Search Results

Search found 1303 results on 53 pages for 'injection'.

Page 9/53 | < Previous Page | 5 6 7 8 9 10 11 12 13 14 15 16  | Next Page >

  • Are the ASP.net __EVENTTARGET and __EVENTARGUMENT susceptible to SQL injection?

    - by Schleichermann
    A security review was done against one of our ASP.net applications and returned in the test results was a SQL Injection Exposures considered to be a high risk item. The test that was performed passed a SQL statement as the value of the __EVENTTARGET and the __EVENTARGUMENT. I am wondering since these 2 values are ASP.net auto-generated hidden fields used for the Auto-Postback feature of the framework and hold information specific to the controls initiating the postback, is there really the potential for SQL injection if you are never manually calling and or pulling values out of these parameters in your code behind?

    Read the article

  • Are there any differences between SQL Server and MySQL when it comes to preventing SQL injection?

    - by Derek Adair
    I am used to developing in PHP/MySQL and have no experience developing with SQL Server. I've skimmed over the PHP MSSQL documentation and it looks similar to MySQLi in some of the methods I read about. For example, with MySQL I utilize the function mysql_real_excape_string(). Is there a similar function with PHP/SQL Server? What steps do I need to take in order to protect against SQL injection with SQL Server? What are the differences between SQL Server and MySQL pertaining to SQL injection prevention? also - is this post accurate? is the escape string character for SQL Server a single quote?

    Read the article

  • Are there any differences between MSSQL and MySQL when it comes to preventing SQL injection?

    - by Derek Adair
    I am used to developing in PHP/MySQL and have no experience developing with MSSQL. I've skimmed over the PHP MSSQL documentation and it looks similar to MySQLi in some of the methods I read about. For example, with MySQL I utilize the function mysql_real_excape_string(). Is there a similar function with PHP/MSSQL? What steps do I need to take in order to protect against SQL injection with MSSQL? What are the differences between MSSQL and MySQL pertaining to SQL injection prevention?

    Read the article

  • Is there any injection vunerability in the body of an email?

    - by Brett
    Hey guys..... AFAIK there is only a vulnerability within the HEADERS of an email when using user data correct? I am using the below function to sanitize my data, however I have some textarea fields on the page & hence these may contain linebreaks.. so was wondering if that user data is only going to be put in the body of the email, can it not bother with being sanitized - apart from stripping html of course? Here is the function: function is_injected($str) { $injections = array('(\n+)', '(\r+)', '(\t+)', '(%0A+)', '(%0D+)', '(%08+)', '(%09+)' ); $inject = join('|', $injections); $inject = "/$inject/i"; if (preg_match($inject,$str)) { return true; } else { return false; } } As a side note, surprised there wasn't currently a tag for mail-injection / email-injection. Thanks!

    Read the article

  • Dependency Injection Introduction

    - by MarkPearl
    I recently was going over a great book called “Dependency Injection in .Net” by Mark Seeman. So far I have really enjoyed the book and would recommend anyone looking to get into DI to give it a read. Today I thought I would blog about the first example Mark gives in his book to illustrate some of the benefits that DI provides. The ones he lists are Late binding Extensibility Parallel Development Maintainability Testability To illustrate some of these benefits he gives a HelloWorld example using DI that illustrates some of the basic principles. It goes something like this… class Program { static void Main(string[] args) { var writer = new ConsoleMessageWriter(); var salutation = new Salutation(writer); salutation.Exclaim(); Console.ReadLine(); } } public interface IMessageWriter { void Write(string message); } public class ConsoleMessageWriter : IMessageWriter { public void Write(string message) { Console.WriteLine(message); } } public class Salutation { private readonly IMessageWriter _writer; public Salutation(IMessageWriter writer) { _writer = writer; } public void Exclaim() { _writer.Write("Hello World"); } }   If you had asked me a few years ago if I had thought this was a good approach to solving the HelloWorld problem I would have resounded “No”. How could the above be better than the following…. class Program { static void Main(string[] args) { Console.WriteLine("Hello World"); Console.ReadLine(); } }  Today, my mind-set has changed because of the pain of past programs. So often we can look at a small snippet of code and make judgements when we need to keep in mind that we will most probably be implementing these patterns in projects with hundreds of thousands of lines of code and in projects that we have tests that we don’t want to break and that’s where the first solution outshines the latter. Let’s see if the first example achieves some of the outcomes that were listed as benefits of DI. Could I test the first solution easily? Yes… We could write something like the following using NUnit and RhinoMocks… [TestFixture] public class SalutationTests { [Test] public void ExclaimWillWriteCorrectMessageToMessageWriter() { var writerMock = MockRepository.GenerateMock<IMessageWriter>(); var sut = new Salutation(writerMock); sut.Exclaim(); writerMock.AssertWasCalled(x => x.Write("Hello World")); } }   This would test the existing code fine. Let’s say we then wanted to extend the original solution so that we had a secure message writer. We could write a class like the following… public class SecureMessageWriter : IMessageWriter { private readonly IMessageWriter _writer; private readonly string _secretPassword; public SecureMessageWriter(IMessageWriter writer, string secretPassword) { _writer = writer; _secretPassword = secretPassword; } public void Write(string message) { if (_secretPassword == "Mark") { _writer.Write(message); } else { _writer.Write("Unauthenticated"); } } }   And then extend our implementation of the program as follows… class Program { static void Main(string[] args) { var writer = new SecureMessageWriter(new ConsoleMessageWriter(), "Mark"); var salutation = new Salutation(writer); salutation.Exclaim(); Console.ReadLine(); } }   Our application has now been successfully extended and yet we did very little code change. In addition, our existing tests did not break and we would just need add tests for the extended functionality. Would this approach allow parallel development? Well, I am in two camps on parallel development but with some planning ahead of time it would allow for it as you would simply need to decide on the interface signature and could then have teams develop different sections programming to that interface. So,this was really just a quick intro to some of the basic concepts of DI that Mark introduces very successfully in his book. I am hoping to blog about this further as I continue through the book to list some of the more complex implementations of containers.

    Read the article

  • How should be test with phpunit for xss + sql injection?

    - by Yosef
    Hi, How should be test with phpunit php web application for xss + sql injection? I thinking to find program that output xss+ other attacks to test my application forms. This program/service should be all time updated with new xss and other new attacks. Does such service/program exist, if not how it done today? Please give some examples if you can. (I use php 5.3 + zend framework + mysql) Thanks, Yosef

    Read the article

  • Must Dependency Injection come at the expense of Encapsulation?

    - by urig
    If I understand correctly, the typical mechanism for Dependency Injection is to inject either through a class' constructor or through a public property (member) of the class. This exposes the dependency being injected and violates the OOP principle of encapsulation. Am I correct in identifying this tradeoff? How do you deal with this issue? Please also see my answer to my own question below.

    Read the article

  • Avoiding SQL Injection in SQL query with Like Operator using parameters?

    - by MikeJ
    Taking over some code from my predecessor and I found a query that uses the Like operator: SELECT * FROM suppliers WHERE supplier_name like '%'+name+%'; Trying to avoid SQL Injection problem and parameterize this but I am not quite sure how this would be accomplished. Any suggestions ? note, I need a solution for classic ADO.NET - I don't really have the go-ahead to switch this code over to something like LINQ.

    Read the article

  • Projects with browsable source using dependency injection w/ guice?

    - by André
    I often read about dependency injection and I did research on google and I understand in theory what it can do and how it works, but I'd like to see an actual code base using it (Java/guice would be preferred). Can anyone point me to an open source project, where I can see, how it's really used? I think browsing the code and seeing the whole setup shows me more than the ususal snippets in the introduction articles you find around the web. Thanks in advance!

    Read the article

  • Database Activity Monitoring Part 2 - SQL Injection Attacks

    If you think through the web sites you visit on a daily basis the chances are that you will need to login to verify who you are. In most cases your username would be stored in a relational database along with all the other registered users on that web site. Hopefully your password will be encrypted and not stored in plain text.

    Read the article

  • WordPress injection?

    - by saul
    I don't really know how to express my problem, so bear with me. This is a bit hard to explain. I have a Wordpress installation, the latest, and often (once a day) my site redirects users to the /wp-admin/install.php file. Asking for my login credentials of course. I have tried reinstalling WordPress and still have not been able to figure what they are doing. That happens regularly. Also, a few hours later, I am able to see my site normally. Hope this makes sense. I suspect there myst be some database DoS that allows them to inject a redirect of some sort into my admin area, thus redirecting the user to said directory (install.php). But that's just me. I really have no clue what else could they be doing. I looked at the source code from several php files and noted some of them don't include a ? tag. Could that be an issue? My hosting company is iPage, I've contacted them and they say there's nothing wrong with my files. Anyone have a clue? I can paste the code to any source file.

    Read the article

  • Wp-count Malware Injection [closed]

    - by Amar Ryder
    I received a malware notification from Google Webmaster tools yesterday for my blog which is running on Wordpress. After going through website I found that there is a file called wp-count.php creating malware code. I tried to delete that but it reappears again and again so I have erased coding inside. Now its there without coding but still I think it may be any other codes which are effect my website. How can I fix it?

    Read the article

  • Castle Windsor Dependency Injection with MVC4

    - by Renso
    Problem:Installed MVC4 on my local and ran a MVC3 app and got an error where Castle Windsor was unable to resolve any controllers' constructor injections. It failed with "No component for supporting the service....".As soon as I uninstall MVC4 beta, the problem vanishes like magic?!I also tried to upgrade to NHibernate 3 and Castle and Castle Windsor to version 3 (from version 2), but since I use Rhino Commons, that is not possible as the Rhino Commons project looks like is no longer supported and requests to upgrade it to work with NHibernate version 3 two years ago has gone unanswered. The problem is that Rhino Commons (the older version) references a method in Castle version 2 that has been depreciated in version 3: "CreateContainer("windsor.boo")' threw an exception of type 'System.MissingMethodException."Hope this helps anyone else who runs into this issue. Btw I used NuGet package manager to install the correct packages so I know that is not the issue.

    Read the article

  • Database Context and Singleton injection with IoC

    - by zaitsman
    All of the below relates to a ASP.NET c# app. I have a Singleton Settings MemoryCache that reads values from database on first access and caches these, then invalidates them using SQL Service Broker message and re-reads as required. For the purposes of standard controllers, i create my Db Context in a request scope. However, this obviously means that i can't use the same context in the Settings Cache class, since that is a singleton and we have a scope collision. At the moment, i ended up with two db contexts - the Controllers get it via IoC container, whereas a Singleton just creates it's own. However, i am not satisfied with this approach (mostly due to the way i feel about two contexts, the cache doesn't set anything on the db hence concurrency is not an issue as much). What is a better way to do it?

    Read the article

  • Is this sufficient to prevent query injection while using SQL Server?

    - by Derek Adair
    Hi, I have recently taken on a project in which I need to integrate with PHP/SQL Server. I am looking for the quickest and easiest function to prevent SQL injection on SQL Server as I prefer MySQL and do not anticipate many more SQL Server related projects. Is this function sufficient? $someVal = mssql_escape($_POST['someVal']); $query = "INSERT INTO tblName SET field = $someVal"; mssql_execute($query); function mssql_escape($str) { return str_replace("'", "''", $str); } If not, what additional steps should I take?

    Read the article

  • Login code sample which has been hacked via SQL Injection, although mysql_real_escape_string...

    - by artmania
    Hi friends, I use CodeIgniter, and having trouble with hacking :( is it possible to make SQL Injection to the login code below: function process_login() { $username = mysql_real_escape_string($this->input->post('username')); $password = mysql_real_escape_string(MD5($this->input->post('password'))); //Check user table $query = $this->db->getwhere('users', array('username'=>$username, 'password'=>$password)); if ($query->num_rows() > 0) { // success login data Am I using the mysql_real_escape_string wrong? or what? Appreciate helps!

    Read the article

  • C# dependency injection - how to you inject a dependency without source?

    - by Phil Harris
    Hi, I am trying to get started with some simple dependency injection using C# and i've run up against an issue that I can't seem to come up with an answer for. I have a class that was written by another department for which I don't have the source in my project. I wanted to inject an object of this type though a constructor using an interface, but of course, i can't change the injected objects implementation to implement the interface to achieve polymorphism when casting the object to the interface type. Every academic example I have ever seen of this technique has the classes uses classes which are declared in the project itself. How would I go about injecting my dependency without the source being available in the project? I hope that makes sense, thanks.

    Read the article

  • Are PDO prepared statements sufficient to prevent SQL injection?

    - by Mark Biek
    Let's say I have code like this: $dbh = new PDO("blahblah"); $stmt = $dbh->prepare('SELECT * FROM users where username = :username'); $stmt->execute( array(':username' => $_REQUEST['username']) ); The PDO documentation says The parameters to prepared statements don't need to be quoted; the driver handles it for you. Is that truly all I need to do to avoid SQL injections? Is it really that easy? You can assume MySQL if it makes a difference. Also, I'm really only curious about the use of prepared statements against SQL injection. In this context, I don't care about XSS or other possible vulnerabilities.

    Read the article

  • C# - Copy dlls to the exe output directory when using dependency injection with no references?

    - by NotDan
    I have a C# solution that I am using dependency injection to resolve references between dlls. I have an exe project and some other dll projects that are not referenced by the exe (It uses the dlls through the IoC container). The project settings are the default, visual studio settings where it builds each dll in it's own folder. Since the exe doesn't reference the dlls, they never get copied to the output directory of the exe and don't get found by the IoC framework. How do you handle this? Do you build them all in the same directory? Use post build copy commands? Or something else?

    Read the article

  • What is the business case for a dependency injection (DI) framework?

    - by kalkie
    At my company we want to start using a dependency injection (DI) framework for managing our dependencies. I have some difficulty with explaining the business value of such a framework. Currently I have come up with these reasons. Less source code, delete all the builder patterns in the code. Increase in flexibility. Easier to switch dependencies. Better separation of concern. The framework is responsible for creating instances instead of our code. Has anybody else had to persuade management? How did you do that? What reasons did you use?

    Read the article

< Previous Page | 5 6 7 8 9 10 11 12 13 14 15 16  | Next Page >