Search Results

Search found 5533 results on 222 pages for 'child protection'.

Page 17/222 | < Previous Page | 13 14 15 16 17 18 19 20 21 22 23 24  | Next Page >

  • Rails request forgery protection settings

    - by Vitaly
    Hey, please help a newbie in Rails :) I have protect_from_forgery call (which is given by default) with no attributes in my ApplicationController class. Basically here's the code: class ApplicationController < ActionController::Base helper :all # include all helpers, all the time protect_from_forgery helper_method :current_user_session, :current_user filter_parameter_logging :password, :password_confirmation What I assume it should do is: it should prevent any POST requests without correct authenticity_token. But when I send post request with jQuery like the one below, it works fine (there's update statement that is executed in the database)! $.post($(this).attr("href"), { _method: "PUT", data: { test: true } }); I see in console that there's no authenticity_token among sent parameters, but request is still considered valid. Why is that?

    Read the article

  • CSRF Protection in AJAX Requests using MVC2

    - by mnemosyn
    The page I'm building depends heavily on AJAX. Basically, there is just one "page" and every data transfer is handled via AJAX. Since overoptimistic caching on the browser side leads to strange problems (data not reloaded), I have to perform all requests (also reads) using POST - that forces a reload. Now I want to prevent the page against CSRF. With form submission, using Html.AntiForgeryToken() works neatly, but in AJAX-request, I guess I will have to append the token manually? Is there anything out-of-the box available? My current attempt looks like this: I'd love to reuse the existing magic. However, HtmlHelper.GetAntiForgeryTokenAndSetCookie is private and I don't want to hack around in MVC. The other option is to write an extension like public static string PlainAntiForgeryToken(this HtmlHelper helper) { // extract the actual field value from the hidden input return helper.AntiForgeryToken().DoSomeHackyStringActions(); } which is somewhat hacky and leaves the bigger problem unsolved: How to verify that token? The default verification implementation is internal and hard-coded against using form fields. I tried to write a slightly modified ValidateAntiForgeryTokenAttribute, but it uses an AntiForgeryDataSerializer which is private and I really didn't want to copy that, too. At this point it seems to be easier to come up with a homegrown solution, but that is really duplicate code. Any suggestions how to do this the smart way? Am I missing something completely obvious?

    Read the article

  • Best Practices / Patterns for Enterprise Protection/Remediation of SSNs (Social Security Numbers)

    - by Erik Neu
    I am interested in hearing about enterprise solutions for SSN handling. (I looked pretty hard for any pre-existing post on SO, including reviewing the terriffic SO automated "Related Questions" list, and did not find anything, so hopefully this is not a repeat.) First, I think it is important to enumerate the reasons systems/databases use SSNs: (note—these are reasons for de facto current state—I understand that many of them are not good reasons) Required for Interaction with External Entities. This is the most valid case—where external entities your system interfaces with require an SSN. This would typically be government, tax and financial. SSN is used to ensure system-wide uniqueness. SSN has become the default foreign key used internally within the enterprise, to perform cross-system joins. SSN is used for user authentication (e.g., log-on) The enterprise solution that seems optimum to me is to create a single SSN repository that is accessed by all applications needing to look up SSN info. This repository substitutes a globally unique, random 9-digit number (ASN) for the true SSN. I see many benefits to this approach. First of all, it is obviously highly backwards-compatible—all your systems "just" have to go through a major, synchronized, one-time data-cleansing exercise, where they replace the real SSN with the alternate ASN. Also, it is centralized, so it minimizes the scope for inspection and compliance. (Obviously, as a negative, it also creates a single point of failure.) This approach would solve issues 2 and 3, without ever requiring lookups to get the real SSN. For issue #1, authorized systems could provide an ASN, and be returned the real SSN. This would of course be done over secure connections, and the requesting systems would never persist the full SSN. Also, if the requesting system only needs the last 4 digits of the SSN, then that is all that would ever be passed. Issue #4 could be handled the same way as issue #1, though obviously the best thing would be to move away from having users supply an SSN for log-on. There are a couple of papers on this: UC Berkely: http://bit.ly/bdZPjQ Oracle Vault: bit.ly/cikbi1

    Read the article

  • Password/Key protection

    - by user221919
    hi I am implementing paymentgateways and I need to protect its key and password for security reason. also some webservices keys and password in asp.net. Please help me to do as mention. waiting for your valuable thought. Thanking You.

    Read the article

  • Domain Transfer Protection - need advice

    - by Jack
    Hey, I am about to purchase a domain name for a bit of money. I do not personally know the person who I am purchasing the domain name from, we have only chatted via email. The proposed process for the transfer is: The owner of the domain lowest the domain name security and emails me the domain password, I request the transfer After the request, I transfer the money via PayPal When the money has been cleared the current domain name owner confirms the transfer via the link that he receives in that email I wait for it to be transferred. The domain is currently registered with DirectNIC - http://www.directnic.com/ Is this the best practice? Seeing I am paying a bit of money for this domain name, I am worried that after the money has been cleared that I won't see the domain name or hear from the current domain name owner again. Is there a 'domain governing body' which I can report to if this is the case? Is the proposed transfer process the best solution? Any advice would be awesome. Thanks! Jack

    Read the article

  • image protection in rails

    - by Cezar
    Hello, I am looking for ways to protect my product images and I don't know if there's anything out there better than what I've already found: disable right click, use a transparent image in front of your picture and watermarking. Obviously none of them is perfect but I was curious if someone came up with a better solution to this problem. Also is there any rails plugin to aid with that ? Thanks

    Read the article

  • Flash Media Server Streaming: Content Protection

    - by dbemerlin
    Hi, i have to implement flash streaming for the relaunch of our video-on-demand system but either because i haven't worked with flash-related systems before or because i'm too stupid i cannot get the system to work as it has to. We need: Per file & user access control with checks on a WebService every minute if the lease time ran out mid-stream: cancelling the stream rtmp streaming dynamic bandwidth checking Video Playback with Flowplayer (existing license) I've got the streaming and bandwidth check working, i just can't seem to get the access control working. I have no idea how i know which file is played back or how i can play back a file depending on a key the user has entered. Server-Side Code (main.asc): application.onAppStart = function() { trace("Starting application"); this.payload = new Array(); for (var i=0; i < 1200; i++) { this.payload[i] = Math.random(); //16K approx } } application.onConnect = function( p_client, p_autoSenseBW ) { p_client.writeAccess = ""; trace("client at : " + p_client.uri); trace("client from : " + p_client.referrer); trace("client page: " + p_client.pageUrl); // try to get something from the query string: works var i = 0; for (i = 0; i < p_client.uri.length; ++i) { if (p_client.uri[i] == '?') { ++i; break; } } var loadVars = new LoadVars(); loadVars.decode(p_client.uri.substr(i)); trace(loadVars.toString()); trace(loadVars['foo']); // And accept the connection this.acceptConnection(p_client); trace("accepted!"); //this.rejectConnection(p_client); // A connection from Flash 8 & 9 FLV Playback component based client // requires the following code. if (p_autoSenseBW) { p_client.checkBandwidth(); } else { p_client.call("onBWDone"); } trace("Done connecting"); } application.onDisconnect = function(client) { trace("client disconnecting!"); } Client.prototype.getStreamLength = function(p_streamName) { trace("getStreamLength:" + p_streamName); return Stream.length(p_streamName); } Client.prototype.checkBandwidth = function() { application.calculateClientBw(this); } application.calculateClientBw = function(p_client) { /* lots of lines copied from an adobe sample, appear to work */ } Client-Side Code: <head> <script type="text/javascript" src="flowplayer-3.1.4.min.js"></script> </head> <body> <a class="rtmp" href="rtmp://xx.xx.xx.xx/vod_project/test_flv.flv" style="display: block; width: 520px; height: 330px" id="player"> </a> <script> $f( "player", "flowplayer-3.1.5.swf", { clip: { provider: 'rtmp', autoPlay: false, url: 'test_flv' }, plugins: { rtmp: { url: 'flowplayer.rtmp-3.1.3.swf', netConnectionUrl: 'rtmp://xx.xx.xx.xx/vod_project?foo=bar' } } } ); </script> </body> My first Idea was to get a key from the Query String, ask the web service about which file and user that key is for and play the file but i can't seem to find out how to play a file from server side. My second idea was to let flowplayer play a file, pass the key as query string and if the filename and key don't match then reject the connection but i can't seem to find out which file it's currently playing. The only remaining idea i have is: create a list of all files the user is allowed to open and set allowReadAccess or however it was called to allow those files, but that would be clumsy due to the current infrastructure. Any hints? Thanks.

    Read the article

  • Java Client .class File Protection

    - by Zac
    I am in the requirements phase of building a JEE application that will most likely run on a GlassFish/JBoss backend (doesn't matter for now). I know I shouldn't be thinking about architecture at requirements time, but one can't help but start to imagine how the components would all snap together :-) Here are some hard, non-flexible requirements on the client-side: (1) The client application will be a Swing box (2) The client is free to download, but will use a subscription model (thus requiring a login mechanism with server-side authentication/authorization, etc.) (3) Yes, Java is the best platform solution for the problem at hand for reasons outside the scope of this post (4) The client-side .class files need safeguarding against decompiling That last (4th) requirement is the basis of this post. I'm not really worried about someone actually decompiling and getting at my source code: in the end, it's just Swing controls driven by some lightweight business logic. I'm worried about a scenario where someone decompiles my code, modifies it to exploit/attack the server, re-compiles, and fires it up. I've envisioned all sorts of nasty solutions, but didn't know if this was a common problem with a common solution for JEE developers. Any thoughts? Not interested in "code obfuscation" techniques! Thanks for any input!

    Read the article

  • Preventing HTML character entities in locale files from getting munged by Rails3 xss protection

    - by Chris S
    We're building an app, our first using Rails 3, and we're having to build I18n in from the outset. Being perfectionists, we want real typography to be used in our views: dashes, curled quotes, ellipses et al. This means in our locales/xx.yml files we have two choices: Use real UTF-8 characters inline. Should work, but hard to type, and scares me due to the amount of software which still does naughty things to unicode. Use HTML character entities (&#8217; &#8212; etc). Easier to type, and probably more compatible with misbehaving software. I'd rather take the second option, however the auto-escaping in Rails 3 makes this problematic, as the ampersands in the YAML get auto-converted into character entities themselves, resulting in 'visible' &8217;s in the browser. Obviously this can be worked around by using raw on strings, i.e.: raw t('views.signup.organisation_details') But we're not happy going down the route of globally raw-ing every time we t something as it leaves us open to making an error and producing an XSS hole. We could selectively raw strings which we know contain character entities, but this would be hard to scale, and just feels wrong - besides, a string which contains an entity in one language may not in another. Any suggestions on a clever rails-y way to fix this? Or are we doomed to crap typography, xss holes, hours of wasted effort or all thre?

    Read the article

  • d2: strange lowering of protection and possible misbehavior in static imports

    - by modchan
    Consider there is moda.d: module moda; private struct modb {}; And modb.d: module modb; private import moda; And modmain.d: module modmain; static import moda; static import modb; void main() { modb v; // should NOT compile, should it? } I don't know why, but moda.modb is visible in both modmain and modb, while, as far as I understand, it should not - both due to moda being imported as static and moda.modb being private. Or should? Have I run into dmd bug or it's planned behaviour I hadn't understood?

    Read the article

  • Subversion: Write protection for tagged directories

    - by Alexander
    Hi, i am using subversion as RCS. Always when a new version of my project is finised i create a tag of it (copy of the trunk). Does anybody know how i can protect this tagged directory from being accidentally modified? At the moment as a workaround i lock all files. But this sill means that the user with the lock can edit the files. Is there any better solution?

    Read the article

  • PHP -- automatic SQL injection protection?

    - by ashgromnies
    I took over maintenance of a PHP app recently and I'm not super familiar with PHP but some of the things I've been seeing on the site are making me nervous that it could be vulnerable to a SQL injection attack. For example, see how this code for logging into the administrative section works: $password = md5(HASH_SALT . $_POST['loginPass']); $query = "SELECT * FROM `administrators` WHERE `active`='1' AND `email`='{$_POST['loginEmail']}' AND `password`='{$password}'"; $userInfo = db_fetch_array(db_query($query)); if($userInfo['id']) { $_SESSION['adminLoggedIn'] = true; // user is logged in, other junk happens here, not important The creators of the site made a special db_query method and db_fetch_array method, shown here: function db_query($qstring,$print=0) { return @mysql(DB_NAME,$qstring); } function db_fetch_array($qhandle) { return @mysql_fetch_array($qhandle); } Now, this makes me think I should be able to do some sort of SQL injection attack with an email address like: ' OR 'x'='x' LIMIT 1; and some random password. When I use that on the command line, I get an administrative user back, but when I try it in the application, I get an invalid username/password error, like I should. Could there be some sort of global PHP configuration they have enabled to block these attacks? Where would that be configured? Here is the PHP --version information: # php --version PHP 5.2.12 (cli) (built: Feb 28 2010 15:59:21) Copyright (c) 1997-2009 The PHP Group Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies with the ionCube PHP Loader v3.3.14, Copyright (c) 2002-2010, by ionCube Ltd., and with Zend Optimizer v3.3.9, Copyright (c) 1998-2009, by Zend Technologies

    Read the article

  • htaccess password protection and mod-rewrite?

    - by mathiregister
    hey guys, i wonder how i can solve the following problem. on the root directory of my server lies a file calles upload.php i want to be able to add a "/upload" (without .php) to my URL and the browser should ask for a password (and maybe username if possible). I i enter the password (and username) correctly upload.php should be opened. Is this possible with htaccess?

    Read the article

  • Quick CPU ring mode protection question

    - by b-gen-jack-o-neill
    Hi, me again :) I am very curious in messing up with HW. But my top level "messing" so far was linked or inline assembler in C program. If my understanding of CPU and ring mode is right, I cannot directly from user mode app access some low level CPU features, like disabling interrupts, or changing protected mode segments, so I must use system calls to do everything I want. But, if I am right, drivers can run in ring mode 0. I actually don´t know much about drivers, but this is what I ask for. I just want to know, is learning how to write your own drivers and than call them the way I should go, to do what I wrote? I know I could write whole new OS (at least to some point), but what I exactly want to do is acessing some low level features of HW from standart windows application. So, is driver the way to go?

    Read the article

  • How do I password protect my printer in Windows 7?

    - by Dillie-O
    I have two young kids who have gotten rather computer saavy. They love playing their games, especially when it allows them to print out awards or coloring pages. Unfortunately this means that in the time it takes to refresh my cup of coffee, they can easily drop a 10 page document into the printer queue, and my printer ink runs out rather fast. How would I setup some kind of password protection on the printing, so that I would have to do some kind of final approval before they get their printouts?

    Read the article

  • .htaccess or PHP protection code against multiple speedy requests

    - by Phil Jackson
    Hi, I am looking for ideas for how I can stop external scripts connecting with my site. I'm looking for the same kind of idea behind Google. As in if a certain amount of requests are made per a certain amount of time then block the IP address or something. I thought there maybe a htaccess solution if not, I will write a PHP one. Any ideas or links to existing methods or scripts is much appreciated. Regards Phil

    Read the article

  • direct file download protection

    - by Ahmet vardar
    Hi, I have a folder for downloads on my server, i want to prevent direct access to that folder so i am makin it pass-protected with htaccess and i will push download with a php script. But i have some questions regarding mkdir and file_exists Do mkdir and file_exists works good for pass-protected folders ? and would i get any error while uploading file to that folder ? AND is this a good way of preventing direct access ? thanks

    Read the article

  • Google App Engine + AWS S3 file protection!

    - by grep
    Hi all, I have an application running on GAE/J that streams video from AWS S3. I need a solution for protecting the video from being stolen and I found that pre-signed URLs might be it (??). How can I create pre-signed URLs from GAE/J or there's a better solution to secure the videos? thanks

    Read the article

  • Child data grid is not showing the values in the page

    - by prince23
    hi, Child data grid is not showing the values in the page for the child datagrid I am binding with an list <sdk:DataGrid MinHeight="100" x:Name="contacts" Margin="51,21,88,98" RowDetailsVisibilityChanged="contacts_RowDetailsVisibilityChanged" LoadingRowDetails="contacts_LoadingRowDetails" RowDetailsVisibilityMode="VisibleWhenSelected" MouseLeftButtonUp="contacts_MouseLeftButtonUp" MouseLeftButtonDown="contacts_MouseLeftButtonDown"> <sdk:DataGrid.Columns> <sdk:DataGridTextColumn Binding="{Binding EmployeeID}" Header="ID" /> <sdk:DataGridTextColumn Binding="{Binding EmployeeFName}" Header="Fname" /> <sdk:DataGridTextColumn Binding="{Binding EmployeeLName}" Header="LName" /> <sdk:DataGridTextColumn Binding="{Binding EmployeeMailID}" Header="MailID" /> </sdk:DataGrid.Columns> <sdk:DataGrid.RowDetailsTemplate> <DataTemplate> <sdk:DataGrid x:Name="dgrdRowDetail" Width="200" AutoGenerateColumns="False" HorizontalAlignment="Center" IsReadOnly="True"> <sdk:DataGrid.Columns> <sdk:DataGridTextColumn Header="CompanyName" Binding="{Binding Company name}"/> <sdk:DataGridTextColumn Header="CompanyName" Binding="{Binding EmpID}"/> </sdk:DataGrid.Columns> </sdk:DataGrid> </DataTemplate> </sdk:DataGrid.RowDetailsTemplate> </sdk:DataGrid> I am having 2 grids "contacts" and "dgrdRowDetail" globally i have defined an variable like this:- DataGrid dgrdRowDetail; in the contacts_RowDetailsVisibilityChanged event I have this code if (e.Row.DataContext != null) { string strEmpID = ((SilverlightApplication1.DBServiceEMP.Employee)((e.DetailsElement).DataContext)).EmployeeID; dgrdRowDetail = (DataGrid)e.DetailsElement.FindName("dgrdRowDetail"); // here i am finding the child datgrid control in contacts datagrid // then in dgrdRowDetail i will be binding this grid with new values if (strEmpID != null) { int EmpID = Convert.ToInt32(strEmpID.ToString()); DBServiceEmp.GetEmployeeIDCompleted += new EventHandler<GetEmployeeIDCompletedEventArgs>(DBServiceEmp_GetEmployeeIDCompleted); DBServiceEmp.GetEmployeeIDAsync(EmpID); } } this is my method void DBServiceEmp_GetEmployeeIDCompleted(object sender, GetEmployeeIDCompletedEventArgs e) { // List<Employee> Employes = new List<Employee>(); List<Employee> rows = new List<Employee>(); for (int i = 0; i < e.Result.Count; i++) { rows.Add(e.Result[i]); } dgrdRowDetail.ItemsSource = rows; // here i am binding the child datagrid with new data source } dgrdRowDetail.ItemsSource = rows// what ever rows i am binding to dgrdRowDetail are not shown in the page if i check the rows i am able to see the value ther. but in the child grid it is not reflecting plz plz help me out i am struck thanks in advance prince

    Read the article

  • La CNIL donne 3 mois à Google pour modifier sa politique de confidentialité, 36 autorités de protection de données préoccupées par les Google Glass

    La CNIL donne trois mois à Google pour modifier sa politique de confidentialité 36 autorités de protection de données préoccupées par les Google GlassLa CNIL, l'autorité de contrôle en matière de protection des données personnelles a sommé Google de se mettre en conformité par rapport à ses exigences dans un délai de trois mois, sous peine d'être sanctionné.L'action de la CNIL France fait suite à une enquête menée conjointement avec le G9 (groupe des CNIL européennes) sur la politique de confidentialité adoptée par Google depuis mars 2012 pour l'ensemble de ses services. Les CNIL avaient demandé à Google en octobre 2011 d'apporter des modifications à ses règles de confidentialité, avec un délai ...

    Read the article

  • iPhone sdk Cocoa Touch - Pass touches down from parent UIView to child UIScrollview

    - by Joe
    I have a UIView inside my xib in IB and inside that is a UIScrollview that is a small 80x80 square and dynamically loaded with 8 or so 80 x 80 thumbnail images. The UIScrollview is not clipping the images so that they extend out either side so you can swipe left and right to scroll a chosen image into the the centre, paging is on so they snap ti each image. I have researched and found this is the best and possibly only way to do this. The UIScrollview sits in a 'container' UIView for one reason, it is there to receive the touches/swipes and pass them down to it's child the UIScrollview as otherwise all touches would have to start in the small 80x80 UIScrollview area and I wan them to be anywhere along the row of images. I have seen some sample code somewhere for doing this but just can not implement it. Treat me as a noob, starting from beginning to end, how should the UIView and UIScrollview be set up in IB to allow any touches to be passed, and what code should I put into where? The UIView is set up as scroll_container and the child UIScrollview is char_scroll At the moment I have got it all working except for the touches being passed from the parent to the child, and at the moment the touches have to always start inside the UIScrollview (tiny 80x80 box in centre) when I want to be able to swipe left or right in the long 480X80 horizontal parent UIView and have this still scroll the child UIScrollview. Hope you can help and understand what I mean!

    Read the article

< Previous Page | 13 14 15 16 17 18 19 20 21 22 23 24  | Next Page >