Search Results

Search found 424 results on 17 pages for 'brendan salt'.

Page 3/17 | < Previous Page | 1 2 3 4 5 6 7 8 9 10 11 12  | Next Page >

  • SHA1 Password returns as cleartext after DB query

    - by Code Sherpa
    Hi. I have a SHA1 password and PasswordSalt in my aspnet_Membership table. but, when I run a query from the server (a Sql Query), the reader reveals that the pass has returned as its cleartext equivalent. I am wondering if my web.config configuration is causing this? <membership defaultProvider="CustomMembershipProvider" userIsOnlineTimeWindow="20" hashAlgorithmType="SHA1"> <providers> <clear/> <add name="CustomMembershipProvider" type="Custom.Utility.CustomMembershipProvider" connectionStringName="MembershipDB" enablePasswordRetrieval="false" enablePasswordReset="true" requiresUniqueEmail="false" requiresQuestionAndAnswer="false" passwordStrengthRegularExpression="" minRequiredPasswordLength="1" minRequiredNonalphanumericCharacters="0" passwordFormat="Hashed" thanks in advance...

    Read the article

  • Encrypt hashed passwords?

    - by Industrial
    Hi everyone, Is it common sense to encrypt hashed&salted passwords that are stored in a database with a strong encryption (AES 192 or so) or are we just aiming for the stars? Of course, the encryption key will not be in the database itself, but will be kept at a safe place. Thanks a lot!

    Read the article

  • Help me clean up this crazy lambda with the out keyword

    - by Sarah Vessels
    My code looks ugly, and I know there's got to be a better way of doing what I'm doing: private delegate string doStuff( PasswordEncrypter encrypter, RSAPublicKey publicKey, string privateKey, out string salt ); private bool tryEncryptPassword( doStuff encryptPassword, out string errorMessage ) { ...get some variables... string encryptedPassword = encryptPassword(encrypter, publicKey, privateKey, out salt); ... } This stuff so far doesn't bother me. It's how I'm calling tryEncryptPassword that looks so ugly, and has duplication because I call it from two methods: public bool method1(out string errorMessage) { string rawPassword = "foo"; return tryEncryptPassword( (PasswordEncrypter encrypter, RSAPublicKey publicKey, string privateKey, out string salt) => encrypter.EncryptPasswordAndDoStuff( // Overload 1 rawPassword, publicKey, privateKey, out salt ), out errorMessage ); } public bool method2(SecureString unencryptedPassword, out string errorMessage) { return tryEncryptPassword( (PasswordEncrypter encrypter, RSAPublicKey publicKey, string privateKey, out string salt) => encrypter.EncryptPasswordAndDoStuff( // Overload 2 unencryptedPassword, publicKey, privateKey, out salt ), out errorMessage ); } Two parts to the ugliness: I have to explicitly list all the parameter types in the lambda expression because of the single out parameter. The two overloads of EncryptPasswordAndDoStuff take all the same parameters except for the first parameter, which can either be a string or a SecureString. So method1 and method2 are pretty much identical, they just call different overloads of EncryptPasswordAndDoStuff. Any suggestions? Edit: if I apply Jeff's suggestions, I do the following call in method1: return tryEncryptPassword( (encrypter, publicKey, privateKey) => { var result = new EncryptionResult(); string salt; result.EncryptedValue = encrypter.EncryptPasswordAndDoStuff( rawPassword, publicKey, privateKey, out salt ); result.Salt = salt; return result; }, out errorMessage ); Much the same call is made in method2, just with a different first value to EncryptPasswordAndDoStuff. This is an improvement, but it still seems like a lot of duplicated code.

    Read the article

  • hashing password giving different results

    - by geoff
    I am taking over a system that a previous developer wrote. The system has an administrator approve a user account and when they do that the system uses the following method to hash a password and save it to the database. It sends the unhashed password to the user. When the user logs in the system uses the exact same method to hash what the user enters and compares it to the database value. We've run into a couple of times when the database entry doesn't match the user's entry whey they should. So it appears that the method isn't always hashing the value the same. Does anyone know if this method of hashing isn't reliable and how to make it reliable? Thanks. private string HashPassword(string password) { string hashedPassword = string.Empty; // Convert plain text into a byte array. byte[] plainTextBytes = Encoding.UTF8.GetBytes(password); // Allocate array, which will hold plain text and salt. byte[] plainTextWithSaltBytes = new byte[plainTextBytes.Length + SALT.Length]; // Copy plain text bytes into resulting array. for(int i = 0; i < plainTextBytes.Length; i++) plainTextWithSaltBytes[i] = plainTextBytes[i]; // Append salt bytes to the resulting array. for(int i = 0; i < SALT.Length; i++) plainTextWithSaltBytes[plainTextBytes.Length + i] = SALT[i]; // Because we support multiple hashing algorithms, we must define // hash object as a common (abstract) base class. We will specify the // actual hashing algorithm class later during object creation. HashAlgorithm hash = new SHA256Managed(); // Compute hash value of our plain text with appended salt. byte[] hashBytes = hash.ComputeHash(plainTextWithSaltBytes); // Create array which will hold hash and original salt bytes. byte[] hashWithSaltBytes = new byte[hashBytes.Length + SALT.Length]; // Copy hash bytes into resulting array. for(int i = 0; i < hashBytes.Length; i++) hashWithSaltBytes[i] = hashBytes[i]; // Append salt bytes to the result. for(int i = 0; i < SALT.Length; i++) hashWithSaltBytes[hashBytes.Length + i] = SALT[i]; // Convert result into a base64-encoded string. hashedPassword = Convert.ToBase64String(hashWithSaltBytes); return hashedPassword; }

    Read the article

  • Same Salt, Different Encrypted Password is not working? Using Linq to update password.

    - by Xaisoft
    Hello, I am running into a wall regarding changing the password and was wondering if anyone had any ideas. Here are the database values prior to changing the password: Clear Text password = abc1980 Encrypted Password = Yn1N5l+4AUqkOM3WYO7ww/sCN+o= Salt = 82qVIhUIoblBRIRvFSZ1fw== After I change my password to abc1973, salt remains the same, but the Encrypted Password changes which is supposed to happen: Encrypted Password = rHtjLq3qxAl/7T1GfkxrsHzPsNk= However, when I try to login with abc1973 as the password, it does not login. If I try abc1980, it logs me in. It is updating the database, is it caching the values somewhere? Any ideas?

    Read the article

  • Using AES encryption in .NET - CryptographicException saying the padding is invalid and cannot be removed

    - by Jake Petroules
    I wrote some AES encryption code in C# and I am having trouble getting it to encrypt and decrypt properly. If I enter "test" as the passphrase and "This data must be kept secret from everyone!" I receive the following exception: System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed. at System.Security.Cryptography.RijndaelManagedTransform.DecryptData(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, Byte[]& outputBuffer, Int32 outputOffset, PaddingMode paddingMode, Boolean fLast) at System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount) at System.Security.Cryptography.CryptoStream.FlushFinalBlock() at System.Security.Cryptography.CryptoStream.Dispose(Boolean disposing) at System.IO.Stream.Close() at System.IO.Stream.Dispose() ... And if I enter something less than 16 characters I get no output. I believe I need some special handling in the encryption since AES is a block cipher, but I'm not sure exactly what that is, and I wasn't able to find any examples on the web showing how. Here is my code: using System; using System.IO; using System.Security.Cryptography; using System.Text; public static class DatabaseCrypto { public static EncryptedData Encrypt(string password, string data) { return DatabaseCrypto.Transform(true, password, data, null, null) as EncryptedData; } public static string Decrypt(string password, EncryptedData data) { return DatabaseCrypto.Transform(false, password, data.DataString, data.SaltString, data.MACString) as string; } private static object Transform(bool encrypt, string password, string data, string saltString, string macString) { using (AesManaged aes = new AesManaged()) { aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7; int key_len = aes.KeySize / 8; int iv_len = aes.BlockSize / 8; const int salt_size = 8; const int iterations = 8192; byte[] salt = encrypt ? new Rfc2898DeriveBytes(string.Empty, salt_size).Salt : Convert.FromBase64String(saltString); byte[] bc_key = new Rfc2898DeriveBytes("BLK" + password, salt, iterations).GetBytes(key_len); byte[] iv = new Rfc2898DeriveBytes("IV" + password, salt, iterations).GetBytes(iv_len); byte[] mac_key = new Rfc2898DeriveBytes("MAC" + password, salt, iterations).GetBytes(16); aes.Key = bc_key; aes.IV = iv; byte[] rawData = encrypt ? Encoding.UTF8.GetBytes(data) : Convert.FromBase64String(data); using (ICryptoTransform transform = encrypt ? aes.CreateEncryptor() : aes.CreateDecryptor()) using (MemoryStream memoryStream = encrypt ? new MemoryStream() : new MemoryStream(rawData)) using (CryptoStream cryptoStream = new CryptoStream(memoryStream, transform, encrypt ? CryptoStreamMode.Write : CryptoStreamMode.Read)) { if (encrypt) { cryptoStream.Write(rawData, 0, rawData.Length); return new EncryptedData(salt, mac_key, memoryStream.ToArray()); } else { byte[] originalData = new byte[rawData.Length]; int count = cryptoStream.Read(originalData, 0, originalData.Length); return Encoding.UTF8.GetString(originalData, 0, count); } } } } } public class EncryptedData { public EncryptedData() { } public EncryptedData(byte[] salt, byte[] mac, byte[] data) { this.Salt = salt; this.MAC = mac; this.Data = data; } public EncryptedData(string salt, string mac, string data) { this.SaltString = salt; this.MACString = mac; this.DataString = data; } public byte[] Salt { get; set; } public string SaltString { get { return Convert.ToBase64String(this.Salt); } set { this.Salt = Convert.FromBase64String(value); } } public byte[] MAC { get; set; } public string MACString { get { return Convert.ToBase64String(this.MAC); } set { this.MAC = Convert.FromBase64String(value); } } public byte[] Data { get; set; } public string DataString { get { return Convert.ToBase64String(this.Data); } set { this.Data = Convert.FromBase64String(value); } } } static void ReadTest() { Console.WriteLine("Enter password: "); string password = Console.ReadLine(); using (StreamReader reader = new StreamReader("aes.cs.txt")) { EncryptedData enc = new EncryptedData(); enc.SaltString = reader.ReadLine(); enc.MACString = reader.ReadLine(); enc.DataString = reader.ReadLine(); Console.WriteLine("The decrypted data was: " + DatabaseCrypto.Decrypt(password, enc)); } } static void WriteTest() { Console.WriteLine("Enter data: "); string data = Console.ReadLine(); Console.WriteLine("Enter password: "); string password = Console.ReadLine(); EncryptedData enc = DatabaseCrypto.Encrypt(password, data); using (StreamWriter stream = new StreamWriter("aes.cs.txt")) { stream.WriteLine(enc.SaltString); stream.WriteLine(enc.MACString); stream.WriteLine(enc.DataString); Console.WriteLine("The encrypted data was: " + enc.DataString); } }

    Read the article

  • How to ReHash a password stored into my Database ? (PHP)

    - by Vincent Roye
    Hi! I have some passwords encrypted in my database and I would like to find a way to display them. Here is how they are saved into my mysql database: function generateHash($plainText, $salt = null){ if ($salt === null) { $salt = substr(md5(uniqid(rand(), true)), 0, 25); } else { $salt = substr($salt, 0, 25); } return $salt . sha1($salt . $plainText); } $secure_pass = generateHash($this->clean_password); Then $secure_pass is saved into my database. Anyone would have an idea ?? Thank you very much ;)

    Read the article

  • What is the Best Internet Provider in the Salt Lake Valley for hosting your future online business f

    - by Justin
    This is for people familiar with the ISP scene in Salt Lake. Also, UTOPIA is not available in my neighborhood yet. I'm looking for comparisons between Comcast, Qwest, and especially other providers I'm not aware of. While I will have online backup (of course!), I want to host some things from my own home at the start of my business. Once money starts flowing in, I will move to a hosted provider, but in the meantime I would like a provider which provides fast (1+ mb/s at least) upload speeds (fast download a given), a static IP, and especially a reasonable price.

    Read the article

  • The Science Behind Salty Airline Food

    - by Jason Fitzpatrick
    In this collection, Artist Signe Emma combines a scientific overview of the role salt plays in airline food with electron microscope scans of salt crystals arranged to look like the views from an airplane–a rather clever and visually stunning way to deliver the message. Attached to the collection is this explaination of why airlines load their snacks and meals with salt: White noise consists of a random collection of sounds at different frequencies and scientists have demonstrated that it is capable of diminishing the taste of salt. At low-pressure conditions, higher taste and odour thresholds of flavourings are generally observed. At 30.000 feet the cabin humidity drops by 15%, and the lowered air pressure forces bodily fluids upwards. With less humidity, people have less moisture in their throat, which slows the transport of odours to the brains smell and taste receptors. That means that if a meal should taste the same up in the air, as on ground it needs 30% of extra salt. To combat the double assault on our sense of taste, the airlines boost the salt content to compensate. For more neat microscope scans as high-altitude view photographs, hit up the link below. How to Play Classic Arcade Games On Your PC How to Use an Xbox 360 Controller On Your Windows PC Download the Official How-To Geek Trivia App for Windows 8

    Read the article

  • Do I need to Salt and Hash a randomly generated token?

    - by wag2639
    I'm using Adam Griffiths's Authentication Library for CodeIgniter and I'm tweaking the usermodel. I came across a generate function that he uses to generate tokens. His preferred approach is to reference a value from random.org but I considered that superfluous. I'm using his fall back approach of randomly generating a 20 character long string: $length = 20; $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'; $token = ''; for ($i = 0; $i < $length; $i++) { $token .= $characters[mt_rand(0, strlen($characters)-1)]; } He then hashes this token using a salt (I'm combing code from different functions) sha1($this->CI->config->item('encryption_key').$str); I was wondering if theres any reason to to run the token through the salted hash? I've read that simply randomly generating strings was a naive way of making random passwords but is the sh1 hash and salt necessary? Note: I got my encryption_key from https://www.grc.com/passwords.htm (63 random alpha-numeric)

    Read the article

  • How to use Bouncy Castle lightweight API with AES and PBE

    - by Adrian
    I have a block of ciphertext that was created using the JCE algorithim "PBEWithSHA256And256BitAES-CBC-BC". The provider is BouncyCastle. What I'd like to do it decrypt this ciphertext using the BouncyCastle lightweight API. I don't want to use JCE because that requires installing the Unlimited Strength Jurisdiction Policy Files. Documentation seems to be thin on the ground when it comes to using BC with PBE and AES. Here's what I have so far. The decryption code runs without exception but returns rubbish. The encryption code, String password = "qwerty"; String plainText = "hello world"; byte[] salt = generateSalt(); byte[] cipherText = encrypt(plainText, password.toCharArray(), salt); private static byte[] generateSalt() throws NoSuchAlgorithmException { byte salt[] = new byte[8]; SecureRandom saltGen = SecureRandom.getInstance("SHA1PRNG"); saltGen.nextBytes(salt); return salt; } private static byte[] encrypt(String plainText, char[] password, byte[] salt) throws NoSuchAlgorithmException, InvalidKeySpecException, NoSuchPaddingException, InvalidKeyException, InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException { Security.addProvider(new BouncyCastleProvider()); PBEParameterSpec pbeParamSpec = new PBEParameterSpec(salt, 20); PBEKeySpec pbeKeySpec = new PBEKeySpec(password); SecretKeyFactory keyFac = SecretKeyFactory.getInstance("PBEWithSHA256And256BitAES-CBC-BC"); SecretKey pbeKey = keyFac.generateSecret(pbeKeySpec); Cipher encryptionCipher = Cipher.getInstance("PBEWithSHA256And256BitAES-CBC-BC"); encryptionCipher.init(Cipher.ENCRYPT_MODE, pbeKey, pbeParamSpec); return encryptionCipher.doFinal(plainText.getBytes()); } The decryption code, byte[] decryptedText = decrypt(cipherText, password.getBytes(), salt); private static byte[] decrypt(byte[] cipherText, byte[] password, byte[] salt) throws DataLengthException, IllegalStateException, InvalidCipherTextException, InvalidKeyException, NoSuchAlgorithmException, NoSuchPaddingException, IllegalBlockSizeException, BadPaddingException { BlockCipher engine = new AESEngine(); CBCBlockCipher cipher = new CBCBlockCipher(engine); PKCS5S1ParametersGenerator keyGenerator = new PKCS5S1ParametersGenerator(new SHA256Digest()); keyGenerator.init(password, salt, 20); CipherParameters keyParams = keyGenerator.generateDerivedParameters(256); cipher.init(false, keyParams); byte[] decryptedBytes = new byte[cipherText.length]; int numBytesCopied = cipher.processBlock(cipherText, 0, decryptedBytes, 0); return decryptedBytes; }

    Read the article

  • Is it safe to change the 'Security.salt' line to a more lengthy string {64 hex key}

    - by Gaurav Sharma
    Hi everyone, I have changed the Configure::write('Security.salt', '############'); value in the file config/core.php file to a '256-bit hex key'. Is it safe or a good practice to change these lines for every different installation of cakephp application or shall I revert back to the original ? I also changed the Configure::write('Security.cipherSeed','7927237598237592759727'); to a different one of more length. Please throw some light on this. Thanks

    Read the article

  • PostgreSQL - select only when specific multiple apperance in column

    - by Horse SMith
    I'm using PostgreSQL. I have a table with 3 fields person, recipe and ingredient person = creator of the recipe recipe = the recipe ingredient = one of the ingredients in the recipe I want to create a query which results in every person who whenever has added carrot to a recipe, the person must also have added salt to the same recipe. More than one person can have created the recipe, in which case the person who added the ingredient will be credited for adding the ingredient. Sometimes the ingredient is used more than once, even by the same person. If this the table: person1, rec1, carrot person1, rec1, salt person1, rec1, salt person1, rec2, salt person1, rec2, pepper person2, rec1, carrot person2, rec1, salt person2, rec2, carrot person2, rec2, pepper person3, rec1, sugar person3, rec1, carrot Then I want this result: person1 Because this person is the only one who whenever has added carrot also have added salt.

    Read the article

  • Has anyone used tools like (Chef, Salt, Puppet, CfEngine) to configure a 2008 Win Server with Sql?

    - by Development 4.0
    I have been looking into tools to automate the creation of servers. For two different reasons: Production Development machines I love the idea of the immutable server. I have seen the tools demoed and used successfully on *nix boxes running Rails or Lamp etc. Has anyone found a good way to do this in the Microsoft stack? I would like to get in on the fun and create scripts that will install Windows, patch it according to specification, deploy Sql Server create scripts to build out a database and just for fun deploy SharePoint and configure it, and then deploy a SharePoint solution to it. I can get part of the way, install Windows manually, install Sql Server manually, use Powershell to do all the configuration and setup. Install SharePoint and configure part of it, then powershell for the rest of the configuration and deploying a solution. I would love to have the ability to run one script though, or at least one unified process. I can, and have mostly used VM template images and then instantiated them, but the creation of the template is usually a manual step.

    Read the article

  • How does one remove an encryption type from a kerberos principal?

    - by 84104
    I would like to remove all of the des keys from the principal below, but have no idea how to do so without someone inputting the password. kadmin: getprinc user Principal: [email protected] Expiration date: [never] Last password change: Thu May 26 08:52:51 PDT 2013 Password expiration date: [none] Maximum ticket life: 0 days 12:00:00 Maximum renewable life: 7 days 00:00:00 Last modified: Tue Jul 16 15:17:18 PDT 2013 (administrator/[email protected]) Last successful authentication: Wed Jul 24 14:40:53 PDT 2013 Last failed authentication: [never] Failed password attempts: 0 Number of keys: 8 Key: vno 3, aes256-cts-hmac-sha1-96, no salt Key: vno 3, arcfour-hmac, no salt Key: vno 3, des3-cbc-sha1, no salt Key: vno 3, des-cbc-crc, no salt Key: vno 3, des-cbc-md5, no salt Key: vno 3, des-cbc-md5, Version 5 - No Realm Key: vno 3, des-cbc-md5, Version 5 - Realm Only Key: vno 3, des-cbc-md5, AFS version 3 MKey: vno 2 Attributes: REQUIRES_PRE_AUTH Policy: [none] Also, the the kdc is using an OpenLDAP backend.

    Read the article

  • Salting a public hash

    - by Sathvik
    Does it make any sense at all to salt a hash which might be available publicly? It doesn't really make sense to me, but does anyone actually do that? UPDATE - Some more info: An acquaintance of mine has a common salted-hash function which he uses throughout his code. So I was wondering if it made any sense at-all, to do so. Here's the function he used: hashlib.sha256(string+SALT).hexdigest() Update2: Sorry if it wasn't clear. By available publicly I meant, that it is rendered in the HTML of the project (for linking, etc) & can thus be easily read by a third party. The project is a python based web-app which involves user-created pages which are tracked using their hashes like myproject.com/hash so thus revealing the hash publicly. So my question is, whether in any circumstances would any sane programmer salt such a hash? Question: Using hashlib.sha256(string+SALT).hexdigest() vs hashlib.sha256(string).hexdigest() , when the hash isn't a secret.

    Read the article

  • Agile web development with rails

    - by Steve
    Hi.. This code is from the agile web development with rails book.. I don't understand this part of the code... User is a model which has name,hashed_password,salt as its fields. But in the code they are mentioning about password and password confirmation, while there are no such fields in the model. Model has only hashed_password. I am sure mistake is with me. Please clear this for me :) User Model has name,hashed_password,salt. All the fields are strings require 'digest/sha1' class User < ActiveRecord::Base validates_presence_of :name validates_uniqueness_of :name attr_accessor :password_confirmation validates_confirmation_of :password validate :password_non_blank def self.authenticate(name, password) user = self.find_by_name(name) if user expected_password = encrypted_password(password, user.salt) if user.hashed_password != expected_password user = nil end end user end def password @password end def password=(pwd) @password = pwd return if pwd.blank? create_new_salt self.hashed_password = User.encrypted_password(self.password, self.salt) end private def password_non_blank errors.add(:password,"Missing password")if hashed_password.blank? end def create_new_salt self.salt = self.object_id.to_s + rand.to_s end def self.encrypted_password(password, salt) string_to_hash = password + "wibble" + salt Digest::SHA1.hexdigest(string_to_hash) end end

    Read the article

  • Trouble launch byobu with custom windows.NAME file

    - by Brendan Piater
    Apologies if the solution is obvious but I'm stumped! I want to launch byobu from within my Gnome 3 desktop environment on 12.04 but it's not working for me as yet. Here's what I have: created a windows list file ~/.byobu/windows.mrb then tried to launch byobu from within the gnome terminal with: $ BYOBU_WINDOWS=mrb byobu But it gives me the default windows list, NOT my windows list. I followed these instructions from the wiki: http://goo.gl/omgl8 Here is a sanitised version of my windows.mrb file: screen -t local bash screen -t name1 ssh xxx@xxx screen -t name2 ssh root@xxx screen -t name3 bash Appreciate the time and effort. Cheers Brendan

    Read the article

  • How to optimize this mysql query - explain output included

    - by Sandeepan Nath
    This is the query (a search query basically, based on tags):- select SUM(DISTINCT(ttagrels.id_tag in (2105,2120,2151,2026,2046) )) as key_1_total_matches, td.*, u.* from Tutors_Tag_Relations AS ttagrels Join Tutor_Details AS td ON td.id_tutor = ttagrels.id_tutor JOIN Users as u on u.id_user = td.id_user where (ttagrels.id_tag in (2105,2120,2151,2026,2046)) group by td.id_tutor HAVING key_1_total_matches = 1 And following is the database dump needed to execute this query:- CREATE TABLE IF NOT EXISTS `Users` ( `id_user` int(10) unsigned NOT NULL auto_increment, `id_group` int(11) NOT NULL default '0', PRIMARY KEY (`id_user`), KEY `Users_FKIndex1` (`id_group`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8 AUTO_INCREMENT=730 ; INSERT INTO `Users` (`id_user`, `id_group`) VALUES (303, 1); CREATE TABLE IF NOT EXISTS `Tutor_Details` ( `id_tutor` int(10) unsigned NOT NULL auto_increment, `id_user` int(10) NOT NULL default '0', PRIMARY KEY (`id_tutor`), KEY `Users_FKIndex1` (`id_user`), KEY `id_user` (`id_user`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=58 ; INSERT INTO `Tutor_Details` (`id_tutor`, `id_user`) VALUES (26, 303); CREATE TABLE IF NOT EXISTS `Tags` ( `id_tag` int(10) unsigned NOT NULL auto_increment, `tag` varchar(255) default NULL, PRIMARY KEY (`id_tag`), UNIQUE KEY `tag` (`tag`), KEY `id_tag` (`id_tag`), KEY `tag_2` (`tag`), KEY `tag_3` (`tag`), KEY `tag_4` (`tag`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=2957 ; INSERT INTO `Tags` (`id_tag`, `tag`) VALUES (2026, 'Brendan.\nIn'), (2046, 'Brendan.'), (2105, 'Brendan'), (2120, 'Brendan''s'), (2151, 'Brendan)'); CREATE TABLE IF NOT EXISTS `Tutors_Tag_Relations` ( `id_tag` int(10) unsigned NOT NULL default '0', `id_tutor` int(10) unsigned default NULL, `tutor_field` varchar(255) default NULL, `cdate` timestamp NOT NULL default CURRENT_TIMESTAMP, `udate` timestamp NULL default NULL, KEY `Tutors_Tag_Relations` (`id_tag`), KEY `id_tutor` (`id_tutor`), KEY `id_tag` (`id_tag`), KEY `id_tutor_2` (`id_tutor`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1; INSERT INTO `Tutors_Tag_Relations` (`id_tag`, `id_tutor`, `tutor_field`, `cdate`, `udate`) VALUES (2105, 26, 'firstname', '2010-06-17 17:08:45', NULL); ALTER TABLE `Tutors_Tag_Relations` ADD CONSTRAINT `Tutors_Tag_Relations_ibfk_2` FOREIGN KEY (`id_tutor`) REFERENCES `Tutor_Details` (`id_tutor`) ON DELETE NO ACTION ON UPDATE NO ACTION, ADD CONSTRAINT `Tutors_Tag_Relations_ibfk_1` FOREIGN KEY (`id_tag`) REFERENCES `Tags` (`id_tag`) ON DELETE NO ACTION ON UPDATE NO ACTION; What the query does? This query actually searches tutors which contain "Brendan"(as their name or biography or something). The id_tags 2105,2120,2151,2026,2046 are nothing but the tags which are LIKE "%Brendan%". My question is :- 1.In the explain of this query, the reference column shows NULL for ttagrels, but there are possible keys (Tutors_Tag_Relations,id_tutor,id_tag,id_tutor_2). So, why is no key being taken. How to make the query take references. Is it possible at all? 2. The other two tables td and u are using references. Any indexing needed in those? I think not. Check the explain query output here http://www.test.examvillage.com/explain.png

    Read the article

  • Anti-Forgery Request in ASP.NET MVC and AJAX

    - by Dixin
    Background To secure websites from cross-site request forgery (CSRF, or XSRF) attack, ASP.NET MVC provides an excellent mechanism: The server prints tokens to cookie and inside the form; When the form is submitted to server, token in cookie and token inside the form are sent by the HTTP request; Server validates the tokens. To print tokens to browser, just invoke HtmlHelper.AntiForgeryToken():<% using (Html.BeginForm()) { %> <%: this.Html.AntiForgeryToken(Constants.AntiForgeryTokenSalt)%> <%-- Other fields. --%> <input type="submit" value="Submit" /> <% } %> which writes to token to the form:<form action="..." method="post"> <input name="__RequestVerificationToken" type="hidden" value="J56khgCvbE3bVcsCSZkNVuH9Cclm9SSIT/ywruFsXEgmV8CL2eW5C/gGsQUf/YuP" /> <!-- Other fields. --> <input type="submit" value="Submit" /> </form> and the cookie: __RequestVerificationToken_Lw__=J56khgCvbE3bVcsCSZkNVuH9Cclm9SSIT/ywruFsXEgmV8CL2eW5C/gGsQUf/YuP When the above form is submitted, they are both sent to server. [ValidateAntiForgeryToken] attribute is used to specify the controllers or actions to validate them:[HttpPost] [ValidateAntiForgeryToken(Salt = Constants.AntiForgeryTokenSalt)] public ActionResult Action(/* ... */) { // ... } This is very productive for form scenarios. But recently, when resolving security vulnerabilities for Web products, I encountered 2 problems: It is expected to add [ValidateAntiForgeryToken] to each controller, but actually I have to add it for each POST actions, which is a little crazy; After anti-forgery validation is turned on for server side, AJAX POST requests will consistently fail. Specify validation on controller (not on each action) Problem For the first problem, usually a controller contains actions for both HTTP GET and HTTP POST requests, and usually validations are expected for HTTP POST requests. So, if the [ValidateAntiForgeryToken] is declared on the controller, the HTTP GET requests become always invalid:[ValidateAntiForgeryToken(Salt = Constants.AntiForgeryTokenSalt)] public class SomeController : Controller { [HttpGet] public ActionResult Index() // Index page cannot work at all. { // ... } [HttpPost] public ActionResult PostAction1(/* ... */) { // ... } [HttpPost] public ActionResult PostAction2(/* ... */) { // ... } // ... } If user sends a HTTP GET request from a link: http://Site/Some/Index, validation definitely fails, because no token is provided. So the result is, [ValidateAntiForgeryToken] attribute must be distributed to each HTTP POST action in the application:public class SomeController : Controller { [HttpGet] public ActionResult Index() // Works. { // ... } [HttpPost] [ValidateAntiForgeryToken(Salt = Constants.AntiForgeryTokenSalt)] public ActionResult PostAction1(/* ... */) { // ... } [HttpPost] [ValidateAntiForgeryToken(Salt = Constants.AntiForgeryTokenSalt)] public ActionResult PostAction2(/* ... */) { // ... } // ... } Solution To avoid a large number of [ValidateAntiForgeryToken] attributes (one attribute for one HTTP POST action), I created a wrapper class of ValidateAntiForgeryTokenAttribute, where HTTP verbs can be specified:[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)] public class ValidateAntiForgeryTokenWrapperAttribute : FilterAttribute, IAuthorizationFilter { private readonly ValidateAntiForgeryTokenAttribute _validator; private readonly AcceptVerbsAttribute _verbs; public ValidateAntiForgeryTokenWrapperAttribute(HttpVerbs verbs) : this(verbs, null) { } public ValidateAntiForgeryTokenWrapperAttribute(HttpVerbs verbs, string salt) { this._verbs = new AcceptVerbsAttribute(verbs); this._validator = new ValidateAntiForgeryTokenAttribute() { Salt = salt }; } public void OnAuthorization(AuthorizationContext filterContext) { string httpMethodOverride = filterContext.HttpContext.Request.GetHttpMethodOverride(); if (this._verbs.Verbs.Contains(httpMethodOverride, StringComparer.OrdinalIgnoreCase)) { this._validator.OnAuthorization(filterContext); } } } When this attribute is declared on controller, only HTTP requests with the specified verbs are validated:[ValidateAntiForgeryTokenWrapper(HttpVerbs.Post, Constants.AntiForgeryTokenSalt)] public class SomeController : Controller { // Actions for HTTP GET requests are not affected. // Only HTTP POST requests are validated. } Now one single attribute on controller turns on validation for all HTTP POST actions. Submit token via AJAX Problem For AJAX scenarios, when request is sent by JavaScript instead of form:$.post(url, { productName: "Tofu", categoryId: 1 // Token is not posted. }, callback); This kind of AJAX POST requests will always be invalid, because server side code cannot see the token in the posted data. Solution The token must be printed to browser then submitted back to server. So first of all, HtmlHelper.AntiForgeryToken() must be called in the page where the AJAX POST will be sent. Then jQuery must find the printed token in the page, and post it:$.post(url, { productName: "Tofu", categoryId: 1, __RequestVerificationToken: getToken() // Token is posted. }, callback); To be reusable, this can be encapsulated in a tiny jQuery plugin:(function ($) { $.getAntiForgeryToken = function () { // HtmlHelper.AntiForgeryToken() must be invoked to print the token. return $("input[type='hidden'][name='__RequestVerificationToken']").val(); }; var addToken = function (data) { // Converts data if not already a string. if (data && typeof data !== "string") { data = $.param(data); } data = data ? data + "&" : ""; return data + "__RequestVerificationToken=" + encodeURIComponent($.getAntiForgeryToken()); }; $.postAntiForgery = function (url, data, callback, type) { return $.post(url, addToken(data), callback, type); }; $.ajaxAntiForgery = function (settings) { settings.data = addToken(settings.data); return $.ajax(settings); }; })(jQuery); Then in the application just replace $.post() invocation with $.postAntiForgery(), and replace $.ajax() instead of $.ajaxAntiForgery():$.postAntiForgery(url, { productName: "Tofu", categoryId: 1 }, callback); // Token is posted. This solution looks hard coded and stupid. If you have more elegant solution, please do tell me.

    Read the article

  • How to match ColdFusion encryption with Java 1.4.2?

    - by JohnTheBarber
    * sweet - thanks to Edward Smith for the CF Technote that indicated the key from ColdFusion was Base64 encoded. See generateKey() for the 'fix' My task is to use Java 1.4.2 to match the results a given ColdFusion code sample for encryption. Known/given values: A 24-byte key A 16-byte salt (IVorSalt) Encoding is Hex Encryption algorithm is AES/CBC/PKCS5Padding A sample clear-text value The encrypted value of the sample clear-text after going through the ColdFusion code Assumptions: Number of iterations not specified in the ColdFusion code so I assume only one iteration 24-byte key so I assume 192-bit encryption Given/working ColdFusion encryption code sample: <cfset ThisSalt = "16byte-salt-here"> <cfset ThisAlgorithm = "AES/CBC/PKCS5Padding"> <cfset ThisKey = "a-24byte-key-string-here"> <cfset thisAdjustedNow = now()> <cfset ThisDateTimeVar = DateFormat( thisAdjustedNow , "yyyymmdd" )> <cfset ThisDateTimeVar = ThisDateTimeVar & TimeFormat( thisAdjustedNow , "HHmmss" )> <cfset ThisTAID = ThisDateTimeVar & "|" & someOtherData> <cfset ThisTAIDEnc = Encrypt( ThisTAID , ThisKey , ThisAlgorithm , "Hex" , ThisSalt)> My Java 1.4.2 encryption/decryption code swag: package so.example; import java.security.*; import javax.crypto.Cipher; import javax.crypto.spec.IvParameterSpec; import javax.crypto.spec.SecretKeySpec; import org.apache.commons.codec.binary.*; public class SO_AES192 { private static final String _AES = "AES"; private static final String _AES_CBC_PKCS5Padding = "AES/CBC/PKCS5Padding"; private static final String KEY_VALUE = "a-24byte-key-string-here"; private static final String SALT_VALUE = "16byte-salt-here"; private static final int ITERATIONS = 1; private static IvParameterSpec ivParameterSpec; public static String encryptHex(String value) throws Exception { Key key = generateKey(); Cipher c = Cipher.getInstance(_AES_CBC_PKCS5Padding); ivParameterSpec = new IvParameterSpec(SALT_VALUE.getBytes()); c.init(Cipher.ENCRYPT_MODE, key, ivParameterSpec); String valueToEncrypt = null; String eValue = value; for (int i = 0; i < ITERATIONS; i++) { // valueToEncrypt = SALT_VALUE + eValue; // pre-pend salt - Length > sample length valueToEncrypt = eValue; // don't pre-pend salt Length = sample length byte[] encValue = c.doFinal(valueToEncrypt.getBytes()); eValue = Hex.encodeHexString(encValue); } return eValue; } public static String decryptHex(String value) throws Exception { Key key = generateKey(); Cipher c = Cipher.getInstance(_AES_CBC_PKCS5Padding); ivParameterSpec = new IvParameterSpec(SALT_VALUE.getBytes()); c.init(Cipher.DECRYPT_MODE, key, ivParameterSpec); String dValue = null; char[] valueToDecrypt = value.toCharArray(); for (int i = 0; i < ITERATIONS; i++) { byte[] decordedValue = Hex.decodeHex(valueToDecrypt); byte[] decValue = c.doFinal(decordedValue); // dValue = new String(decValue).substring(SALT_VALUE.length()); // when salt is pre-pended dValue = new String(decValue); // when salt is not pre-pended valueToDecrypt = dValue.toCharArray(); } return dValue; } private static Key generateKey() throws Exception { // Key key = new SecretKeySpec(KEY_VALUE.getBytes(), _AES); // this was wrong Key key = new SecretKeySpec(new BASE64Decoder().decodeBuffer(keyValueString), _AES); // had to un-Base64 the 'known' 24-byte key. return key; } } I cannot create a matching encrypted value nor decrypt a given encrypted value. My guess is it's something to do with how I'm handling the initial vector/salt. I'm not very crypto-savvy but I'm thinking I should be able to take the sample clear-text and produce the same encrypted value in Java as ColdFusion produced. I am able to encrypt/decrypt my own data with my Java code (so I'm consistent) but I cannot match nor decrypt the ColdFusion sample encrypted value. I have access to a local webservice that can test the encrypted output. The given ColdFusion output sample passes/decrypts fine (of course). If I try to decrypt the same sample with my Java code (using the actual key and salt) I get a "Given final block not properly padded" error. I get the same net result when I pass my attempt at encryption (using the actual key and salt) to the test webservice. Any Ideas?

    Read the article

  • New Book: "Systems Performance: Enterprise and the Cloud"

    - by uwes
    Brendan Gregg, former Solaris kernel engineer at Sun published his new book "Systems Performance: Enterprise and the Cloud" in October. The book is a modern, very comprehensive guide to general system performance principles and practices, as well as a highly detailed reference for specific UNIX and Linux observability tools used to examine and diagnose operating system behaviour. Read a more detailed abstract and review on Harry J Foxwell's Blog entry "Brendan Gregg's "Systems Performance: Enterprise and the Cloud"

    Read the article

  • ATI (fglrx) Dual monitor / laptop hot-plugging

    - by Brendan Piater
    I feel like I've gone back 5 years on my desktop today. I'll try not dump to much frustration here... I been running 12.04 since alpha with the ATI open source drivers and the gnome 3 desktop. I been generally very happy with them with only small issues along the way. Now of course it does not support 3D acceleration 100%, so games like my newly purchased Amnesia from the Humble bundle would not play. OK, no worries, the ATI driver is in the repos so let me have a go I thought. With all this testing that's been done with multi-monitor support, what could go wrong...? How I use my computer: It's laptop, with a HD 3670 card in it. I spend about 50% of the time working directly on the laptop (at home) and about 50% of the time working with an additional display connected (at work), multi desktop environment. What happening now: installed drivers things seemed to working, save some small other bugs (not critical) this morning I take my machine and plug the additional monitor into it, and nothing happens... ok fine. open "displays" try configure dual display, won't work open ati config "thing" (cause it is a thing, a crap thing) and set-up monitors there reboot it says (oh ffs, really.... ok) reboot, login and wow, I got a gnome 2 desktop (presume gnome 3 fall back) and no multi-monitor...great. (screenshot: http://ubuntuone.com/5tFe3QNFsTSIGvUSVLsyL7 ) after getting into a situation where I had to Ctrl + Alt + Del to get out of a frozen display, I eventually manage to set-up a single display desktop on the "main" monitor ok.. time to go home... unplug monitor... nothing happens.. oh boy here we go... try displays again, nothing, just hangs the display.. great. crash all the apps and reboot... So it's been a trying day... What I really hope is that someone else has figured out how to avoid this PAIN. Please help with a solution that: allows me run fglrx (so I can run the games I want) allows me to hot-plug a monitor to my laptop and remove it again allows me to change the display so include the hot-plugged monitor (preferable automatically like it did with the open drivers) Next best if that's not possible: switch between laptop only display and monitor only display easily (i.e. not having to reboot/logout/suspened etc) Really appreciate the time of anyone that has a solution. Thanks in advance. Regards Brendan PS: I guess I should file a bug about this too, so some direction as to the best place to file this would be appreciated too.

    Read the article

  • salted passwords confusion

    - by Vasiliy Stavenko
    I'm setting up email server for the first time and confused with strange thing. I have several user accounts which stored in previous server. Passwords for this accounts are in plain text. But I want to create crypts for them. Mysql (where my users will be stored) have function encrypt(passwd, salt). If no salt given used random value. I discovered that courier uses one certain salt and crypted all passwords with it. So the task done. But I'd like to know if there's a way to define my own salt for my pop3 server?

    Read the article

< Previous Page | 1 2 3 4 5 6 7 8 9 10 11 12  | Next Page >