Microsoft Security Essentials(MSE) couple of years ago, I stopped worrying about antivirus programs on all my Windows PCs. MSE is just awesome and it’s the best free antivirus available in the market. Microsoft released version 2.0 of MSE yesterday with enhanced security features and more love for Windows users. New features introduced in this version are New protection engine - Heuristic scanning engine is introduced to bump the virus detection and cleaning mechanism. Network inspection system to monitor network traffic as we browse and protects us from malicious scripts and programs. Better integration with Windows Firewall With this upgrade, MSE is irresistible antivirus application to have on every Windows PC. How To Upgrade MSE 1.0 to 2.0 Generally upgrading Microsoft applications are kids play. All one would require to upgrade is to go to Help->Check for upgrades menu option and follow the wizard to complete upgrade process. Microsoft Security Essentials 1.0 to 2.0 upgrade is also expected to be this way, but somehow it’s not working for me in India. May be I guess, MSE 2.0 is not released for Indian users. What ever may be the reason, it’s very easy to upgrade MSE 1.0 to 2.0 manually. Just download the installer from Microsoft(link given below) and run the installer. Choose Upgrade option when the installer is executing to have MSE 2.0 installed on your PC. MSE 2.0 Download Link You can download Microsoft Security Essentials 2.0 at Microsoft Download Center. This article titled,What’s New In Microsoft Security Essentials 2.0 And How To Upgrade To 2.0, was originally published at Tech Dreams. Grab our rss feed or fan us on Facebook to get updates from us.

Read the article

Steps to Mitigate Database Security Worst Practices

- by Troy Kitch

The recent Top 6 Database Security Worst Practices webcast revealed the Top 6, and a bonus 7th , database security worst practices: Privileged user "all access pass" Allow application bypass Minimal and inconsistent monitoring/auditing Not securing application data from OS-level user No SQL injection defense Sensitive data in non-production environments Not securing complete database environment These practices are uncovered in the 2010 IOUG Data Security Survey. As part of the webcast we looked at each one of these practices and how you can mitigate them with the Oracle Defense-in-Depth approach to database security. There's a lot of additional information to glean from the webcast, so I encourage you to check it out here and see how your organization measures up.

Read the article

SQLAuthority News – 2 Security Updates for SQL Server 2000 SP 4 Users

- by pinaldave

If you are using SQL Server 2000 still today my very first recommendation to you is to upgrade to SQL Server 2012. SQL Server 2000 is now 12 years old product and since then many new enhancements as well features which are relevant to current growth and progress in Informational Industry. Now is the time to catch up with the latest trends. Here is one more point for you to notice if this helps you consider to upgrade to the latest version. One can’t upgrade directly from SQL Server 2000 to SQL Server 2012. You need to first upgrade to either SQL Server 2005/2008/R2 and then further plan to upgrade to SQL Server 2012. There is no direct upgrade path for SQL Server 2000 to SQL Server 2012. I strongly believe this is the time to upgrade to the latest version. Well, also there is a rule that to let something continue if it is not broken and working fine. If you are following that rule and still using SQL Server 2000 I strongly suggest that you upgrade your SQL Server 2000 SP4 and update it with latest Security updates. Here are two important SQL Server Security Updates. Security Update for SQL Server 2000 Service Pack 4 (KB983811) Security Update for SQL Server 2000 Service Pack 4 (KB983812) As we are talking about SQL Server 2000 let me ask you a quick question – how many of you are still using SQL Server 2000 or earlier version in a production system on at least one server? Reference: Pinal Dave (http://blog.sqlauthority.com) Filed under: PostADay, SQL, SQL Authority, SQL Download, SQL Query, SQL Security, SQL Server, SQL Tips and Tricks, T SQL, Technology

Read the article

Web security course ?

- by vtortola

I'd like to do a course about web security. I've seen some certifications that could be interesting: CIW Web Security Professional CISSP® - Certified Information Systems Security Professional Certified Secure Software Lifecycle Professional What do you know about these certifications? are they recognized? I'm not trying to become a hacker, I just want to ensure I have enough knowledge about web security to cope with today internet. From my inexpert point of view, "Certified Secure Software Lifecycle Professional" looks exactly as I want, the problem is that it cost more than 500 bucks! Why certification? well, I want to learn but I would like also have a way to demonstrate to a future employer/customer that I had to study and pass exams, not only attend to a course. Regards.

Read the article

Tech Article: Customizing Security for Oracle WebLogic Server MBeans

- by OracleTechnologyNetwork

A quick tour of your options for ensuring security for JMX operations in Oracle WebLogic Server

Read the article

Security aspects of an ASP.NET that can be pointed out to the client

- by Maxim V. Pavlov

I need to write several passages of text in an offer to the client about the security layer in ASP.NET MVC web solution. I am aware of security that comes along with MVC 3 and an improvements in MVC 4. But all of them are non conceptual, except for AntiForgeryToken (AntiXSS) and built-in SQL Injection immunity (with a little of encoding needed by hand). What would be the main point of ASP.NET security I can "show off" in an offer to the client?

Read the article

Open Source Security packages for Rails

- by Edwin

I'm currently creating a complete web application using Rails 3 to familiarize myself with its inner workings and to gain a better appreciation of a working web application's moving parts. (Plus, since I'm still working on my degree, I hope that it will give me a better idea of what's BS in my education requirements and which weaknesses/skills I should focus on.) The example application I'm working on is an ecommerce site, and I've already configured the backend, routes, controllers, and so on. As part of the application, I'd like to integrate a second layer of security on top of the one Rails already provides for user authentication. However, I've been unable to find any on Google, with the exception of OAuth - which, from my understanding, is meant to secure API calls. While I could roll my own secure authentication system, I'm only in my second year of college and recognize that A) I know little about security, and B) there are developers that know much more about security that are working on open-source projects. What are some actively developed open-source security packages or frameworks that can be easily added to Rails? Pros and cons are not necessary, as I can do the research myself. P.S. I'm not sure whether I posted this in the right SE site; please migrate to SO or Security if it is more appropriate there.

Read the article

j2ee implementing security and using a framwork pros and cons

- by Ismail Marmoush

I'm a newbie to j2ee security, and i'm not j2ee expert either, though i'm really willing to put some effort and learn I've an application that i'm about to develop on Google App Engine (GAE) --with no time constraints. As you know GAE handles a lot of web container security issues for you, also I will be using openID for authentication exclusively (sessions will be handled by provider). GAE supports SSL which will help with confidentiality and integrity maybe. Authorization can be done through filters. I know reinventing the wheel is a mess, but I was looking forward to learn something about security and implement that in my new app. so what the pros and cons of using a framework like shiro, spring security, jguard etc or filling the rest of gaps on my own ?

Read the article

Weaknesses of 3-Strike Security

- by prelic

I've been reading some literature on security, specifically password security/encryption, and there's been one thing that I've been wondering: is the 3-strike rule a perfect solution to password security? That is, if the number of password attempts is limited to some small number, after which all authentication requests will not be honored, will that not protect users from intrusion? I realize gaining access or control over something doesn't always mean going through the authentication system, but doesn't this feature make dictionary/brute-force attacks obsolete? Is there something I'm missing?

Read the article

extra configuration needed after installing SSL certificate?

- by ptriek

We recently developed two rather simple PHP applications for AXA (European bank). URL's are axa.tfo.be/incentives/cipres and axa.tfo.be/incentives/zrkk (access to both sites is restricted to visitors with cookies with encrypted passwords) On a previous security audit by an external company several security issues have been found. All these issues have been solved by a collleague PHP developer. However, one last requirement has been added - all data should be transfered over https. My php collegue is on holiday, however - and unavailable at the moment. So I contacted my host, and asked for installing SSL certificate. I myself have no knowledge/experience with SSL, so I'm a bit at loss for the following problems. Comodo SSL certificate + unique IP address has been installed today by my webhost for subdomain axa.tfo.be (by www.combell.be). However, it doesn't seem to be working. I posted a question about this earlier today, and was told not to worry, see link: http://serverfault.com/questions/339320/what-happens-if-you-install-an-ssl-certificate Current problems: the web applications aren't accessible over https, http works though (if a valid cookie is available) there's a static html page at http://axa.tfo.be/incentives/cipres/static.html, even that page is only accessible over http My webhost is telling me that 'my application probably doesn't support SSL', and has asked me to set an SSL variable to true in my php code. So my questions: I have basic knowledge of php, but don't know where to start regarding the 'php ssl variable'. The sites have been online for some time, and have been developed for regular php access. (Google didn't bring me any help, either.) Can anyone point me in the right direction, or give me some clues about whether/what I should ask my webhost for further assistance? (I'm a bit on a tight schedule, the sites will be audited again on monday, and it's a customer i wouldn't want to loose...) Thanks for looking into this, and sorry if my questions sound a bit nooby - I'm a webdesigner, not a server specialist...

Read the article

Monday, Oct 1 at OpenWorld - Database Security Must See Sessions

- by Troy Kitch

TIME TITLE LOCATION 12:15 - 1:15 PM Database Security Inside-Out: Latest Innovations in Database Security (CON8686) Moscone South - 102 3:15 - 4:15 PM Oracle Database Security Solutions Customer Panel: Real-World Case Studies (CON8674) Moscone South - 270 4:45 - 5:45 PM Latest Innovations and Best Practices for Oracle Database Auditing (CON8661) Moscone South - 303

Read the article

Redirecting to a dynamic page

- by binarydev

I have a page displaying blog posts (latest_posts.php) and another page that display single blog posts (blog.php) . I intend to link the image title in latest_posts.php so that it redirects to blog.php where it would display the particular post that was clicked. latest_posts.php:  <h2 class="underline"> <span>What's new</span> <span></span> </h2>   <ul class="post-list post-list-1"> <?php /* Fetches Date/Time, Post Content and title */ include 'dbconnect.php'; $sql = "SELECT * FROM wp_posts"; $res = mysql_query($sql); while ( $row = mysql_fetch_array($res) ) { ?>  <li class="clear-fix">  <div class="post-list-date"> <div class="post-date-box"> <?php //Timestamp broken down to show accordingly $timestamp = $row['post_date']; $datetime = new DateTime($timestamp); $date = $datetime->format("d"); $month = $datetime->format("M"); ?> <h3> <?php echo $date; ?> </h3> <span> <?php echo $month; ?> </span> </div> </div>   <div class="post-list-image">  <div class="image image-overlay-url image-fancybox-url"> <a href="post.php" class="preloader-image"> <?php echo '<img src="', $row['image'], '" alt="' , $row['post_title'] , '\'s Blog Image" />'; ?> </a> </div>  </div>   <div class="post-list-content"> <div>  <h4> <a href="post.php? . $row['ID'] . "> <?php echo $row['post_title']; ?> </a> </h4>   <p> <?php echo $row ['post_content']; }?> </p>  </div> </div>  </li>  </ul>  <a href="blog.php" class="button-browse">Browse All Posts</a> </div> <?php require_once('include/twitter_user_timeline.php'); ?> blog.php: <?php require_once('include/header.php'); ?> <body class="blog"> <?php require_once('include/navigation_bar_blog.php'); ?> <div class="blog"> <div class="main">  <h2 class="underline"> <span>What's new</span> <span></span> </h2>   <div class="layout-p-66x33 clear-fix">    <ul class="post-list post-list-2"> <?php /* Fetches Date/Time, Post Content and title with Pagination */ include 'dbconnect.php'; //sets to default page if(empty($_GET['pn'])){ $page=1; } else { $page = $_GET['pn']; } // Index of the page $index = ($page-1)*3; $sql = "SELECT * FROM `wp_posts` ORDER BY `post_date` DESC LIMIT " . $index . " ,3"; $res = mysql_query($sql); //Loops through the values while ( $row = mysql_fetch_array($res) ) { ?>  <li class="clear-fix">  <div class="post-list-date"> <div class="post-date-box"> <?php //Timestamp broken down to show accordingly $timestamp = $row['post_date']; $datetime = new DateTime($timestamp); $date = $datetime->format("d"); $month = $datetime->format("M"); ?> <h3> <?php echo $date; ?> </h3> <span> <?php echo $month; ?> </span> </div> </div>   <div class="post-list-image">  <div class="image image-overlay-url image-fancybox-url"> <a href="post.php" class="preloader-image"> <?php echo '<img src="', $row['image'], '" alt="' , $row['post_title'] , '\'s Blog Image" />'; ?> </a> </div>  </div>   <div class="post-list-content"> <div> <?php $id = $_GET['ID']; $post = lookup_post_somehow($id); if($post) { // render post } else { echo 'blog post not found..'; } ?>  <h4> <a href="post.php"> <?php echo $row['post_title']; ?> </a> </h4>   <p> <?php echo $row ['post_content']; ?> </p>  </div> </div>  </li>  <?php } // close while loop ?> </ul>  <div> <ul class="blog-pagination clear-fix"> <?php //Count the number of rows $numberofrows = mysql_query("SELECT COUNT(ID) FROM `wp_posts`"); //Do ciel() to round the result according to number of posts $postsperpage = 4; $numOfPages = ceil($numberofrows / $postsperpage); for($i=1; $i < $numOfPages; $i++) { //echos links for each page $paginationDisplay = '<li><a href="blog.php?pn=' . $i . '">' . $i . '</a></li>'; echo $paginationDisplay; } ?>  </ul> </div>   </div>  </div> </div> <?php require_once('include/twitter_user_timeline.php'); ?> <?php require_once('include/footer_blog.php'); ?> How do I render?

Read the article

PHP create page as a string after PHP runs

- by John

I'm stuck on how to write the test.php page result (after php has run) to a string: testFunctions.php: <?php function htmlify($html, $format){ if ($format == "print"){ $html = str_replace("<", "<", $html); $html = str_replace(">", ">", $html); $html = str_replace(" ", "&nbsp;", $html); $html = nl2br($html); return $html; } }; $input = <<<HTML <div style="background color:#959595; width:400px;">  <br> input <b>text</b> <br>  </div> HTML; function content($input, $mode){ if ($mode =="display"){ return $input; } else if ($mode =="source"){ return htmlify($input, "print"); }; }; function pagePrint($page){ $a = array( 'file_get_contents' => array($page), 'htmlify' => array($page, "print") ); foreach($a as $func=>$args){ $x = call_user_func_array($func, $args); $page .= $x; } return $page; }; $file = "test.php"; ?> test.php: <?php include "testFunctions.php"; ?> <br><hr>here is the rendered html:<hr> <?php $a = content($input, "display"); echo $a; ?> <br><hr>here is the source code:<hr> <?php $a = content($input, "source"); echo $a; ?> <br><hr>here is the source code of the entire page after the php has been executed:<hr> <div style="margin-left:40px; background-color:#ebebeb;"> <?php $a = pagePrint($file); echo $a; ?> </div> I'd like to keep all the php in the testFunctions.php file, so I can place simple function calls into templates for html emails. Thanks!

Read the article

Spring security request matcher is not working with regex

- by Felipe Cardoso Martins

Using Spring MVC + Security I have a business requirement that the users from SEC (Security team) has full access to the application and FRAUD (Anti-fraud team) has only access to the pages that URL not contains the words "block" or "update" with case insensitive. Bellow, all spring dependencies: $ mvn dependency:tree | grep spring [INFO] +- org.springframework:spring-webmvc:jar:3.1.2.RELEASE:compile [INFO] | +- org.springframework:spring-asm:jar:3.1.2.RELEASE:compile [INFO] | +- org.springframework:spring-beans:jar:3.1.2.RELEASE:compile [INFO] | +- org.springframework:spring-context:jar:3.1.2.RELEASE:compile [INFO] | +- org.springframework:spring-context-support:jar:3.1.2.RELEASE:compile [INFO] | \- org.springframework:spring-expression:jar:3.1.2.RELEASE:compile [INFO] +- org.springframework:spring-core:jar:3.1.2.RELEASE:compile [INFO] +- org.springframework:spring-web:jar:3.1.2.RELEASE:compile [INFO] +- org.springframework.security:spring-security-core:jar:3.1.2.RELEASE:compile [INFO] | \- org.springframework:spring-aop:jar:3.0.7.RELEASE:compile [INFO] +- org.springframework.security:spring-security-web:jar:3.1.2.RELEASE:compile [INFO] | +- org.springframework:spring-jdbc:jar:3.0.7.RELEASE:compile [INFO] | \- org.springframework:spring-tx:jar:3.0.7.RELEASE:compile [INFO] +- org.springframework.security:spring-security-config:jar:3.1.2.RELEASE:compile [INFO] +- org.springframework.security:spring-security-acl:jar:3.1.2.RELEASE:compile Bellow, some examples of mapped URL path from spring log: Mapped URL path [/index] onto handler 'homeController' Mapped URL path [/index.*] onto handler 'homeController' Mapped URL path [/index/] onto handler 'homeController' Mapped URL path [/cellphone/block] onto handler 'cellphoneController' Mapped URL path [/cellphone/block.*] onto handler 'cellphoneController' Mapped URL path [/cellphone/block/] onto handler 'cellphoneController' Mapped URL path [/cellphone/confirmBlock] onto handler 'cellphoneController' Mapped URL path [/cellphone/confirmBlock.*] onto handler 'cellphoneController' Mapped URL path [/cellphone/confirmBlock/] onto handler 'cellphoneController' Mapped URL path [/user/update] onto handler 'userController' Mapped URL path [/user/update.*] onto handler 'userController' Mapped URL path [/user/update/] onto handler 'userController' Mapped URL path [/user/index] onto handler 'userController' Mapped URL path [/user/index.*] onto handler 'userController' Mapped URL path [/user/index/] onto handler 'userController' Mapped URL path [/search] onto handler 'searchController' Mapped URL path [/search.*] onto handler 'searchController' Mapped URL path [/search/] onto handler 'searchController' Mapped URL path [/doSearch] onto handler 'searchController' Mapped URL path [/doSearch.*] onto handler 'searchController' Mapped URL path [/doSearch/] onto handler 'searchController' Bellow, a test of the regular expressions used in spring-security.xml (I'm not a regex speciality, improvements are welcome =]): import java.util.Arrays; import java.util.List; public class RegexTest { public static void main(String[] args) { List<String> pathSamples = Arrays.asList( "/index", "/index.*", "/index/", "/cellphone/block", "/cellphone/block.*", "/cellphone/block/", "/cellphone/confirmBlock", "/cellphone/confirmBlock.*", "/cellphone/confirmBlock/", "/user/update", "/user/update.*", "/user/update/", "/user/index", "/user/index.*", "/user/index/", "/search", "/search.*", "/search/", "/doSearch", "/doSearch.*", "/doSearch/"); for (String pathSample : pathSamples) { System.out.println("Path sample: " + pathSample + " - SEC: " + pathSample.matches("^.*$") + " | FRAUD: " + pathSample.matches("^(?!.*(?i)(block|update)).*$")); } } } Bellow, the console result of Java class above: Path sample: /index - SEC: true | FRAUD: true Path sample: /index.* - SEC: true | FRAUD: true Path sample: /index/ - SEC: true | FRAUD: true Path sample: /cellphone/block - SEC: true | FRAUD: false Path sample: /cellphone/block.* - SEC: true | FRAUD: false Path sample: /cellphone/block/ - SEC: true | FRAUD: false Path sample: /cellphone/confirmBlock - SEC: true | FRAUD: false Path sample: /cellphone/confirmBlock.* - SEC: true | FRAUD: false Path sample: /cellphone/confirmBlock/ - SEC: true | FRAUD: false Path sample: /user/update - SEC: true | FRAUD: false Path sample: /user/update.* - SEC: true | FRAUD: false Path sample: /user/update/ - SEC: true | FRAUD: false Path sample: /user/index - SEC: true | FRAUD: true Path sample: /user/index.* - SEC: true | FRAUD: true Path sample: /user/index/ - SEC: true | FRAUD: true Path sample: /search - SEC: true | FRAUD: true Path sample: /search.* - SEC: true | FRAUD: true Path sample: /search/ - SEC: true | FRAUD: true Path sample: /doSearch - SEC: true | FRAUD: true Path sample: /doSearch.* - SEC: true | FRAUD: true Path sample: /doSearch/ - SEC: true | FRAUD: true Tests Scenario 1 Bellow, the important part of spring-security.xml: <security:http entry-point-ref="entryPoint" request-matcher="regex"> <security:intercept-url pattern="^.*$" access="ROLE_SEC" /> <security:intercept-url pattern="^(?!.*(?i)(block|update)).*$" access="ROLE_FRAUD" /> <security:access-denied-handler error-page="/access-denied.html" /> <security:form-login always-use-default-target="false" login-processing-url="/doLogin.html" authentication-failure-handler-ref="authFailHandler" authentication-success-handler-ref="authSuccessHandler" /> <security:logout logout-url="/logout.html" success-handler-ref="logoutSuccessHandler" /> </security:http> Behaviour: FRAUD group **can't" access any page SEC group works fine Scenario 2 NOTE that I only changed the order of intercept-url in spring-security.xml bellow: <security:http entry-point-ref="entryPoint" request-matcher="regex"> <security:intercept-url pattern="^(?!.*(?i)(block|update)).*$" access="ROLE_FRAUD" /> <security:intercept-url pattern="^.*$" access="ROLE_SEC" /> <security:access-denied-handler error-page="/access-denied.html" /> <security:form-login always-use-default-target="false" login-processing-url="/doLogin.html" authentication-failure-handler-ref="authFailHandler" authentication-success-handler-ref="authSuccessHandler" /> <security:logout logout-url="/logout.html" success-handler-ref="logoutSuccessHandler" /> </security:http> Behaviour: SEC group **can't" access any page FRAUD group works fine Conclusion I did something wrong or spring-security have a bug. The problem already was solved in a very bad way, but I need to fix it quickly. Anyone knows some tricks to debug better it without open the frameworks code? Cheers, Felipe

Read the article

how to implement ws-security 1.1 in php5

- by Sam Segers

I'm trying to call a webservice with Soap in PHP5, for this, I need to use WS-Security 1.1. (In java and .NET this is all generated automatically.) Are there any frameworks available to generate the security headers easily in PHP? Or do I have to add the entire header myself ? Specifications of WS-Security 1.1: http://oasis-open.org/committees/download.php/16790/wss-1.1-spec-os-SOAPMessageSecurity.pdf

Read the article

PHP Sockets Not Working

- by isurulucky

Hi, I switched from Lighttpd server to WAMP and then found sockets in php are not working. But php is configured and working. (phpinfo() works) I removed the comment for the php_sockets.dll in php.ini @ C:\wamp\bin\php\php5.2.5.but still gives the error "Fatal error: Call to undefined function socket_create()". Any more configurations to do to enable sockets in php in WAMP? (php_sockets.dll is there as well, I've checked) Thank You!

Read the article

Connecting to SQL Server in Php - Extension Err

- by John Doe

<html> <head> <title>Connecting </title> </head> <body> <?php $host = "*.*.*.*"; $username = "xxx"; $password = "xxx"; $db_name = "xxx"; $db = mssql_connect($host, $username,$password) or die("Couldnt Connect"); $selected = mssql_select_db($db_name, $db) or die("Couldnt open database"); ?> </body> </html> My error message is: Fatal error: Call to undefined function mssql_connect() in C:\wamp\www\php\dbase.php on line 12 I am using WampServer 2.0 on Php 5.3.0 When I check the extensions, php_mssql is Checked. I also checked the php.ini file to make sure it is not commented out. I have my file dbase.php saved in C:\wamp\www\php. I have tried stopping the service, closing everything, and running it again. I know the problem is that the extension file is not being included somehow. The below is copied from my php.ini file. Note I made all http = /http to avoid posting Links. ;;;;;;;;;;;;;;;;;;;;;;;;; ; Paths and Directories ; ;;;;;;;;;;;;;;;;;;;;;;;;; ; UNIX: "/path1:/path2" ;include_path = ".:/php/includes" ; Windows: "\path1;\path2" include_path = "C:\wamp\bin\php\php5.3.0\ext" ; ; PHP's default setting for include_path is ".;/path/to/php/pear" ; /http://php.net/include-path ; The root of the PHP pages, used only if nonempty. ; if PHP was not compiled with FORCE_REDIRECT, you SHOULD set doc_root ; if you are running php as a CGI under any web server (other than IIS) ; see documentation for security issues. The alternate is to use the ; cgi.force_redirect configuration below ; /http://php.net/doc-root doc_root = ; The directory under which PHP opens the script using /~username used only ; if nonempty. ; /http://php.net/user-dir user_dir = ; Directory in which the loadable extensions (modules) reside. ; /http://php.net/extension-dir ; extension_dir = "./" ; On windows: ; extension_dir = "ext" extension_dir = "c:/wamp/bin/php/php5.3.0/ext/" ; Whether or not to enable the dl() function. The dl() function does NOT work ; properly in multithreaded servers, such as IIS or Zeus, and is automatically ; disabled on them. ; /http://php.net/enable-dl enable_dl = Off ; cgi.force_redirect is necessary to provide security running PHP as a CGI under ; most web servers. Left undefined, PHP turns this on by default. You can ; turn it off here AT YOUR OWN RISK ; You CAN safely turn this off for IIS, in fact, you MUST. ; /http://php.net/cgi.force-redirect ;cgi.force_redirect = 1 ; if cgi.nph is enabled it will force cgi to always sent Status: 200 with ; every request. PHP's default behavior is to disable this feature. ;cgi.nph = 1 ; if cgi.force_redirect is turned on, and you are not running under Apache or Netscape ; (iPlanet) web servers, you MAY need to set an environment variable name that PHP ; will look for to know it is OK to continue execution. Setting this variable MAY ; cause security issues, KNOW WHAT YOU ARE DOING FIRST. ; /http://php.net/cgi.redirect-status-env ;cgi.redirect_status_env = ; ; cgi.fix_pathinfo provides real PATH_INFO/PATH_TRANSLATED support for CGI. PHP's ; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok ; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting ; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting ; of zero causes PHP to behave as before. Default is 1. You should fix your scripts ; to use SCRIPT_FILENAME rather than PATH_TRANSLATED. ; /http://php.net/cgi.fix-pathinfo ;cgi.fix_pathinfo=1 ; FastCGI under IIS (on WINNT based OS) supports the ability to impersonate ; security tokens of the calling client. This allows IIS to define the ; security context that the request runs under. mod_fastcgi under Apache ; does not currently support this feature (03/17/2002) ; Set to 1 if running under IIS. Default is zero. ; /http://php.net/fastcgi.impersonate ;fastcgi.impersonate = 1; ; Disable logging through FastCGI connection. PHP's default behavior is to enable ; this feature. ;fastcgi.logging = 0 ; cgi.rfc2616_headers configuration option tells PHP what type of headers to ; use when sending HTTP response code. If it's set 0 PHP sends Status: header that ; is supported by Apache. When this option is set to 1 PHP will send ; RFC2616 compliant header. ; Default is zero. ; /http://php.net/cgi.rfc2616-headers ;cgi.rfc2616_headers = 0 ;;;;;;;;;;;;;;;; ; File Uploads ; ;;;;;;;;;;;;;;;; ; Whether to allow HTTP file uploads. ; /http://php.net/file-uploads file_uploads = On ; Temporary directory for HTTP uploaded files (will use system default if not ; specified). ; /http://php.net/upload-tmp-dir upload_tmp_dir = "c:/wamp/tmp" ; Maximum allowed size for uploaded files. ; /http://php.net/upload-max-filesize upload_max_filesize = 2M Also, my php.ini file is saved in: C:\wamp\bin\apache\Apache2.2.11\bin

Read the article

Connecting to mssql in Php - Extension Err

- by John Doe

<html> <head> <title>Connecting </title> </head> <body> <?php $host = "*.*.*.*"; $username = "xxx"; $password = "xxx"; $db_name = "xxx"; $db = mssql_connect($host, $username,$password) or die("Couldnt Connect"); $selected = mssql_select_db($db_name, $db) or die("Couldnt open database"); ?> </body> </html> My error message is: Fatal error: Call to undefined function mssql_connect() in C:\wamp\www\php\dbase.php on line 12 I am using WampServer 2.0 on Php 5.3.0 When I check the extensions, php_mssql is Checked. I also checked the php.ini file to make sure it is not commented out. I have my file dbase.php saved in C:\wamp\www\php. I have tried stopping the service, closing everything, and running it again. I know the problem is that the extension file is not being included somehow. The below is copied from my php.ini file. Note I made all http = /http to avoid posting Links. ;;;;;;;;;;;;;;;;;;;;;;;;; ; Paths and Directories ; ;;;;;;;;;;;;;;;;;;;;;;;;; ; UNIX: "/path1:/path2" ;include_path = ".:/php/includes" ; Windows: "\path1;\path2" include_path = "C:\wamp\bin\php\php5.3.0\ext" ; ; PHP's default setting for include_path is ".;/path/to/php/pear" ; /http://php.net/include-path ; The root of the PHP pages, used only if nonempty. ; if PHP was not compiled with FORCE_REDIRECT, you SHOULD set doc_root ; if you are running php as a CGI under any web server (other than IIS) ; see documentation for security issues. The alternate is to use the ; cgi.force_redirect configuration below ; /http://php.net/doc-root doc_root = ; The directory under which PHP opens the script using /~username used only ; if nonempty. ; /http://php.net/user-dir user_dir = ; Directory in which the loadable extensions (modules) reside. ; /http://php.net/extension-dir ; extension_dir = "./" ; On windows: ; extension_dir = "ext" extension_dir = "c:/wamp/bin/php/php5.3.0/ext/" ; Whether or not to enable the dl() function. The dl() function does NOT work ; properly in multithreaded servers, such as IIS or Zeus, and is automatically ; disabled on them. ; /http://php.net/enable-dl enable_dl = Off ; cgi.force_redirect is necessary to provide security running PHP as a CGI under ; most web servers. Left undefined, PHP turns this on by default. You can ; turn it off here AT YOUR OWN RISK ; You CAN safely turn this off for IIS, in fact, you MUST. ; /http://php.net/cgi.force-redirect ;cgi.force_redirect = 1 ; if cgi.nph is enabled it will force cgi to always sent Status: 200 with ; every request. PHP's default behavior is to disable this feature. ;cgi.nph = 1 ; if cgi.force_redirect is turned on, and you are not running under Apache or Netscape ; (iPlanet) web servers, you MAY need to set an environment variable name that PHP ; will look for to know it is OK to continue execution. Setting this variable MAY ; cause security issues, KNOW WHAT YOU ARE DOING FIRST. ; /http://php.net/cgi.redirect-status-env ;cgi.redirect_status_env = ; ; cgi.fix_pathinfo provides real PATH_INFO/PATH_TRANSLATED support for CGI. PHP's ; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok ; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting ; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting ; of zero causes PHP to behave as before. Default is 1. You should fix your scripts ; to use SCRIPT_FILENAME rather than PATH_TRANSLATED. ; /http://php.net/cgi.fix-pathinfo ;cgi.fix_pathinfo=1 ; FastCGI under IIS (on WINNT based OS) supports the ability to impersonate ; security tokens of the calling client. This allows IIS to define the ; security context that the request runs under. mod_fastcgi under Apache ; does not currently support this feature (03/17/2002) ; Set to 1 if running under IIS. Default is zero. ; /http://php.net/fastcgi.impersonate ;fastcgi.impersonate = 1; ; Disable logging through FastCGI connection. PHP's default behavior is to enable ; this feature. ;fastcgi.logging = 0 ; cgi.rfc2616_headers configuration option tells PHP what type of headers to ; use when sending HTTP response code. If it's set 0 PHP sends Status: header that ; is supported by Apache. When this option is set to 1 PHP will send ; RFC2616 compliant header. ; Default is zero. ; /http://php.net/cgi.rfc2616-headers ;cgi.rfc2616_headers = 0 ;;;;;;;;;;;;;;;; ; File Uploads ; ;;;;;;;;;;;;;;;; ; Whether to allow HTTP file uploads. ; /http://php.net/file-uploads file_uploads = On ; Temporary directory for HTTP uploaded files (will use system default if not ; specified). ; /http://php.net/upload-tmp-dir upload_tmp_dir = "c:/wamp/tmp" ; Maximum allowed size for uploaded files. ; /http://php.net/upload-max-filesize upload_max_filesize = 2M Also, my php.ini file is saved in: C:\wamp\bin\apache\Apache2.2.11\bin

Read the article

PHP not talking to MySQL

- by KodeSeeker

Im trying to set up a AMP installation on my windows 8 laptop. However, Im not being able to get PHP to talk to MySQL. When I start apache server, the following error log is generated PHP Warning: PHP Startup: Unable to load dynamic library 'ext\\php_mysql.dll' - %1 is not a valid Win32 application.\r\n in Unknown on line 0 PHP Warning: PHP Startup: Unable to load dynamic library 'ext\\php_mysqli.dll' - %1 is not a valid Win32 application.\r\n in Unknown on line .. Any idea why this could be happening?

Read the article

Making OpenSSL work on PHP Windows 2008 server with FastCGI

- by KacieHouser

I have been researching all day. Here is what I have done: In C:/PHP/php.ini and C:/PHP/php-cgi-fcgi.ini I have made the extension_dir = "C:/PHP/ext" I uncommented extension=php_openssl.dll I went to http://windows.php.net/download/ and got the thread safe version with the PHP 5.4 (5.4.8) version of DLL's In C:/PHP/ext I replaced the php_openssl.dll with the one I downloaded In System32 and SysWOW64 I added the following DLL's ssleay.dll libeay.dll I restarted the IIS server in the Server Manager under Web Server and stopped and started the World Wide Web Publishing Service That didn't work, so I tried same thing with the unthreaded versions. I still get: Fatal error: Call to undefined function ftp_ssl_connect() in C:\inetpub\wwwroot\REMOVED_dev\save_data.php on line 5 Here are related things from phpinfo(): System Windows NT DEV-WEB1 6.1 build 7601 (Windows Server 2008 R2 Standard Edition Service Pack 1) i586 Compiler MSVC9 (Visual C++ 2008) Architecture x86 Configure Command cscript /nologo configure.js "--enable-snapshot-build" "--enable-debug-pack" "--disable-zts" "--disable-isapi" "--disable-nsapi" "--without-mssql" "--without-pdo-mssql" "--without-pi3web" "--with-pdo-oci=C:\php-sdk\oracle\instantclient10\sdk,shared" "--with-oci8=C:\php-sdk\oracle\instantclient10\sdk,shared" "--with-oci8-11g=C:\php-sdk\oracle\instantclient11\sdk,shared" "--with-enchant=shared" "--enable-object-out-dir=../obj/" "--enable-com-dotnet" "--with-mcrypt=static" "--disable-static-analyze" "--with-pgo" Server API CGI/FastCGI Configuration File (php.ini) Path C:\Windows Loaded Configuration File C:\PHP\php-cgi-fcgi.ini Scan this dir for additional .ini files (none) Additional .ini files parsed (none) Registered PHP Streams php, file, glob, data, http, ftp, zip, compress.zlib, compress.bzip2, https, ftps, sqlsrv, phar Registered Stream Socket Transports tcp, udp, ssl, sslv3, sslv2, tls FTP support enabled Protocols dict, file, ftp, ftps, gopher, http, https, imap, imaps, ldap, pop3, pop3s, rtsp, scp, sftp, smtp, smtps, telnet, tftp openssl OpenSSL support enabled OpenSSL Library Version OpenSSL 0.9.8t 18 Jan 2012 OpenSSL Header Version OpenSSL 0.9.8x 10 May 2012 What am I missing here?

Search Results

Search found 43347 results on 1734 pages for 'php security'.

Page 13/1734 | < Previous Page | 9 10 11 12 13 14 15 16 17 18 19 20 | Next Page >

- by Buttle Butkus

- by dimitris mistriotis

- by Kel

- by Keil

- by Rob Reynolds

- by Gopinath

- by Troy Kitch

- by pinaldave

- by vtortola

- by OracleTechnologyNetwork

- by Maxim V. Pavlov

- by Edwin

- by Ismail Marmoush

- by prelic

- by ptriek

- by Troy Kitch

- by binarydev

- by John

- by Felipe Cardoso Martins

- by Sam Segers

- by isurulucky

- by John Doe

- by John Doe

- by KodeSeeker

- by KacieHouser

< Previous Page | 9 10 11 12 13 14 15 16 17 18 19 20 | Next Page >