Search Results

Search found 4187 results on 168 pages for 'secure erase'.

Page 150/168 | < Previous Page | 146 147 148 149 150 151 152 153 154 155 156 157 | Next Page >

How to control access to third party HTML pages

- by Wylie

Hello, We have a Learning Management System (LMS) that runs on its own server (IIS/Server 2003). Students must login with Forms authentication to gain access to the content. We want to offer access to third party flash and audio that is embedded in HTML pages hosted on the third party server (IIS/Server 2003). Currently we use a frame in a pop-up window that is populated via a simple URL to the third party HTML pages. How can the third party control access to their content, so that only students who launch the pop-up windows from our site can access their content? Since the content is mostly video and flash, we would prefer not to stream all of their content through our server to the Student. We have a programming staff, so we could maybe... - either post or get for our HTTP request to the third party server - we could use SSL - we could programmatically assign a global NT user account to all of our users and then do some kind of Active Directory login from the LMS server to the third party server - could the third party content be hosted at Amazon S3? Would this allow for secure access/download? These are just ideas. We really have no idea. Any suggestions would be greatly appreciated. TIA, Wylie

Read the article
Make password case unsensitive in shared ASP.Net membership tables web ap

- by bill

Hi all, i have two webapps.. that share ASP.Net membership tables. Everything works fine except i cannot remove case-sensitivity in one of the apps the way i am doing it in the other. in the non-working app void Login1_LoggingIn(object sender, LoginCancelEventArgs e) { string username = Login1.UserName.Trim(); if (!string.IsNullOrEmpty(username)) { MembershipUser user = Membership.GetUser(username); if (user != null) { // Only adjust the UserName if the password is correct. This is more secure // so a hacker can't find valid usernames if we adjust the case of mis-cased // usernames with incorrect passwords. string password = Login1.Password.ToUpper(); if (Membership.ValidateUser(user.UserName, password)) { Login1.UserName = user.UserName; } } } } is not working. the password is stored as all upper case. Converted at the time the membership user is created! So if the password is PASSWORD, typing PASSWORD allows me to authenticate. but typing password does not! Even though i can see the string being sent is PASSWORD (converted with toUpper()). I am at a complete loss on this.. in the other app i can type in lower or upper or mixed and i am able to authenticate. In the other app i am not using the textboxes from the login control though.. not sure if this is making the difference??

Read the article
Log in to subdomain via main domain

- by Mattias

I have a website, available through multiple domainnames. like www.domain1.com .... www.domain5.com All my customers have their own subdomain. like: customer1.domain1.com customer2.domain1.com .... customer351.domain4.com Currently i dont use SSL, each customer log in their own account via their sub domain. I want to change this, and make all customers log in on a central log in page, that would use SSL, for example. https://login.domain1.com And somehow redirect each user to the correct sub domain adress. (Sub domain that don't use SSL) How do I do this, and maintain security? One idea i had: Login - add random value somewhere in the database, Redirect to subdomain, with querystring the randomvalue. And after that the session takes care of it, Each value can be used once only.. But how secure is that? I guess someone would ask the question "why?" to me. Because SSL costs money. And unfortunately i dont have a lot of it. :D Thanks for your time!

Read the article
How would I authenticate against a local windows user on another machine in an ASP.NET application?

- by Daniel Chambers

In my ASP.NET application, I need to be able to authenticate/authorise against local Windows users/groups (ie. not Active Directory) on a different machine, as well as be able to change the passwords of said remote local Windows accounts. Yes, I know Active Directory is built for this sort of thing, but unfortunately the higher ups have decreed it needs to be done this way (so authentication against users in a database is out as well). I've tried using DirectoryEntry and WinNT like so: DirectoryEntry user = new DirectoryEntry(String.Format("WinNT://{0}/{1},User", serverName, username), username, password, AuthenticationTypes.Secure) but this results in an exception when you try to log in more than one user: Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again. I've tried making sure my DirectoryEntries are used inside a using block, so they're disposed properly, but this doesn't seem to fix the issue. Plus, even if that did work it is possible that two users could hit that line of code concurrently and therefore try to create multiple connections, so it would be fragile anyway. Is there a better way to authenticate against local Windows accounts on a remote machine, authorise against their groups, and change their passwords? Thanks for your help in advance.

Read the article
File upload fails when user is authenticated. Using IIS7 Integrated mode.

- by Nikkelmann

These are the user identities my website tells me that it uses: Logged on: NT AUTHORITY\NETWORK SERVICE (Can not write any files at all) and Not logged on: WSW32\IUSR_77 (Can write files to any folder) I have a ASP.NET 4.0 website on a shared hosting IIS7 web server running in Integrated mode with 32-bit applications support enabled and MSSQL 2008. Using classic mode is not an option since I need to secure some static files and I use Routing. In my web.config file I have set the following: <system.webServer> <modules runAllManagedModulesForAllRequests="true" /> </system.webServer> My hosting company says that Impersonation is enabled by default on machine level, so this is not something I can change. I asked their support and they referred me to this article: http://www.codinghub.net/2010/08/differences-between-integrated-mode-and.html Citing this part: Different windows identity in Forms authentication When Forms Authentication is used by an application and anonymous access is allowed, the Integrated mode identity differs from the Classic mode identity in the following ways: * ServerVariables["LOGON_USER"] is filled. * Request.LogognUserIdentity uses the credentials of the [NT AUTHORITY\NETWORK SERVICE] account instead of the [NT AUTHORITY\INTERNET USER] account. This behavior occurs because authentication is performed in a single stage in Integrated mode. Conversely, in Classic mode, authentication occurs first with IIS 7.0 using anonymous access, and then with ASP.NET using Forms authentication. Thus, the result of the authentication is always a single user-- the Forms authentication user. AUTH_USER/LOGON_USER returns this same user because the Forms authentication user credentials are synchronized between IIS 7.0 and ASP.NET. A side effect is that LOGON_USER, HttpRequest.LogonUserIdentity, and impersonation no longer can access the Anonymous user credentials that IIS 7.0 would have authenticated by using Classic mode. How do I set up my website so that it can use the proper identity with the proper permissions? I've looked high and low for any answers regarding this specific problem, but found nil so far... I hope you can help!

Read the article
How do I migrate from a basic plaintext password authentication to an OAuth based system?

- by different

Hello, Found out today that Twitter will be discontinuing its basic authentication for its API; the push is now towards OAuth but I don’t have a clue as to how to use it or whether it’s the right path for me. All I want to be able to do is post a tweet linking to the most recently published post when I hit publish. Currently I’m sending the login credentials for my Twitter account as plaintext, which I realise isn’t that secure but as my site is fairly small it isn’t an issue at least for now. I’m using this basic PHP code: $status = urlencode(stripslashes(urldecode("Test tweet"))); $tweetUrl = 'http://www.twitter.com/statuses/update.xml'; $curl = curl_init(); curl_setopt($curl, CURLOPT_URL, "$tweetUrl"); curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 2); curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); curl_setopt($curl, CURLOPT_POST, 1); curl_setopt($curl, CURLOPT_POSTFIELDS, "status=$status"); curl_setopt($curl, CURLOPT_USERPWD, "$username:$password"); $result = curl_exec($curl); $resultArray = curl_getinfo($curl); if ($resultArray['http_code'] == 200) { curl_close($curl); $this->redirect(""); } else { curl_close($curl); echo 'Could not post to Twitter. Please go back and try again.'; } How do I move from this to an OAuth system? Do I need to?

Read the article
Custom authentication module inheriting IHttpModule issue.

- by Chandan Khatwani

LoginPage.aspx:- protected void Button1_Click(object sender, EventArgs e) { Context.Items["Username"] = txtUserId.Text; Context.Items["Password"] = txtPassword.Text; // FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, Context.Items["Username"].ToString(), DateTime.Now, DateTime.Now.AddMinutes(10), true, "users", FormsAuthentication.FormsCookiePath); // Encrypt the cookie using the machine key for secure transport string hash = FormsAuthentication.Encrypt(ticket); HttpCookie cookie = new HttpCookie( FormsAuthentication.FormsCookieName, // Name of auth cookie hash); // Hashed ticket // Set the cookie's expiration time to the tickets expiration time if (ticket.IsPersistent) cookie.Expires = ticket.Expiration; Response.Cookies.Add(cookie); Response.Redirect("Default.aspx"); } Global.asax file:- void Application_AuthenticateRequest(object sender, EventArgs e) { if (HttpContext.Current.User != null) { if (HttpContext.Current.User.Identity.IsAuthenticated) { if (HttpContext.Current.User.Identity is FormsIdentity) { FormsIdentity id = (FormsIdentity)HttpContext.Current.User.Identity; FormsAuthenticationTicket ticket = id.Ticket; // Get the stored user-data, in this case, our roles string userData = ticket.UserData; string[] roles = userData.Split(','); HttpContext.Current.User = new System.Security.Principal.GenericPrincipal(id, roles); Response.Write(HttpContext.Current.User.Identity.Name); Response.Redirect("Default.aspx"); } } } } I get the following error after signing in This webpage has a redirect loop. The webpage at http://localhost:1067/Default.aspx has resulted in too many redirects. Clearing your cookies for this site or allowing third-party cookies may fix the problem. If not, it is possibly a server configuration issue and not a problem with your computer.

Read the article
Why Can't Businesses Upgrade their Browsers from IE6/IE7?

- by viatropos

I have read lots these past few weeks on IE6, seeing if it was really that bad to make it look right. I have just learned HTML and CSS this past year so I've been spoiled to start with basically CSS3 and HTML5, and I can do some really cool stuff super fast. I'm no IE6 master and I don't have years of experience with IE. So I thought it'd take a little time to figure out all the hacks to IE6/7 discovered and just implement them. But it's way harder than that (or maybe just way too much work). I'd have to either completely rebuild my design using "Internet Explorer 'Principles'", or cut out a lot of the neat things I could do using more recent technologies. For a million and one other reasons, everyone who builds things online seems to think IE should die. My question is, why can't businesses upgrade their browsers? When I work with businesses, they almost always resist the first time I ask, but 5 seconds later I'll show them what it looks like on my computer and talk about how great the latest stuff is (how much more secure later browser are, all the famous IE security cases, how much smoother and faster they new browsers are, how the IE team has basically missed the boat entirely, how much smoother business processes run, etc.), and they get excited! And within a few seconds they're up and running with Chrome or something. So can businesses not upgrade for some reasons? What are the reasons a business cannot upgrade? The main reason I think of is because they have an old version of windows. But a) wasn't there a legal case against this? and b) somebody must have figured out how to install Chrome or Firefox on ancient versions of Windows by now.

Read the article
Sanitize input before executing at server in php

- by Interfaith

I want to let user input two variable, Name and Password in a form. I want to disable any XSS or script insert in the input values. I have the following code in the form method: <form name="form1" method="post" action="checkpw.php"> Your Name: <table> <tr><td><input class="text" name="name" onBlur="capitalize(this);" maxlength=12 type="text" /></td></tr> </table> Password: <table> <tr><td><input class="text" name="passwd" maxlength=8 type="password" /></td></tr> <tr><td align="center"><br/> <input class="text" type="submit" name="submitbt" value="Login" /> </td></tr> </table> and the following checkpw.php: <?php // Clean up the input values $post = filter_input_array(INPUT_POST, array( 'name' => FILTER_SANITIZE_STRING, 'pw' => FILTER_SANITIZE_STRING, )); if (is_null($post) || in_array(null, $post)) { header("location:login.php"); return; // missing fields (or failed filter) } // pw is the password sent from the form $pw=$_POST['passwd']; $name=$_POST['name']; if($pw == 'testpass'){ header("location:index.php"); } else { header("location:wrong.php"); } ?> Is this a secure way to ensure the form is sent to the server and executed ONLY after the input values have been sanitized? Also, the $name value i want to pass it to index.php file. I insert a code in the index.php as follow: <?php echo $name ?> But it's empty. Any idea how to resolve it?

Read the article
Why does PDO print my password when the connection fails?

- by Joe Hopfgartner

I have a simple website where I establish a connection to a Mysql server using PDO. $dbh = new PDO('mysql:host=localhost;dbname=DB;port=3306', 'USER', 'SECRET',array(PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES utf8")); I had some traffic on my site and the servers connection limit was reached, and the website throw this error, with my PLAIN password in it! Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[08004] [1040] Too many connections' in /home/premiumize-me/html/index.php:64 Stack trace: #0 /home/premiumize-me/html/index.php(64): PDO-__construct('mysql:host=loca...', 'USER', 'SECRET', Array) #1 {main} thrown in /home/premiumize-me/html/index.php on line 64 Ironically I switched to PDO for security reasons, this really shocked me. Because this exact error is something you can provoke very easily on most sites using simple http flooding. I now wrapped my conenction into a try/catch clause, but still. I think this is catastrophic! So I am new to PDO and my questino is: What do I have to consider to be safe! How to I establish a connection in a secure way? Are there other known security holes like this one that I have to be aware of?

Read the article
getting windows username with javascript

- by jbkkd

I have a site which is built in ASP.net and C#. Let's call it webapp. it uses a Form system to log on into it, and cannot be changed easliy. I got a request to change the log in to some kind of windows authentication. I'll explain. Our windows login uses active directory for users to log into their windows account. their login name is sXXXXXXX. X are numbers. in my webapp, I want to take the users numbers from their active directory login, and check if those exist in the webapp database. if it exists, they will automatically log in. If it doesn't, they will be referred to the regular login page for the webapp system which is currently in use. I tried changing my IIS to disable anonymous login and enabling windows authentication, therefore making the user browser to send it's current logged in user name to my webapp. I changed the web config as well from "Forms" to "Windows", which made my whole webapp obsolete as the whole forms system did not work. My question is this - is there a different way for the browser only to send the username to my webapp? I thought maybe javascript, I just don't know how to implement that, if it's even possible. I know it's not very secure, but all this platform and system is built outside the internet, it's on a private network.

Read the article
PHP Mailer Class - Securing Email Credentials

- by Alan A

I am using the php mailer class to send email via my scripts. The structure is as follows: $mail = new PHPMailer; $mail->IsSMTP(); // Set mailer to use SMTP $mail->Host = 'myserver.com'; // Specify main and backup server $mail->SMTPAuth = true; // Enable SMTP authentication $mail->Username = '[email protected]'; // SMTP username $mail->Password = 'user123'; // SMTP password $mail->SMTPSecure = 'pass123'; It seems to me to be a bit of a security hole having the mailbox credentials in plain view. So I thought I might put these in an external file outside of the web root. My question is how would I then assign the $mail object these values. I of course no how to use include and/or requires... would it simple be a case of.... $mail->IsSMTP(); // Set mailer to use SMTP $mail->Host = 'myserver.com'; // Specify main and backup server $mail->SMTPAuth = true; // Enable SMTP authentication includes '../locationOutsideWebroot/emailCredntials.php'; $mail->SMTPSecure = 'pass123'; Then emailCredentails.php: <?php $mail->Username = '[email protected]'; $mail->Password = 'user123'; ?> Would this be sufficient and secure enough? Thanks, Alan.

Read the article
Discussion - Allowing / blocking user access to pages / Client Side Validation (Client Side Only!) -

- by Ozaki

TLDR Using plain HTML / Javascript (Client Side) I want to prevent viewing of certain pages. The user will have to type a username and password and depending on that they get access to different pages. Answers can NOT include server side whatsoever It does not matter if they can break it easily. There is no sensitive information etc. Also the target audience will not have access to internet OR probably know what a cookie is... At some point the user will have to type username / password.(I can define the cookie here) Currently I thought of using cookies to set a cookie for each page to say "true" / "false" but that would get messy with so many cookies. Or setting an array within a cookie for each page? I have div field "#Content" which as it looks encompasses all of my content on the page so blocking out content will be as simple as replacing it with ("sorry you don't have access") etc. For Example: $.cookie("Access","page1, page2, page3"{ expires: 1 }); I am looking for anyway to do this does not have to be with cookies. Would be nice to get a discussion of different ways this can be done. So the question is: What do YOU think would be a good way to go about doing this with client side validation? Also on another note discussion on how to make client side more secure or ways to do so are acceptable.

Read the article
How does an ASP.NET programmer go from working on/developing existing sites, to creating one from sc

- by SLC

I've been an ASP.NET developer for some time, always working on existing ASP.NET pages, modifying functionality, adding features, tweaking things etc. but have never built a site up from scratch. I've read books on ASP.NET, and they generally talk you through the various features of ASP.NET with a mock up site, but it's always very basic and they jump straight in. The time has come however, to write a site from scratch for a client. I've never done this before. There are design considerations, but like a lot of ASP.NET sites, the basic idea is, you have a site, where users can log in, and save some information like their name and password and address. The site has some functionality, but that's the basic design of a majority of (business-related) asp.net websites I would wager. I know how to program in ASP.NET already on an existing site, but I don't know how to design my own properly that meets the criteria above. I guess the main worry is security. I don't know the best way to handle a simple log-in system that stores user information like their name and password. I understand there are a few approaches to this, but the catch with this project is that it has to be absolutely bulletproof. Maximum security. All those good practices for security, it needs to have them all. I'm not asking what they are, but I am asking where to begin. What should be the first steps after I do File New Project ? Where can I look for information about setting up a secure ASP.NET website? I'll figure out the content and page layout later, it's the framework that is the big thing. Any and all advice would be welcome. I really want to get my first from-scratch project right from the beginning. Just to confuse things, it's possible I will be using MVC, I am not sure if this has any impact.

Read the article
Will these security functions be enough? (PHP)

- by ggfan

I am trying to secure my site so I don't have sql injections and xss scripting. Here's my code. //here's the from, for brevity, i just show a field for users to put firstname <form> <label for="first_name" class="styled">First Name:</label> <input type="text" id="first_name" name="first_name" value="<?php if (!empty($first_name)) echo $first_name; ?>" /><br /> //submit button etc </form> if (isset($_POST['submit'])) { //gets rid of extra whitesapce and escapes $first_name = mysqli_real_escape_string($dbc, trim($_POST['first_name'])); //check if $first_name is a string if(!is_string($first_name) { echo "not string"; } //then insert into the database. ....... } mysqli_real_espace_string: I know that this func escapes certain letters like \n \r, so when the data gets inputted into the dbc, it would have '\' next to all the escaped letters? --Will this script be enough to prevent most sql injections? just escaping and checking if the data is a string. For integers values(like users putting in prices), i just: is_numeric(). --How should I use htmlspecialchars? Should I use it only when echoing and displaying user data? Or should I also use this too when inputting data to a dbc? --When should I use strip_tags() or htmlspecialchars? SOO with all these function... if (isset($_POST['submit'])) { //gets rid of extra whitesapce and escapes $first_name = mysqli_real_escape_string($dbc, trim($_POST['first_name'])); //check if $first_name is a string if(!is_string($first_name) { echo "not string"; } //gets rid of any <,>,& htmlspecialchars($first_name); //strips any tags with the first name strip_tags($first_name) //then insert into the database. ....... } Which funcs should I use for sql injections and which ones should I use for xss?

Read the article
Active Directory Incorrect password attempts double counting

- by Hidayath

Hi I am using the following C# code to connect to active directory and validate the login, DirectoryEntry de = new DirectoryEntry(); string username = "myuser", path = "LDAP://addev2.dev.mycompany.com/CN=myuser,DC=dev,DC=mycompany,DC=com", password = "test"; for (int i = 0; i < 4;i++ ) { try { de.AuthenticationType = AuthenticationTypes.Sealing | AuthenticationTypes.Secure | AuthenticationTypes.FastBind; de.Username = username; de.Password = password; de.Path = path; //de.RefreshCache(); Object obj = de.NativeObject; } catch (Exception ex) { Console.WriteLine(ex.Message); } this works fine when the password is correct. However when the password is incorrect this shows as 2 invalid attempts in AD. So what happens is when the AD admin allows 5 invalid attempts the user is locked out on the 3rd attempt. when i look in the AD's event log 1 see 2 entries. 1)Pre-authentication failed: 2)Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: [email protected] Source Workstation: WKSXXXX Error Code: 0xC000006A Stepping thro the code i see 2 event entries on the line de.RefreshCache() I tried using de.NativeObject to see if that would solve the problem. No Dice Anyone have any pointers?

Read the article
Need help with transferring data between MySQL db's using PHP

- by JM4

In one of the sites I manage, the client has decided to take on ACH/Bank Account administration where it was previously outsourced. As a result, the information submitted in our online form which used to simply store in a single database for processing now must sit in 'limbo' until the funds used for payment have been verified. My original plan is as follows: At the end of an enrollment, all form data is collected and stored in a single MySQL database. Our internal administrator will receive an email notification reminding him enrollments have taken place. He will process the ACH information collected and wait the 3-4 business days needed for payment to clear. Once the payment information has been returned as Good (haven't considered what I will do with the 'bad' yet), the administrator can log into a secure portal which allows him to click a button to 'process' the full information once compared and verified. the process is simplified as: Enrollment complete: data stored in DB 'A' Funds verified and link clicked: data from 'A' is copied to DB 'B' and 'A' is deleted. I have run similar processes with CSV output before and simply used //transfers old data to archive $transfer = mysql_query('INSERT INTO '.$archive.' SELECT * FROM '.$table) or die(mysql_error()); //empties existing table $query = mysql_query('TRUNCATE TABLE '.$table) or die(mysql_error()); but in those cases, ALL data returned was copied and deleted. I only want to copy and delete a single record. Any idea how to accomplish this?

Read the article
How security of the systems might be improved using database procedures?

- by Centurion

The usage of Oracle PL/SQL procedures for controlling access to data often emphasized in PL/SQL books and other sources as being more secure approach. I'v seen several systems where all business logic related with data is performed through packages, procedures and functions, so application code becomes quite "dumb" and is only responsible for visualization part. I even heard some devs call such approaches and driving architects as database nazi :) because all logic code resides in database. I do know about DB procedure performance benefits, but now I'm interested in a "better security" when using thick client model. I assume such design mostly used when Oracle (and maybe MS SQL Server) databases are used. I do agree such approach improves security but only if there are not much users and every system user has a database account, so we might control and monitor data access through standard database user security. However, how such approach could increase the security for an average web system where thick clients are used: for example one database user with DML grants on all tables, and other users are handled using "users" and"user_rights" tables? We could use DB procedures, save usernames into context use that for filtering but vulnerability resides at the root - if the main database account is compromised than nothing will help. Of course in a real system we might consider at least several main users (for example frontend_db_user, backend_db_user).

Read the article
make java plugin use the browser certificates

- by Shalom938

We have a java applet that communicates with a spring application running on tomcat and using spring's http invoker. We want to secure the applet using ssl with client authentication, we have a jsp page for login, after successful login the applet loads. The jsp page is secured with ssl, when the applet loads the http invoker inside the applet is doing a second handshake apparently not related to the browser handshake, OK, I don't mind that, but I want the java plugin to use browser certificates and client certificates but its not, I have to load the client certificate to the java plugin also using the java ControlPanel, and if my server's certificate is self signed then I have to load the server certificate also to the java ControlPanel and to the nrowser. Another thing is when the applet starts loading the java plugin pops a dialog asking for the client keystore password, I would like to avoid that. So to conclude: I would like the java plugin to use the browser's trusted certificates and client certificates, and to avoid the keystore password dialog that pops up. I have googled for it for two days and can't find any clue of how to accomplish that. I will appreciate any help. I'm using jdk 1.6.0 u23 and firefox 3.6.13.

Read the article
Python script web service timeout

- by Robert

We have had a Python script running for many months now that simply scans through a directory of files, and posts each file to our web site via a web service call. The web site is also written in Python. For no apparent reason, this morning this script started throwing the following error: urllib2.URLError: <urlopen error (10060, 'Operation timed out')> The site itself is up and running just fine. There are no indications of any errors. The developer that was working on this site is no longer with us, and we do not have a strong Python developer on staff as we are moving away from that. Before I do an all nighter and rewrite this thing in C#, I wanted to see if anyone had any experience dealing with this issue. I do know that the script is connecting to a secure site (HTTPS), so I am not sure if something has come up with that, and I honestly dont know where to look to determine that. As I said before, the site itself isn't showing any signs of error, including SSL. Any thoughts?

Read the article
PHP login, getting wrong count value from query / fetch array

- by Chris

Hello, *EDIT*Thanks to the comments below it has been figured out that the problem lies with the md5, without everything works as it should. But how do i implent the md5 then? I am having some troubles with the following code below to login. The database and register system are already working. The problem lies that it does not find any result at all in the query. IF the count is 0 it should redirect the user to a secured page. But this only works if i write count = 0, but this should be 0 , only if the user name and password is found he should be directed to the secure (startpage) of the site after login. For example root (username) root (password) already exists but i cannot seem to properly login with it. <?php session_start(); if (!empty($_POST["send"])) { $username = ($_POST["username"]); $password = (md5($_POST["password"])); $count = 0; $con = mysql_connect("localhost" , "root", ""); mysql_select_db("testdb", $con); $result = mysql_query("SELECT name, password FROM user WHERE name = '".$username."' AND password = '".$password."' ") or die("Error select statement"); $count = mysql_num_rows($result); if($count > 0) // always goes the to else, only works with >=0 but then the data is not found in the database, hence incorrect { $row = mysql_fetch_array($result); $_SESSION["username"] = $row["name"]; header("Location: StartPage.php"); } else { echo "Wrong login data, please try again"; } mysql_close($con); } ?>

Read the article
Redirecting http to https for a directory, via .htaccess, using mod_alias only

- by Belinda

I have the common problem of wanting to redirect requests for a certain restricted access directory from http to https, so that users' login credentials are sent in a secure way. However, I do not have mod_rewrite enabled on my server. I only have mod_alias. This means I have to use the RedirectMatch command. I can't use the usual solutions that use RewriteCond and RewriteRule. (A note on the politics: I am a small-fry subsite maintainer in a very large organisation, so the server admins are unlikely to be willing to change the server config for me!) The following line works, but forms an infinite loop (because the rewritten URL is still caught by the initial regular expression): RedirectMatch permanent ^/intranet(.*)$ https://example.com/intranet$1 One of my internal IT guys has suggested I avoid the infinite loop by moving the files to a new directory with a new name (eg /intranet2/). That seems pretty ugly to me. And people could still accidentally/deliberately revert to an insecure connection by visiting http://example.com/intranet2/ directly. Then I tried this, but it didn't work: RedirectMatch permanent ^http:(.*)/intranet(.*)$ https://example.com/intranet$1 I suspect it didn't work because the first argument must be a file path from the root directory, so it can't start with "http:". So: any better ideas how to do this?

Read the article
Building html structure in php or javascript?

- by Adam

I've been doing a lot of ajax calls and using the returned data to build html with javascript. However, I've noticed some people are returning the constructed html in the ajax calls since they're doing it all in php. What is the preferred method? I have a bunch of stuff already using javascript, so I guess I would prefer not changing everything to use just php. But, I'm assuming php would be more "secure."? The following is what I've been doing: $main_frag = $("<div class='order-container'/>"); $contact_frag = $("<div class='group'><div class='line-data'>Name: "+data.name+"</div><div class='line-data'>Email: "+data.email+"</div><div class='line-data'>Phone: "+data.phone+"</div></div>"); $address_frag = $("<div class='group'><div class='line-data'>Address 1: "+data.address_one+"</div><div class='line-data'>Address 2: "+address2+"</div><div class='line-data'>City: "+data.city+"</div><div class='line-data'>Province: "+data.province+"</div><div class='line-data'>Postal Code: "+data.postal+"</div></div>"); etc.. I just want to hear the opinions of the community.

Read the article
PHP | Online Notepad

- by user2947423

I recently made a Chat application in Visual Basic using PHP. I used this code: <?php $msg = $_GET['w']; $logfile= 'Chats.php'; $fp = fopen($logfile, "a"); fwrite($fp, $msg); fclose($fp); ?> I'm now trying to make a Online Notepad. What i want to do is in Visual Basic create a unique ID. That unique ID, has to be his filename. I'm not very good with PHP so what i want to know is: I want the unique ID to be the filename of the "Note". Like: $logfile= '{uniqueID.php}'; Whenever the user opens the program, it'll open his uniqueID.php file and he can edit that in my program. Long Story Short (TL;DR) Program generates uniqueID uniqueID is going to be a new file; {uniqueID}.php On next open it will check if {uniqueID}.php of him/her exists else it will make a new one. I know this isn't really secure but it's to learn something for myself.

Read the article
Hide form if javascript disabled

- by Kero

I need to check on disabling JavaScript if the user disabled JavaScript from browser or firewall or any other place he will never show the form. I have lots of search and solutions, but unfortunately didn't got the right one. - Using style with no-script tag: This one could be broke with removing style... <noscript> <style type="text/css"> .HideClass { display:none; } </style> </noscript> The past code will work just fine but there is lots of problems in no-script tag as here Beside that i don't want to redirect user with no-script tag too...Beside that i can quickly stop loading the page to broke this meta or disable Meta tag from IE: <meta http-equiv="refresh" content="0; URL=Frm_JavaScriptDisable.aspx" /> Another way to redirect user with JavaScript but this will work let's say for 99% of users and this one isn't lovely way and will slow down the website... window.location="http://www.location.com/page.aspx"; Is there is any other ideas or suggestions to secure working with JavaScript...and prevent user from entering the website or see my form except when JavaScript enabled...

Read the article

< Previous Page | 146 147 148 149 150 151 152 153 154 155 156 157 | Next Page >