Search Results

Search found 1303 results on 53 pages for 'injection'.

Page 41/53

  • Lexing partial SQL in C#

    - by Chris T
    I'd need to parse partial SQL queries (it's for a SQL injection auditing tool). For example:

        '1' AND 1=1--

    should break down into tokens like:

        [0] => [SQL_STRING, '1']
        [1] => [SQL_AND]
        [2] => [SQL_INT, 1]
        [3] => [SQL_AND]
        [4] => [SQL_INT, 1]
        [5] => [SQL_COMMENT]
        [6] => [SQL_QUERY_END]

    Are there at least any lexers for SQL that I could base mine off of, or any good tools like bison for C#? (Though I'd rather not write my own grammar, as I need to support most if not all of the grammar of MySQL 5.)

  • How to efficiently SELECT rows from database table based on selected set of values

    - by Chau Chee Yang
    I have a transaction table of 1 million rows. The table has a field named "Code" to keep the customer's ID. There are about 10,000 different customer codes. I have a GUI interface that allows the user to render a report from the transaction table. The user may select an arbitrary number of customers for rendering. I used the IN operator first, and it works for a few customers:

        SELECT * FROM TRANS_TABLE WHERE CODE IN ('...', '...', '...')

    I quickly run into a problem if I select a few thousand customers. There is a limitation when using the IN operator. An alternate way is to create a temporary table with only one field, CODE, and inject the selected customer codes into the temporary table using an INSERT statement. I may then use:

        SELECT A.* FROM TRANS_TABLE A INNER JOIN TEMP B ON (A.CODE=B.CODE)

    This works nicely for a huge selection. However, there is performance overhead for the temporary table creation, the INSERT injection and the dropping of the temporary table. Are you aware of a better solution to handle this situation?

  • What would you like to see in a beginner's ASP.NET security book

    - by blowdart
    This is a shameless information gathering exercise for my own book. One of the talks I give in the community is an introduction to web site vulnerabilities. Usually during the talk I can see at least two members of the audience go very pale; and this is basic stuff, Cross Site Scripting, SQL Injection, Information Leakage, Cross Site Form Requests and so on. So, if you can think back to being one, as a beginning web developer (be it ASP.NET or not) what do you feel would be useful information about web security and how to develop securely? I will already be covering the OWASP Top Ten (And yes this means stackoverflow will be in the acknowledgements list if someone comes up with something I haven't thought of yet!) It's all done now, and published, thank you all for your responses

  • Separation of interfaces and implementation

    - by bonefisher
    From an assembly (or module) perspective, what do you think of the separation of Interface (1st assembly) and its Implementation (2nd assembly)? In this way we can use some IoC container to develop a more decoupled design. Say we have an assembly 'A', which contains interfaces only. Then we have an assembly 'B' which references 'A' and implements those interfaces. It is dependent only on 'A'. In assembly 'C' we can then use the IoC container to create objects of 'A' using dependency injection of objects from 'B'. This way 'B' and 'C' are completely unaware (not dependent) of each other.

  • Is it OK to reference 'this' when initializing a field?

    - by parxier
    Is it OK to reference this when initializing a field?

        public class MainClass {
            private SomeFieldClass field = new SomeFieldClass(this);

            public MainClass() {}
        }

    Or is it better to do that in the constructor?

        public class MainClass {
            private SomeFieldClass field;

            public MainClass() {
                this.field = new SomeFieldClass(this);
            }
        }

    What is the best practice? I believe the first option is better for unit testing and dependency injection. Are there any problems with it?

  • How can I learn when to build my own interfaces

    - by BDotA
    I am using C# and I know what interfaces are and how to use them syntactically, etc., but what I have not learned yet is, when I am tasked to write a project or create a component, how should I learn better about interfaces so that when I want to do something I am able to think about using them in my design? For example, I want to learn about dependency injection, or even using mock objects for testing; these are all related to a good understanding of interfaces and knowing when and how to use them. Can you please provide me some good advice, reading, etc. that can help me with that?

  • Top techniques to avoid 'data scraping' from a website database

    - by Addsy
    I am setting up a site using PHP and MySQL that is essentially just a web front-end to an existing database. Understandably my client is very keen to prevent anyone from being able to make a copy of the data in the database, yet at the same time wants everything publicly available and even a "view all" link to display every record in the db. Whilst I have put everything in place to prevent attacks such as SQL injection attacks, there is nothing to prevent anyone from viewing all the records as HTML and running some sort of script to parse this data back into another database. Even if I were to remove the "view all" link, someone could still, in theory, use an automated process to go through each record one by one and compile these into a new database, essentially pinching all the information. Does anyone have any good tactics for preventing, or even just deterring, this that they could share? Thanks

  • Ninject: Abstract Class

    - by Pickels
    Hello, do I need to do something different in an abstract class to get dependency injection working with Ninject? I have a base controller with the following code:

        public abstract class BaseController : Controller
        {
            public IAccountRepository AccountRepository { get; set; }
        }

    My module looks like this:

        public class WebDependencyModule : NinjectModule
        {
            public override void Load()
            {
                Bind<IAccountRepository>().To<AccountRepository>();
            }
        }

    And this is my Global.asax:

        protected override void OnApplicationStarted()
        {
            Kernel.Load(new WebDependencyModule());
        }

        protected override IKernel CreateKernel()
        {
            return new StandardKernel();
        }

    It works when I decorate the IAccountRepository property with the [Inject] attribute. Thanks in advance.

  • What risks are there in using extracted PHP superglobals?

    - by Zephiro
    Hello, using these functions, what risk do I run of having security problems? Is it necessary to use extract(), or is there some better way to convert the superglobal variables (arrays) into individual variables?

    Good, there is some risk in using the function extract on the superglobal variables such as $_POST and $_GET. I work in the following way. Is there a risk of SQL INJECTION, or is there an alternative to extract?

        if ( get_magic_quotes_gpc() ) {
            $_GET  = stripslashes( $_GET );
            $_POST = stripslashes( $_POST );
        }

        function vars_globals($value = '') {
            if (is_array( $value ))
                $r = &$value;
            else
                parse_str( $value, $r );
            return $r;
        }

        $r = vars_globals( $_GET );
        extract($r, EXTR_SKIP);

  • Stored Procedure with ALTER TABLE

    - by psayre23
    I have a need to sync auto_increment fields between two tables in different databases on the same MySQL server. The hope was to create a stored procedure where the permissions of the admin would let the web user run

        ALTER TABLE [db1].[table] AUTO_INCREMENT = [num];

    without giving it permissions (that just smells of SQL injection). My problem is I'm receiving errors when creating the stored procedure. Is this something that is not allowed by MySQL?

        DROP PROCEDURE IF EXISTS sync_auto_increment;
        CREATE PROCEDURE set_auto_increment (tableName VARCHAR(64), inc INT)
        BEGIN
            ALTER TABLE tableName AUTO_INCREMENT = inc;
        END;

  • Learning SQL White hat Hacking

    - by user301751
    Well, here goes a slightly awkward question. I have changed job roles from Network Admin to SQL Server DBA, thus having to learn SQL Server 2005. I am quite self-motivated and have learned the basics of Transact-SQL and a little about Reporting Services. The only thing is I need to set scenarios, as there's not much coming in at work in the way of SQL tasks. I have always kept my interest in networking by setting little "hacking tasks"; I have had a look at some crackmes but can find nothing to play with. I understand that SQL injection is some sort of SQL hack but found not much on the subject. I know my way of learning might be a bit different from others, but it is all White Hat and keeps my interest. Thanks

  • How can a hacker put a file on my server root (apache, php, 1and1)

    - by mike-sav
    Hi there, I have a site hosted on 1and1, and a couple of weeks ago I noticed a hacker had put a .php file on the server that, when viewed in a browser, exposed my DB schema, DB connection strings, FTP account (for file uploads using a form), etc. Naturally I panicked, and I wiped the server and re-uploaded my files. Fortunately I encrypt passwords using MD5 and I don't store things like credit card details, etc. Now I checked my files, and with all user input I use a clean function (htmlentities, sql_real_escape_string, etc.) that strips the input of any XSS or SQL injection. I have also made sure that the session key gets re-engineered when a user's status changes (like when they log into their account) to prevent session hijacking; my folder permissions are set to 755 and file permissions are 644. Has anyone got any idea how this could have happened? Or if I'm missing something?

  • What is the sense of permitting the user to use no passwords longer than xx chars?

    - by reox
    It's more of a usability question, or maybe database, or even maybe security (consider injection attacks), but what is the sense of limiting the user's password to be not longer than xx chars? It does not make any sense to me, because longer passwords are mostly considered better and even harder to crack, and some users use password safes, so the password length should not matter. I understand that passwords with more than 20 chars are hard to remember, but if you use diceware or a password safe you don't have any problem with that. I really can't understand why there are sites that say "your password needs to be between 5 and 8 chars"... Also, the password should be saved as a hash, so the length of the field in the database is fixed, so where is the problem? I think that most of the sites where the password has to be a fixed length are not even using any hashing method...

  • .Net 4.0 Is There a Business Layer "Technology" ?

    - by Ronny
    Hi, I have a theoretical question about the .NET framework. As I see it, Microsoft gave us a bunch of technologies for different layers. We have ADO.NET, and the more improved Entity Framework, for Data Access. And ASP.NET for the Web UI. And even WCF for Facade and SOA. But what's in the middle; what do we have for the Business Layer? Is it just referenced DLLs? How do we deal with the Application Pulling these days? I remember using COM+ 10 years ago because IIS couldn't handle the pressure. Is Spring.Net the best option available for injection? Thanks, Ronny

  • Java Spring 3.0 MVC Annotation vs COC. What's the preferred method in the Java community?

    - by Athens
    I am using Spring's MVC framework for an application I'm hosting on Google's App Engine. So far, my controllers are registered via the @Controller annotation; however, prior to getting into Spring, I evaluated ASP.NET MVC 2, which requires no configuration and is based on convention. Is convention over configuration (COC) the current and preferred method in the Java community to implement MVC with Spring? Also, this may be a result of my limited knowledge so far, but I noticed that I could only instantiate my Controllers with the required constructor injection if I use the COC method via the ControllerClassNameHandlerMapping. For instance, the following controller bean config will fail if I use the DefaultAnnotationHandlerMapping.

        <bean id="c" class="com.domain.TestController">
            <constructor-arg ref="service" />
        </bean>
        <bean id="service" class="com.domain.Service" />

    My com.domain.TestController controller works fine if I use ControllerClassNameHandlerMapping/COC, but it results in an error when I use DefaultAnnotationHandlerMapping/Annotations.

  • Is php fileinfo sufficient to prevent upload of malicious files?

    - by Scarface
    Hey guys, I have searched around a bit and have not really found a professional-type response on how to have secure file upload capability, so I wanted to get the opinion of some of the experts on this site. I am currently allowing the upload of mp3s and images, and while I am pretty confident in preventing XSS and injection attacks on my site, I am not really familiar with file upload security. I basically just use PHP fileinfo and check an array of accepted file types against the file type. For images, there is the getimagesize function and some additional checks. As far as storing them, I just have a folder within my directory, because I want the users to be able to use the files. If anyone could give me some tips I would really appreciate it.

  • Sticky Footers that move down when dynamic content gets loaded

    - by Dominic Rodger
    I've been using this snippet of jQuery to get a sticky footer:

        if($(document.body).height() < $(window).height()){
            $("#footer").css({
                position: "absolute",
                top: ($(window).scrollTop() + $(window).height() - $("#footer").height()) + "px",
                width: "100%"
            });
        }
        $(window).scroll(positionFooter).resize(positionFooter);

    However, that breaks when I've got expandable/collapsible divs lying around where the original content was less high than the window, since it is then stuck to the bottom of the window, rather than the bottom of the document. Is there a way of fixing this, or a better way of doing it? Please bear in mind that I don't have much control over the HTML, since I need to do this in Django's admin interface, which doesn't allow much injection of HTML in the places you might want to to accomplish this sort of thing (i.e. this answer and this answer don't work for me).

  • PDO::ATTR_EMULATE_PREPARES => false

    - by user264058
    I'm new to PHP and PDO, so I read this response to a similar post:

    > Does PDO really not use prepared statements with mysql? Yes, by default (at least with the version I tested), but native mode can be turned on manually. If not, can it be forced to do so? By employing the PDO::ATTR_EMULATE_PREPARES setting; the name is pretty self-explanatory.
    >
    >     $dbh->setAttribute( PDO::ATTR_EMULATE_PREPARES, false );
    >
    > Should you do that? That's the hardest question of them all. Well, I'd say - yes, you should. If you choose PDO as your db driver, there is no point in using it in the emulation mode.
    >
    > by YOUR COMMON SENSE

    Aren't prepared statements secure from SQL injection? Why change it from true to false?? What is native mode??

  • Why is the EntityManager in my GAE + Spring (+graniteds) project reset to null?

    - by prefabSOFT
    Hi all, I'm having a problem with autowiring my EntityManager. Actually at server startup I can see that the injection works OK, though when trying to use my EntityManager it appears to be null again.

        @Component
        public class DataDaoImpl {
            protected EntityManager entityManager;

            @Autowired
            public void setEntityManager(EntityManager entityManager) {
                System.out.println("Injecting " + entityManager); // works!
                this.entityManager = entityManager;
            }

            public void createData(String key, String value) {
                System.out.println("In createData entityManager is " + entityManager); // entityManager null!?
                ...

    Output:

        Injecting org.datanucleus.store.appengine.jpa.DatastoreEntityManager@a60d19
        The server is running at http://localhost:8888/
        In createData entityManager is null

    So somehow the autowired entityManager is reset to null when trying to use it. It's a graniteds-powered project, though I don't think this is graniteds related. Any ideas? Thanks a lot in advance, Jochen

  • performance of parameterized queries for different db's

    - by tuinstoel
    A lot of people know that it is important to use parameterized queries to prevent SQL injection attacks. Parameterized queries are also much faster in SQLite and Oracle when doing online transaction processing, because the query optimizer doesn't have to reparse every parameterized SQL statement before executing. I've seen SQLite become 3 times faster when you use parameterized queries; Oracle can become 10 times faster when you use parameterized queries in some extreme cases with a lot of concurrency. How about other DBs like MySQL, MS SQL, DB2 and PostgreSQL? Is there an equal difference in performance between parameterized queries and literal queries?

  • How do I search between a date range using the ActiveRecord model?

    - by Russ Bradberry
    I am new to both Ruby and ActiveRecord. I currently have a need to modify an existing piece of code to add a date range in the select. The current piece goes like this:

        ReportsThirdparty.find(:all, :conditions => {:site_id=>site_id, :campaign_id=>campaign_id, :size_id=>size_id})

    Now, I need to add a range, but I am not sure how to do the BETWEEN or >= or <= operators. I guess what I need is something similar to:

        ReportsThirdparty.find(:all, :conditions => {:site_id=>site_id, :campaign_id=>campaign_id, :size_id=>size_id, :row_date=>"BETWEEN #{start_date} AND #{end_date}"})

    Even if this did work, I know that using interpolation here would leave me subject to SQL injection attacks.

  • Ideas for building vulnerabilities into your site?

    - by Jaco Pretorius
    I'm trying to create a programming challenge that would require developers to hack into the MVC site I create. The idea is obviously to teach them about preventing these types of attacks. The current idea I have is to build multiple vulnerabilities into the site, but the second vulnerability would require the first to be completed, etc. So I was thinking the first could be a SQL injection attack, the second would require a modified GET request, etc. Exploiting the final vulnerability would reveal a specific piece of information which is proof that you have completed the entire challenge. This will not be deployed on a public site; it's simply a learning tool for developers at my company. I'm not looking for MVC-specific vulnerabilities; I'm simply using MVC because it allows me to work with the 'raw' HTML. Any ideas on the different vulnerabilities I can use?

  • Scaling Java applications - existing cluster-aware IoC frameworks?

    - by Zoltan
    Most people use some kind of an IoC framework: Guice, Spring, you name it. Many of us need to scale their applications too, so they complicate their lives with Terracotta, Glassfish/JBoss/insert-your-favourite-here clusters. But is it really the way to go? Are you using any of the above? Here are some ideas we currently have implemented in a yet-to-be-opensourced framework, and I'd like to see what you think of it, or maybe "it's a complete ripoff of XY!".

    - cluster-wide object replication: give it a name, and whenever you do something (in any node) on such an object, it will get replicated, with different guarantees
    - transparent soft load balancing: simplest scenario, a RESTful web service method call proxied to another node
    - view-only node injection: inject a proxy to a "named" object, and get your calls automatically proxied to a node

    Would you use something like that? Is there a current, stable, enterprise-ready implementation out there?

  • Passing parameters into ViewModels (Prism)

    - by vXtreme
    Hi, I can't figure out how to pass parameters to my viewmodels from other views or viewmodels. For instance, I have a View called Customers. There is a grid inside, and if you double-click the grid, a new view is supposed to come up and allow you to edit that customer's data. But how will the View(Model) responsible for editing data know which customer it's supposed to open if I can't pass any parameters inside? EventAggregator is out of the question because I obviously can't create hundreds of eventargs, each for one view. And besides, it's a lousy solution. So far I was able to come up with:

        CustomerDataView custView = new CustomerDataView(customerId, currentContext);
        manager.Regions[RegionNames.Sidebar].AddAndActivate(custView);

    What do you think about this particular solution? Is this the way it's normally done? What I don't like about this is the fact that I lose out on automatic dependency injection by Unity.

  • Why doesn't Microsoft release a 'proper' AJAX grid for ASP.Net

    - by Maxim Gershkovich
    Why doesn't Microsoft release a 'proper' AJAX grid for ASP.NET, either as part of Visual Studio or the AJAX Control Toolkit? Has there been any discussion that anyone is aware of regarding this issue? Also, does anyone have any open source suggestions for 'proper' AJAX gridviews? So far I have found one: http://dotnetslackers.com/projects/AjaxDataControls/Default.aspx PS: By proper I mean a grid that actually uses XML responses rather than the nasty HTML/JavaScript-based injection that is the current nastiness of the gridview (EVEN IN VS 2010).
