Search Results

Search found 835 results on 34 pages for 'attack'.

Page 28/34 | < Previous Page | 24 25 26 27 28 29 30 31 32 33 34  | Next Page >

  • Java Client .class File Protection

    - by Zac
    I am in the requirements phase of building a JEE application that will most likely run on a GlassFish/JBoss backend (doesn't matter for now). I know I shouldn't be thinking about architecture at requirements time, but one can't help but start to imagine how the components would all snap together :-) Here are some hard, non-flexible requirements on the client-side: (1) The client application will be a Swing box (2) The client is free to download, but will use a subscription model (thus requiring a login mechanism with server-side authentication/authorization, etc.) (3) Yes, Java is the best platform solution for the problem at hand for reasons outside the scope of this post (4) The client-side .class files need safeguarding against decompiling That last (4th) requirement is the basis of this post. I'm not really worried about someone actually decompiling and getting at my source code: in the end, it's just Swing controls driven by some lightweight business logic. I'm worried about a scenario where someone decompiles my code, modifies it to exploit/attack the server, re-compiles, and fires it up. I've envisioned all sorts of nasty solutions, but didn't know if this was a common problem with a common solution for JEE developers. Any thoughts? Not interested in "code obfuscation" techniques! Thanks for any input!

    Read the article

  • Payment gateways and XSS

    - by Rowan Parker
    Hi all, I'm working on a website which takes payment from a customer. I'm using Kohana 2.3.4 and have created a library to handle the payment gateway I use (www.eway.com.au). Basically I'm just using their sample code, copied into it's own class. Anyway, the code works fine and I can make payments, etc. The issue I have is when the payment gateway is returning the user to my site. The payment gateway uses HTTPS so that is secure, and it is sending the user back to a HTTPS page on my site. However I have the NoScript plugin installed in Firefox, and when I get sent back to the page on my website (which also handles storing the transaction data) I get an error message saying that NoScript has blocked a potential XSS attack. Now I understand why it's unsecure (POST data being sent across two different domains) but what should I be doing instead? Obviously during my testing here I temporarily disable NoScript and it all works fine, but I can't rely on that for the end users. What's the best practice here?

    Read the article

  • deserialize system.outofmemoryexception

    - by clanier9
    I've got a serializeable class called Cereal with several public fields shown here <Serializable> Public Class Cereal Public id As Integer Public cardType As Type Public attacker As String Public defender As String Public placedOn As String Public attack As Boolean Public placed As Boolean Public played As Boolean Public text As String Public Sub New() End Sub End Class My client computer is sending a new Cereal to the host by serializing it shown here 'sends data to host stream (c1) Private Sub cSendText(ByVal Data As String) Dim bf As New BinaryFormatter Dim c As New Cereal c.text = Data bf.Serialize(mobjClient.GetStream, c) End Sub The host listens to the stream for activity and when something gets put on it, it is supposed to deserialize it to a new Cereal shown here 'accepts data sent from the client, raised when data on host stream (c2) Private Sub DoReceive(ByVal ar As IAsyncResult) Dim intCount As Integer Try 'find how many byte is data SyncLock mobjClient.GetStream intCount = mobjClient.GetStream.EndRead(ar) End SyncLock 'if none, we are disconnected If intCount < 1 Then RaiseEvent Disconnected(Me) Exit Sub End If Dim bf As New BinaryFormatter Dim c As New Cereal c = CType(bf.Deserialize(mobjClient.GetStream), Cereal) If c.text.Length > 0 Then RaiseEvent LineReceived(Me, c.text) Else RaiseEvent CardReceived(Me, c) End If 'starts listening for action on stream again SyncLock mobjClient.GetStream mobjClient.GetStream.BeginRead(arData, 0, 1024, AddressOf DoReceive, Nothing) End SyncLock Catch e As Exception RaiseEvent Disconnected(Me) End Try End Sub when the following line executes, I get a System.OutOfMemoryException and I cannot figure out why this isn't working. c = CType(bf.Deserialize(mobjClient.GetStream), Cereal) The stream is a TCPClient stream. I'm new to serialization/deserialization and using visual studio 11

    Read the article

  • How does a client find the port number of a server?

    - by Jonathan
    Hello all, I am currently learning about basic networking in java. I have been playing around with the server and client relationship between two of my computers. However, I cannot figure out how distributed programs (say, a videogame), can not only find the 'host' computer, but also the port number on which the server is running in order to create a Socket between the two computers. The only way I really see to create a Socket is with an already known IP Address, and with a known port number. How do you search a LAN network for another computer (host) searching for clients? How do you determine what port the server is located on without 'pinging' all available ports for a response (which, I understand, is bad form... Something about 'server attack'...)? In such a situation as a video game, there can be any number of computers on the same network, and any number of them might be attempting to host, or otherwise running the application. Any other important information, or perhaps reference to a more detailed tutorial than the one I am using, regarding making connections on so very little information on the client side would be appreciated. Many thanks, Jonathan

    Read the article

  • Extending the .NET type system so the compiler enforces semantic meaning of primitive values in cert

    - by Drew Noakes
    I'm working with geometry a bit at the moment and am converting a lot between degrees and radians. Unfortunately, both of these are represented by double, so there's compile time warning/error if I try to pass a value in degrees where radians are expected. I believe F# has a compile-time solution for this (called units of measure.) I'd like to do something similar in C#. As another example, imagine a SQL library that accepts various query parameters as strings. It'd be good to have a way of enforcing that only clean strings were allowed to be passed in at runtime, and the only way to get a clean string was to pass through some SQL injection attack preventing logic. The obvious solution is to wrap the double/string/whatever in a new type to give it the type information the compiler needs. I'm curious if anyone has an alternative solution. If you do think wrapping is the only/best way, then please go into some of the downsides of the pattern (and any upsides I haven't mentioned too.) I'm especially concerned about the performance of abstracted primitive numeric types on my calculations at runtime.

    Read the article

  • Strange build issue using Flex Mojo. Looking for troubleshooting suggestions.

    - by WeeJavaDude
    I have ran into a strange issue and I was hoping for some suggeestion on how to attack the problem. Here is the environment. 1) We develop locally using Flex Builder. 2) We use QuickBuild with FlexMojo 3.4.2 for test builds and production 3) In both cases we don't believe optimization is enabled. What we are seeing is some strange behavior relating to the Ctrl-Enter key when doing testing on IE only in our test environment but not locally. By copying some files over locally I have narrowed the issue down to swf files differences. We do see a difference in the size of swf files in our test environment vs our local environments. Couple things that would help me in troubleshooting would be. 1) Is there a way to know what exactly is in the SWF file? What SWCs are included. 2) How does one compare compile settings between a maven mojo configuration and Flex IDE envioronment? Any thoughts or opinions would be very helpful.

    Read the article

  • how can we apply client side validation on fileupload control in ASP.NET to check filename contain s

    - by subodh
    I am working on ASP.NET3.5 platform. I have used a file upload control and a asp button to upload a file. Whenever i try to upload a file which contain special characterlike (file#&%.txt) it show crash and give the messeage Server Error in 'myapplication' Application. A potentially dangerous Request.Files value was detected from the client (filename="...\New Text &#.txt"). Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Files value was detected from the client (filename="...\New Text &#.txt"). Source Error: An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below. how can i prevent this crash using javascript at client side?

    Read the article

  • Any danger in calling flash messages html_safe?

    - by PreciousBodilyFluids
    I want a flash message that looks something like: "That confirmation link is invalid or expired. Click here to have a new one generated." Where "click here" is of course a link to another action in the app where a new confirmation link can be generated. Two drawbacks: One, since link_to isn't defined in the controller where the flash message is being set, I have to put the link html in myself. No big deal, but kind of messy. Number two: In order for the link to actually display properly on the page I have to html_safe the flash display function in the view, so now it looks like (using Haml): - flash.each do |name, message| = content_tag :div, message.html_safe This gives me pause. Everything else I html_safe has been HTML I've written myself in helpers and whatnot, but the contents of the flash hash are stored in a cookie client-side, and could conceivably be changed. I've thought through it, and I don't see how this could result in an XSS attack, but XSS isn't something I have a great understanding of anyway. So, two questions: 1. Is there any danger in always html_safe-ing all flash contents like this? 2. The fact that this solution is so messy (breaking MVC by using HTML in the controller, always html_safe-ing all flash contents) make me think I'm going about this wrong. Is there a more elegant, Rails-ish way to do this? I'm using Rails 3.0.0.beta3.

    Read the article

  • Determining what action an NPC will take, when it is partially random but influenced by preferences?

    - by lala
    I want to make characters in a game perform actions that are partially random but also influenced by preferences. For instance, if a character feels angry they have a higher chance of yelling than telling a joke. So I'm thinking about how to determine which action the character will take. Here are the ideas that have come to me. Solution #1: Iterate over every possible action. For each action do a random roll, then add the preference value to that random number. The action with the highest value is the one the character takes. Solution #2: Assign a range of numbers to an action, with more likely actions having a wider range. So, if the random roll returns anywhere from 1-5, the character will tell a joke. If it returns 6-75, they will yell. And so on. Solution #3: Group all the actions and make a branching tree. Will they take a friendly action or a hostile action? The random roll (with preference values added) says hostile. Will they make a physical attack or verbal? The random roll says verbal. Keep going down the line until you reach the action. Solution #1 is the simplest, but hardly efficient. I think Solution #3 is a little more complicated, but isn't it more efficient? Does anyone have any more insight into this particular problem? Is #3 the best solution? Is there a better solution?

    Read the article

  • Accepting more simultaneous keyboard inputs

    - by unknownthreat
    Sometimes, a normal computer keyboard will only accept user's inputs up to a certain key simultaneously. I got a logitech keyboard that can accept up to 3-4 key presses at the same time. The computer does not accept any more input if you press more than 4 keys for this keyboard. And it also depends on certain areas of your keyboard as well. Some locations allow more key to be pressed (like the arrow keys), while some locations permit you to press only 1-2 keys. This also differs from keyboard to keyboard as well. Some older keyboards only accept up 1-2 keys. This isn't problematic with usual office work, but when it comes to gaming. For instance, imagine a platform game, where you have to jump, attack, and control direction at the same time. This implies several key presses and some keyboards cannot accept such simultaneous input. However, I've tried this on several games and the amount of possible keyboard inputs seem to be also different. Therefore, we have two issues: Keyboards have different amount of simultaneous inputs. Some games can accept more keyboard inputs than other games. At first, I thought this is hardware only problem, but why do some programs behave differently? Why some programs can accept more keyboard inputs than other programs? So how can we write our programs to accept more keyboard inputs?

    Read the article

  • Possible to write an Extension Method for ASP.NET's Html.ActionLink() method?

    - by Pretzel
    Right now, I'm trying to work around an IE6/7 bug which requires the wrapping of the </a closing tag with this IE specific comment to make some drop-down menu work: <!--[if IE 7]><!--></a><!--<![endif]--> Unfortunately, I cannot inject this directly into my View page code like this: <%= Html.ActionLink("LinkName<!--[if IE 7]><!--></a><!--<![endif]-->","Action","Controller") %> As Html.ActionLink will do the safe thing and filter out the comment to prevent a Javascript injection attack. Ok, cool. I'm fine with that. Good design decision. What I'd like to do is write an Extension Method to this, but the process is eluding me as I haven't done this before. I thought this would work, but Intellisense doesn't seem to be picking up this Extension method that I've written. public static class MyLinkExtensions { public static string ActionLinkIE(this HtmlHelper htmlHelper, string linkText, string actionName, string controllerName) { return LinkExtensions.ActionLink(htmlHelper, linkText, actionName, controllerName). Replace(@"</a>", @"<!--[if IE 7]><!--></a><!--<![endif]-->"); } } Any suggestions?

    Read the article

  • regressions with many nested categorical covariates

    - by eric
    I have a few hundred thousand measurements where the dependent variable is a probability, and would like to use logistic regression. However, the covariates I have are all categorical, and worse, are all nested. By this I mean that if a certain measurement has "city - Phoenix" then obviously it is certain to have "state - Arizona" and "country - U.S." I have four such factors - the most granular has some 20k levels, but if need be I could do without that one, I think. I also have a few non-nested categorical covariates (only four or so, with maybe three different levels each). What I am most interested in is prediction - given a new observation in some city, I would like to know the relevant probability/dependent variable. I am not interested as much in the related inferential machinery - standard deviations, etc - at least as of now. I am hoping I can afford to be sloppy. However, I would love to have that information unless it requires methods that are more computationally expensive. Does anyone have any advice on how to attack this? I have looked into mixed effects, but am not sure it is what I am looking for.

    Read the article

  • Best practices for encrypting continuous/small UDP data

    - by temp
    Hello everyone, I am having an application where I have to send several small data per second through the network using UDP. The application need to send the data in real-time (no waiting). I want to encrypt these data and insure that what I am doing is as secure as possible. Since I am using UDP, there is no way to use SSL/TLS, so I have to encrypt each packet alone since the protocol is connectionless/unreliable/unregulated. Right now, I am using a 128-bit key derived from a passphrase from the user, and AES in CBC mode (PBE using AES-CBC). I decided to use a random salt with the passphrase to derive the 128-bit key (prevent dictionary attack on the passphrase), and of course use IVs (to prevent statistical analysis for packets). However I am concerned about few things: Each packet contains small amount of data (like a couple of integer values per packet) which will make the encrypted packets vulnerable to known-plaintext attacks (which will result in making it easier to crack the key). Also, since the encryption key is derived from a passphrase, this will make the key space way less (I know the salt will help, but I have to send the salt through the network once and anyone can get it). Given these two things, anyone can sniff and store the sent data, and try to crack the key. Although this process might take some time, once the key is cracked all the stored data will be decrypted, which will be a real problem for my application. So my question is, what is the best practices for sending/encrypting continuous small data using a connectionless protocol (UDP)? Is my way the best way to do it? ...flowed? ...Overkill? ... Please note that I am not asking for a 100% secure solution, as there is no such thing. Cheers

    Read the article

  • Best practices for encrytping continuous/small UDP data

    - by temp
    Hello everyone, I am having an application where I have to send several small data per second through the network using UDP. The application need to send the data in real-time (on waiting). I want to encrypt these data and insure that what I am doing is as secure as possible. Since I am using UDP, there is no way to use SSL/TLS, so I have to encrypt each packet alone since the protocol is connectionless/unreliable/unregulated. Right now, I am using a 128-bit key derived from a passphrase from the user, and AES in CBC mode (PBE using AES-CBC). I decided to use a random salt with the passphrase to derive the 128-bit key (prevent dictionary attack on the passphrase), and of course use IVs (to prevent statistical analysis for packets). However I am concerned about few things: Each packet contains small amount of data (like a couple of integer values per packet) which will make the encrypted packets vulnerable to known-plaintext attacks (which will result in making it easier to crack the key). Also, since the encryption key is derived from a passphrase, this will make the key space way less (I know the salt will help, but I have to send the salt through the network once and anyone can get it). Given these two things, anyone can sniff and store the sent data, and try to crack the key. Although this process might take some time, once the key is cracked all the stored data will be decrypted, which will be a real problem for my application. So my question is, what is the best practices for sending/encrypting continuous small data using a connectionless protocol (UDP)? Is my way the best way to do it? ...flowed? ...Overkill? ... Please note that I am not asking for a 100% secure solution, as there is no such thing. Cheers

    Read the article

  • Dangers when deploying Flash/Flex UI test automation hooks to production?

    - by Merlyn Morgan-Graham
    I am interested in doing automated testing against a Flex based UI. I have found out that my best options for UI automation (due to being C# controllable, good licensing conditions, etc) all seem to require that I compile test hooks into my application. Because of this, I am thinking of recommending that these hooks be compiled into our build. I have found a few places on the net that recommend not deploying bits with this instrumentation enabled, and I'd like to know why. Is it a performance drain, or a security risk? If it is a security risk, can you explain how the attack surface is increased? I am not a Flash or Flex developer, though I have some experience with threat modeling. For reference, here's the tools I'm specifically considering: QTP Selenium-Flex API I am having problems finding all the warnings/suggestions I found last night, but here's an example that I can find: http://www.riatest.com/products/getting-started.html Warning! Automation enabled applications expose all properties of all GUI components. This makes them vulnerable to malicious use. Never make automation enabled application publicly available. Always restrict access to such applications and to RIATest Loader to trusted users only. Related question (how to do conditional compilation to insert/remove those hooks): Conditionally including Flex libraries (SWCs) in mxmlc/compc ant tasks

    Read the article

  • Creating a web application that can be extended by plugins/modules

    - by Adam Pope
    I'm currently involved with developing a C# CMS-like web application which will be used to standardise our development of websites. From the outset, the idea has been to keep the core as simple as possible to avoid the complexity and menu/option overload that blights many CMS systems. This simple core is now complete and working very well. We envisisaged that the system would be able to accept plugins or modules which would extend the core functionality to suit a given projects needs. These would also be re-usable across projects. For example, a basic catalogue and shopping basket might be needed. All the code for such extensions should be in seperate assemblies. They should be able to provide their own admin interfaces and front-end code from this library. The system should search for available plugins and give the admin user the option to enable/disable the feature. (This is all very much like WordPress plugins) It is crucial that we attack this problem in the correct way, so I'm trying to perform as much due dilligence as possible before jumping in. I am aware of the Plugin Pattern (http://msdn.microsoft.com/en-us/library/ms972962.aspx) and have read some articles on it's use. It seems reasonable but I'm not convinced it's necessarily the correct/best technique for this situation. It seems more suited to processing applications (image/audio manipulation, maths etc). Are there any other options for achieving this kind of UI extensibility functionality? Or is the plugin pattern the way to go? I'd also be interested if anybody has links to articles that explain using the plugin pattern for this purpose?

    Read the article

  • larger file upload problem with php

    - by chris
    I need to upload a csv file to a server. works fine for smaller files but when the file is 3-6 meg its not working. $allowedExtensions = array("csv"); foreach ($_FILES as $file) { if ($file['tmp_name'] > '') { if (!in_array(end(explode(".", strtolower($file['name']))), $allowedExtensions)) { die($file['name'].' is an invalid file type!<br/>'. '<a href="javascript:history.go(-1);">'. '&lt;&lt Go Back</a>'); } if (move_uploaded_file($file['tmp_name'], $uploadfile)) { echo "File is valid, and was successfully uploaded.\n"; } else { echo "Possible file upload attack!\n"; } echo "File has been uploaded"; } //upload form <form name="upload" enctype="multipart/form-data" action="<? echo $_SERVER['php_self'];?>?action=upload_process" method="POST"> <!-- MAX_FILE_SIZE must precede the file input field --> <input type="hidden" name="MAX_FILE_SIZE" value="31457280" /> <!-- Name of input element determines name in $_FILES array --> Send this file: <input name="userfile" type="file" /> <input type="submit" value="Send File" /> </form> I have also added this to htaccess php_value upload_max_filesize 20M php_value post_max_size 20M php_value max_execution_time 200 php_value max_input_time 200 Where am i going wrong?

    Read the article

  • How would a user stay logged in to a REST-based website?

    - by unforgiven3
    A year or so ago I asked this question: Can you help me understand this? “Common REST Mistakes: Sessions are irrelevant”. My question was essentially this: Okay, I get that HTTP authentication is done automatically on every message - but how? Is the username/password sent with every request? Doesn't that just increase attack surface area? I feel like I'm missing part of the puzzle. The answers I received made perfect sense in the context of a mobile (iPhone, Android, WP7) app - when talking to a REST service, the app would just send user credentials along with each request. That worked great for me. But now, I would like to better understand how one would secure a REST-like website, like StackOverflow itself or something like Reddit. How would things work if it was a user logged in via a web browser instead of logged in via an iPhone app? What happens when a user logs in? Are the credentials saved in the browser somehow? How would the browser know what credentials to send with subsequent REST requests? What if it's a JavaScript call to a webservice? How would the JavaScript call include user credentials? I'll be quite frank: my understanding of security when it comes to websites is pretty limited. I enjoyed working with REST services from an app perspective, but now I want to try and build a website that is based on REST principles, and I'm finding myself to be pretty lost. If there is anything in the above question that is unclear that you'd like me to clarify, please leave a comment and I'll address it.

    Read the article

  • Setting up a web development/build environment

    - by Eric
    Hello all, My current project has a development web server and live web server. Developers make changes to files on the dev server and test them (by going to the dev address) and make changes as necessary. When the file or files are ready to go, they are copied to the live server. There is no version control. As you might expect, there are some problems with this model: It's hard to keep track of what other programmers have done. It's hard to keep track of what files should be copied to the live server. There is no version control. I'm in a position to make nearly any change I like, but I want it to be the right one! I have been turning this over in my head for quite a while, and I have a solution that might be okay. But I want SO's opinion. Certainly version control needs to be added. But how should it work with the existing codebase and where should the developers be testing? How can anyone know what needs to be moved to the live server? What other details need to be addressed? How would you attack this problem? Supplementary information: The website is vital, but not mission critical. A small amount of downtime is acceptable. There are very few developers. (Right now, only 4.) History: Before I started, the project used Visual Source Safe. This was a sufficiently bad experience that they quit using it and abandoned version control. The project is an ASP.NET (C#) website. This seems like a question that may have a complicated answer. Thanks for thinking about it!

    Read the article

  • Best Practice: Protecting Personally Identifiable Data in a ASP.NET / SQL Server 2008 Environment

    - by William
    Thanks to a SQL injection vulnerability found last week, some of my recommendations are being investigated at work. We recently re-did an application which stores personally identifiable information whose disclosure could lead to identity theft. While we read some of the data on a regular basis, the restricted data we only need a couple of times a year and then only two employees need it. I've read up on SQL Server 2008's encryption function, but I'm not convinced that's the route I want to go. My problem ultimately boils down to the fact that we're either using symmetric keys or assymetric keys encrypted by a symmetric key. Thus it seems like a SQL injection attack could lead to a data leak. I realize permissions should prevent that, permissions should also prevent the leaking in the first place. It seems to me the better method would be to asymmetrically encrypt the data in the web application. Then store the private key offline and have a fat client that they can run the few times a year they need to access the restricted data so the data could be decrypted on the client. This way, if the server get compromised, we don't leak old data although depending on what they do we may leak future data. I think the big disadvantage is this would require re-writing the web application and creating a new fat application (to pull the restricted data). Due to the recent problem, I can probably get the time allocated, so now would be the proper time to make the recommendation. Do you have a better suggestion? Which method would you recommend? More importantly why?

    Read the article

  • Php string handling triks

    - by Dam
    Hi my question Need to get the 10 word before and 10 words after for the given text . i mean need to start the 10 words before the keyword and end with 10 word after the key word. Given text : "Twenty-three" The main trick : content having some html tags etc .. tags need to keep that tag with this content only . need to display the words from 10before - 10after content is bellow : <div id="hpFeatureBoxInt"><h3><a href="/go/homepage/i/int/news/world/1/-/news/1/hi/world/europe/8592190.stm">Suicide bombings hit Moscow Metro</a></h3><p>Past suicide bombings in Moscow have been blamed on Islamist rebels At least 35 people have been killed after two female suicide bombers blew themselves up on Moscow Metro trains in the morning rush hour,<h2><span class="dy">Top News Story</span></h2> officials say.<img height="150" width="201" alt="Emergency services carry a body from a Metro station in Moscow (29 March 2010)" src="http://wwwimg.bbc.co.uk/feedengine/homepage/images/_47550689_moscowap203_201x150.jpg">Twenty-three died in the first blast at 0756 (0356 GMT) as a<a href="#"> train stood </a>at the central Lubyanka station, beneath the offices of the FSB intelligence agency.About 40 minutes later, a second explosion ripped through a train at Park Kultury, leaving another 12 dead.No-one has said they carried out the worst attack in the capital since 2004. </p><p id="fbilisten"><a href="/go/homepage/i/int/news/heading/-/news/">More from BBC News</a></p></div> Thank you

    Read the article

  • When I try to pass large amounts of information using jquery $.ajax(post) method. it throws potenti

    - by dotnetrocks
    I am trying to create a preview window for my texteditor in my blog page. I need to send the content to the server to clean up the text entered before I can preview it on the preview window. I was trying to use $.ajax({ type: method, url: url, data: values, success: LoadPageCallback(targetID), error: function(msg) { $('#' + targetID).attr('innerHTML', 'An error has occurred. Please try again.'); } }); Whenever I tried to click on the preview button it returns an XMLHTTPRequest error. The error description - Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. The ValidateRequest for the page is set to false. Is there a way I can set validaterequest to false for the ajax call.Please advise Thank you for reading my post.

    Read the article

  • What prevents a user from adding controls to an ASP.NET page client side?

    - by Curtis White
    This goes back to my other question which I thought was sufficiently answers but upon reflect am not sure that it was (sorry). Backgrounder: I am generating a form dynamically. I am pulling from the database the controls. I must associate each control with a database ID which is not the user's session id. I do this currently by storing my ID in the ID for the web control with some other stuff to make it unique/clear what I am doing. On the post back, I iterate through all the controls on my web page checking for my special identifier, ie, MyGeneratedTextBox_ID_Unique. This process enables for 2 important steps, identifying the control was one I generated and also getting the ID for this input field. And, all of this works but I'm still concerned about the security of it. I do not see a security issue with showing the actual database ID's in this case, although agree it is not desirable. However, I am concerned of the following possibilities: If a user could add a nefarious control to my collection and use that for a SQL injection attack. More academic, but if a user could somehow store data for fields they do not have access too by changing the id's. I agree this is a "hack" of a way to do it. But my question is, is it a security risk and is there an 'easy' way to do it in a less hack way? I assume that only the controls that are created/instantiated on the page are added to the controls list.. thus all controls must be created server side and thus the security issue is address but just wanted to validate. Thanks again. PS: I could see adding a property for each control and encrypting the viewstate would be a little more secure.

    Read the article

  • What stackoverflow questions bring out the best in you? [closed]

    - by Mark Robinson
    This question is to help me (us) ask better questions of this community to encourage better working together. What questions here bring out the best in you? I don't mean which are the best / most appropriate questions but which bring the best out of you? That is, it brings out your best thinking and most constructive behaviour. Consider, for example, questions that make you think or that are asked in a certain way. Or consider specific a question should be. Or more abstractly, questions asked on a certain day / time, ... So I'm not necessarily asking about specific subjects but rather how a question is asked. What inspires you to drop everything and start answering? This comes from my observing questions that get highest points - I’m graduating with a Computer Science degree but I don’t feel like I know how to program. is very positive but my first ever question caused a minor storm. Ironically, I'm nervous posting this question so please don't attack if this is inappropriate.

    Read the article

  • Performance when querying a View

    - by Nate Bross
    I'm wondering if this is a bad practice or if in general this is the correct approach. Lets say that I've created a view that combines a few attributes from a few tables. My question, what do I need to do so I can query against this view as if it were a table without worrying about performance? All attributes in the original tables are indexed, my concern is that the result view will have hundreds of thousands of records, which I will want to narrow down quite a bit based on user input. What I'd like to avoid, is having multiple versions of the code that generates this view floating around with a few extra "where" conditions to facilitate the user input filtering. For example, assume my view has this header VIEW(Name, Type, DateEntered) this may have 100,000+ rows (possibly millions). I'd like to be able to make this view in SQL Server, and then in my application write querlies like this: SELECT Name, Type, DateEntered FROM MyView WHERE DateEntered BETWEEN @date1 and @date2; Basically, I am denormalizing my data for a series of reports that need to be run, and I'd like to centralize where I pull the data from, maybe I'm not looking at this problem from the right angle though, so I'm open to alternative ways to attack this.

    Read the article

< Previous Page | 24 25 26 27 28 29 30 31 32 33 34  | Next Page >