PHP Security / SQL Security - Part 1

Posted on June 5, 2008 - Filed Under programming

Combining the above techniques to provide stripping of tags, escaping of special shell characters, entity-quoting of HTML and regular expression-based input validation, it is possible to construct secure web scripts with relatively …


Getting Started With CodeIgniter: Part 4 - Security

Posted on June 1, 2008 - Filed Under programming

array($this->input->post('username'), $this->input->post('password')));. As you can see, the query() function has a little-known optional second parameter: an array of values to bind into the SQL. CI will automatically escape …


XSS Vulnerabilities in Common Shockwave Flash Files

Posted on May 30, 2008 - Filed Under security

Do not rely on the "escape()" function. Depending on the context, whitelist, URL encode, and/or HTML entity encode user input in "htmlText" fields. Within your Flash applications, load supporting SWF files, images, and sounds from …


Protect Your Site and Your Users Against Cross-Site Scripting

Posted on May 28, 2008 - Filed Under security

These attacks rely on user input being echoed back to the browser unmodified, so they can be prevented by HTML entity encoding every user-supplied value before it is written into the page. This means encoding characters …

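The two XSS entries above make the same point from different directions: entity encoding is the fix for HTML text, but the right encoder depends on where the value lands, and a javascript: URL survives any amount of encoding. The example below is added here and is not code from either post. It renders one constructed attacker string into four output contexts with PHP's standard functions; the scheme allow-list in safeHref() (http and https only) is an assumption.

```php
<?php
// Added example, not code from either post. One encoder per output context;
// the same constructed attacker input is rendered four ways.
$input = '"><script>alert(document.cookie)</script>';

// 1. HTML text content and quoted attribute values: entity-encode < > & " '.
//    The attribute MUST be quoted in the template for this to be sufficient.
function encodeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// 2. Query-string parameter: percent-encode the value, then HTML-encode the
//    whole URL again when it is placed inside an attribute.
function encodeUrlParam(string $s): string
{
    return rawurlencode($s);
}

// 3. JavaScript string literal inside a <script> block: json_encode with the
//    HEX flags so "</script>", quotes and ampersands cannot break out of the
//    literal or close the element.
function encodeJs(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// 4. href values: encoding is not enough, because "javascript:alert(1)" is a
//    perfectly valid encoded string. Allow-list the scheme instead
//    (assumption: only http and https links are wanted; relative URLs pass).
function safeHref(string $url): string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme === null) {
        return $url; // no scheme: relative URL
    }
    return in_array(strtolower((string) $scheme), ['http', 'https'], true) ? $url : '#';
}

echo '<p>' . encodeHtml($input) . "</p>\n";
echo '<input value="' . encodeHtml($input) . "\">\n";
echo '<a href="/search?q=' . encodeHtml(encodeUrlParam($input)) . "\">search</a>\n";
echo '<script>var q = ' . encodeJs($input) . ";</script>\n";
echo '<a href="' . encodeHtml(safeHref('javascript:alert(1)')) . "\">link</a>\n";
```

Run it and view the output as source: the script tag never appears unencoded in the HTML contexts, the JS literal is a single string, and the javascript: link is replaced by a harmless "#". The same rule applies to Flash htmlText fields: pick the encoder for the context the value ends up in, not a single generic escape function.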

EuroCUP 2008 presentation

Posted on May 12, 2008 - Filed Under filtering input

Because it's used for key input filtering. The JavaScript handler can "return false" to tell the browser to ignore a given key. It's also complicated because things like "control-v" for "paste" and "home" for "go to start of the input" …


Common Security Flaws with PHP Sites

Posted on May 9, 2008 - Filed Under programming

However, many programmers cut corners when it comes to the security of a web site. In this article, I'll go over some of the security blunders that are commonplace among PHP programmers. Non-Validated User Input …


Easy attacks on your website:

Posted on May 8, 2008 - Filed Under security

SQL injection is a technique that exploits a vulnerability in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters …

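The CodeIgniter entry above (query() with a bindings array) and this SQL injection entry describe the same fix from two sides: keep user input out of the SQL text. The example below is added here and is not code from either post. It uses PDO against an in-memory SQLite database (assumes the pdo_sqlite extension) so it runs offline; CodeIgniter's `$this->db->query($sql, $bindings)` applies the same placeholder idea with its own escaping. The table, the stored credential and the attacker input are constructed for the demo.

```php
<?php
// Added example, not code from either post. PDO + in-memory SQLite so it runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, password TEXT)');
// Plaintext password only to keep the demo short; real code compares a password hash.
$db->exec("INSERT INTO users VALUES ('admin', 'correct horse battery staple')");

// Vulnerable: the input is pasted into the SQL text, so a quote inside it
// terminates the string literal and the rest of the input becomes SQL.
function loginVulnerable(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT COUNT(*) FROM users WHERE username = '$user' AND password = '$pass'";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

// Hardened: placeholders. The values travel separately from the statement and
// are never parsed as SQL, so no quote escaping is needed at all.
function loginSafe(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE username = ? AND password = ?');
    $stmt->execute([$user, $pass]);
    return (int) $stmt->fetchColumn() > 0;
}

// Constructed attacker input: the quote closes the literal and "--" comments
// out the password check, so the vulnerable query becomes
//   ... WHERE username = 'admin' --' AND password = 'x'
$user = "admin' --";
$pass = 'x';

// The vulnerable version reports success although the password is wrong;
// the bound version treats "admin' --" as a literal username that nobody has.
var_dump(loginVulnerable($db, $user, $pass));
var_dump(loginSafe($db, $user, $pass));
```

The check a practitioner wants here is the one loginSafe() makes unnecessary: with placeholders there is no quoting step to get wrong, which is why the advice in both entries is "bind, don't escape".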

wiki:plugins:security - Add some material on XSS

Posted on January 1, 1970 - Filed Under programming

It is usually safer to parse the user's input to check that they are only using the permitted attributes, rather than to try to parse out the prohibited attributes. This is often referred to as "whitelisting" the permitted things in …

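The whitelisting approach the entry above recommends means parsing the markup and keeping only what is known to be safe, never pattern-matching for bad things. The example below is added here and is not the wiki plugin's code. It parses an untrusted HTML fragment with PHP's DOMDocument, drops every element and attribute that is not on an allow-list, and rejects href values whose scheme is not http, https or mailto. The allow-list and the sample input are constructed for the demo.

```php
<?php
// Added example, not the wiki plugin's code. Allow-list sanitizer on a parsed DOM.
// tag => permitted attributes (assumed list; everything else is dropped)
const ALLOWED_TAGS = [
    'p'  => [],
    'b'  => [],
    'i'  => [],
    'ul' => [],
    'li' => [],
    'a'  => ['href', 'title'],
];

function safeUrl(string $url): bool
{
    // Browsers ignore tabs and newlines inside a URL ("java\nscript:"), so
    // strip control characters before looking at the scheme.
    $url = preg_replace('/[\x00-\x20]+/', '', $url);
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme === null) {
        return true; // no scheme: relative URL
    }
    return in_array(strtolower((string) $scheme), ['http', 'https', 'mailto'], true);
}

function cleanNode(DOMNode $node): void
{
    // Copy the live child list first: removing nodes while iterating it skips siblings.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!isset(ALLOWED_TAGS[$tag])) {
                $node->removeChild($child); // unknown element: drop it and its subtree
                continue;
            }
            foreach (iterator_to_array($child->attributes, false) as $attr) {
                $name = strtolower($attr->name);
                $keep = in_array($name, ALLOWED_TAGS[$tag], true)
                    && ($name !== 'href' || safeUrl($attr->value));
                if (!$keep) {
                    $child->removeAttribute($attr->name); // onclick, style, javascript: hrefs ...
                }
            }
            cleanNode($child);
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child); // comments, CDATA, processing instructions
        }
    }
}

function sanitizeHtml(string $fragment): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // tag soup produces parser warnings we don't need
    $doc->loadHTML('<?xml encoding="UTF-8"?><body>' . $fragment . '</body>');
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    cleanNode($body);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed attacker input: event handler, javascript: link, script tag,
// inline style and a comment, all of which the allow-list removes.
$dirty = '<p onclick="steal()">Hi <a href="javascript:alert(1)" title="t">x</a>'
       . '<script>alert(1)</script><b style="x:y">bold</b></p><!-- c -->';
echo sanitizeHtml($dirty), "\n";
```

Because the output is re-serialised from the DOM rather than spliced from the input string, malformed markup such as unclosed tags or attribute values containing quotes is normalised by the parser instead of reaching the page as-is.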

Hoogle 3 Security Bug

Posted on January 1, 1970 - Filed Under programming

Enhanced security is one of the many advantages that Haskell offers. It is not possible to overrun a buffer and conduct stack smashing attacks on a Haskell program. Passing query strings will not overwrite global variables, and escaping …


[XSS Info] Re: all lowercase javascript without parenthesis

Posted on January 1, 1970 - Filed Under programming

The escape() method doesn't seem to work. I tried this and it didn't work: 'e setter=eval;u setter=unescape;e=u='%61%6c%65%72%74%28%27%58%53%53%27%29'' I tried doubly escaping it and it didn't work, either: 'e setter=eval;u …

