secure-coding

How to create a temporary file with portable shell in a secure way?

Submitted by 三世轮回 on 2020-01-12 07:33:31
Question: I want to create a temporary file in POSIX shell (/bin/sh). I found out that mktemp(1) doesn't exist on my AIX box, and according to How portable is mktemp(1)?, it isn't that portable and/or secure anyway. So, what should I use instead? Answer 1: Why not use /dev/random? It could be neater with perl but od and awk will do, something like: tempfile=XXX-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}') Answer 2: You didn't exactly define "secure", but one element of it is probably to clean up

The Defined function “mysql_entities_fix_string” in PHP isn't getting called

Submitted by 你离开我真会死。 on 2020-01-06 01:46:33
Question: <?php require_once 'login.php'; require_once 'welcome.php'; $db_server = mysql_connect($db_hostname,$db_username,$db_password); if(!$db_server) die("Unable to connect with MySql : " . mysql_error()); mysql_select_db($db_database) or die("Unable to connect with db"); echo <<<_END <form action = 'ps.php' method = 'post'><pre> Enter your Username <input type = 'text' name = 'username'> Enter your Password <input type = 'text' name = 'password'> <input type = 'submit' value = 'Cl1ck M3'> </pre><

Secure C++ coding practices

Submitted by 不想你离开。 on 2019-12-20 12:34:32
Question: I am looking for a comprehensive record of secure coding practices in C++. Since I haven't found such a list existing here already, we might as well make this into a community wiki for further reference. I am looking for solutions to security issues like stack- and heap-based buffer overflows and underflows, integer overflows and underflows, format string attacks, null pointer dereferencing, heap/memory inspection attacks, etc. NB: Besides coding practices, secure libraries that defend

how does one securely clear std::string?

Submitted by 拟墨画扇 on 2019-12-17 09:41:56
Question: How does one store sensitive data (e.g. passwords) in std::string? I have an application which prompts the user for a password and passes it to a downstream server during connection setup. I want to securely clear the password value after the connection has been established. If I store the password as a char * array, I can use APIs like SecureZeroMemory to get rid of the sensitive data from the process memory. However, I want to avoid char arrays in my code and am looking for something
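
One way to get SecureZeroMemory-like behaviour without dropping to char arrays, as an added example that is not part of the original post or any answer to it: a std::basic_string instantiated on an allocator that scrubs every buffer it releases, plus an explicit wipe() for the moment the secret is no longer needed. The type name secure_string, the helper names and the 64-byte demo buffer are this example's own choices, not anything the question refers to. Note what this does not cover: copies made before the wipe (including any plain std::string the password passed through), the process being swapped or core-dumped (mlock/MADV_DONTDUMP territory), and registers or stack temporaries the compiler created while the string was in use.

```cpp
#include <cstddef>
#include <new>
#include <string>

// Scrub n bytes through a volatile pointer so the optimizer cannot drop the
// stores as dead (the usual problem with a plain memset() before free/return).
inline void secure_zero(void* p, std::size_t n) {
    volatile unsigned char* vp = static_cast<volatile unsigned char*>(p);
    while (n--) {
        *vp++ = 0;
    }
}

// Allocator that scrubs every block before handing it back to the heap. A
// basic_string built on it frees its buffers through deallocate(), so secrets
// do not linger in freed heap memory after reallocation or destruction.
template <class T>
struct zeroing_allocator {
    using value_type = T;

    zeroing_allocator() noexcept = default;
    template <class U>
    zeroing_allocator(const zeroing_allocator<U>&) noexcept {}

    T* allocate(std::size_t n) {
        if (n > static_cast<std::size_t>(-1) / sizeof(T)) {
            throw std::bad_alloc();
        }
        return static_cast<T*>(::operator new(n * sizeof(T)));
    }

    void deallocate(T* p, std::size_t n) noexcept {
        secure_zero(p, n * sizeof(T));
        ::operator delete(p);
    }

    template <class U>
    bool operator==(const zeroing_allocator<U>&) const noexcept { return true; }
    template <class U>
    bool operator!=(const zeroing_allocator<U>&) const noexcept { return false; }
};

// Example type name (hypothetical, chosen for this snippet).
using secure_string =
    std::basic_string<char, std::char_traits<char>, zeroing_allocator<char>>;

// Explicit wipe for the moment the secret is no longer needed. Overwrites all
// bytes the string owns (capacity, not just size), so short strings that live
// inside the object under the small-string optimisation are covered too: the
// allocator never sees those.
inline void wipe(secure_string& s) {
    s.resize(s.capacity(), '\0');   // fill up to capacity: no reallocation
    if (!s.empty()) {
        secure_zero(&s[0], s.size());
    }
    s.clear();
    s.shrink_to_fit();              // a released heap buffer is scrubbed by the allocator
}

inline bool all_zero(const unsigned char* p, std::size_t n) {
    for (std::size_t i = 0; i < n; ++i) {
        if (p[i] != 0) return false;
    }
    return true;
}

// Demonstrates secure_zero on a stack buffer filled with a sentinel pattern.
inline bool scrub_buffer_demo() {
    unsigned char buf[64];
    for (unsigned char& b : buf) b = 0xAA;
    secure_zero(buf, sizeof buf);
    return all_zero(buf, sizeof buf);
}

// Models the flow from the question: hold the password only as long as the
// connection handshake needs it, then wipe. Returns true if nothing is left.
inline bool password_lifecycle(const char* entered) {
    secure_string pw(entered);
    // ... pw.c_str() would be handed to the connection setup here ...
    wipe(pw);
    return pw.empty();
}
```

The allocator handles the case the question is really about (the buffer being reallocated or freed behind your back); wipe() handles the case the allocator cannot see. Call wipe() right after the handshake returns rather than relying on the destructor, since the destructor may run much later than the moment the secret stops being needed.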

Looking for a security code IDE

Submitted by 人走茶凉 on 2019-12-14 04:12:36
Question: I need an IDE that will find problems in my code; those I have tried just don't do it well enough... I've tried Eclipse and IntelliJ IDEA already. Is there any good option? Thank you.. Answer 1: My team recently released a public preview for DevSkim, an open-source IDE plugin that flags security issues as you type them. Think "spell-check for security bugs". It doesn't provide the same level of depth as "real" static analyzers (it's just using regular expressions), but we think it serves an

PHP Serialize Function - Adding serialized data to mysql and then fetch and display

Submitted by 北慕城南 on 2019-12-12 03:16:32
Question: I want to know whether the PHP serialize function is 100% secure, and also, if we store serialized data in a database and want to do something after fetching it, whether that is a good approach. For example: I have a website with different user privileges; now I want to store the permission settings for a particular privilege in my database (this data I want to store is to be produced through the PHP serialize function). Now when a user logs in I want to fetch this data and set the privilege for the customer.

snprintf vs std::stringstream

Submitted by 泄露秘密 on 2019-12-11 03:48:04
Question: I am working on removing SECURITY CODING violations in my product. My code has a lot of sprintf; the Coverity tool is suggesting I use snprintf, but C++ also has std::stringstream. Would it be a good idea to use std::stringstream in place of snprintf? Answer 1: std::stringstream is type-safe, uses operator<<, uses an internal buffer, is part of C++, and is not as fast as sprintf. sprintf is not type-safe, does not use C++ operators, uses an external buffer, and uses an ellipsis, which works only with POD types, inherited from C
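
Both options side by side, as an added example that is not part of the original question or answer: a bounded snprintf wrapper that treats truncation as an error (the part Coverity's "use snprintf" hint does not say out loud), and the std::ostringstream form that has no fixed buffer and no format directive at all. The Formatted struct, the helper names, the size limits and the sample user names are this example's own constructions; the "login user=... attempts=..." line is made up for illustration.

```cpp
#include <cstdio>
#include <cstddef>
#include <sstream>
#include <string>
#include <vector>

struct Formatted {
    bool ok;           // false: output did not fit (or an encoding error occurred)
    std::string text;  // valid only when ok
};

// Bounded replacement for sprintf(). snprintf() never writes more than `limit`
// characters of text, but it returns the length it *would* have produced, so a
// return value >= buffer size means the result was silently cut short. Treating
// that as an error is what turns "no overflow" into "no corrupted data either".
template <class... Args>
Formatted format_checked(std::size_t limit, const char* fmt, Args... args) {
    std::vector<char> buf(limit + 1);  // +1 for the terminating NUL
    int n = std::snprintf(buf.data(), buf.size(), fmt, args...);
    if (n < 0) {
        return {false, ""};            // encoding error
    }
    if (static_cast<std::size_t>(n) >= buf.size()) {
        return {false, ""};            // would have been truncated
    }
    return {true, std::string(buf.data(), static_cast<std::size_t>(n))};
}

// User-controlled text must only ever travel through "%s". Passing it as the
// format string itself is the classic format-string bug; keeping the format a
// literal inside this helper makes that mistake impossible at the call site.
Formatted log_line_checked(std::size_t limit, const std::string& user, int attempts) {
    return format_checked(limit, "login user=%s attempts=%d", user.c_str(), attempts);
}

// The stringstream version: type-safe, no fixed buffer to overflow, no format
// directive for an attacker to hijack. Slower than snprintf on hot paths, but
// the first choice wherever the output ends up in a std::string anyway.
std::string log_line_stream(const std::string& user, int attempts) {
    std::ostringstream os;
    os << "login user=" << user << " attempts=" << attempts;
    return os.str();
}

int main() {
    Formatted f = log_line_checked(32, "alice", 3);
    std::printf("%s %s\n", f.ok ? "ok:" : "too long:", f.text.c_str());
    // A hostile user name full of directives is harmless because it only ever
    // goes through "%s", and a limit that is too small is reported, not truncated.
    Formatted g = log_line_checked(16, "%x%x%x%n", 1);
    std::printf("%s %s\n", g.ok ? "ok:" : "too long:", g.text.c_str());
    std::printf("%s\n", log_line_stream("bob", 1).c_str());
    return 0;
}
```

The practical rule this encodes: snprintf is fine when you already have a fixed buffer (a protocol frame, a log slot) and you check the return value every time; std::ostringstream is the better default when the result is a std::string, because the type system does the bounds and format checking for you.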

Secure API Key Android

Submitted by 社会主义新天地 on 2019-12-10 13:58:06
Question: I am currently working on a project which uses the Blogger API from Google. The day before yesterday (Saturday) someone attacked my application and grabbed the API key. My daily limit for accessing posts is 100,000 (100K/24 hrs). I hit the limit on Saturday (I suspect that those were fraudulent clicks made using my API key, since I've only around 4K customers using the application; I embedded the API key in client-side code). After that, in five minutes the API limit was reached again (after 24 hrs), 5K. So I

Filtering upwards path traversal in Java (or Scala) [closed]

Submitted by 折月煮酒 on 2019-12-08 15:02:31
Question: Closed. This question is off-topic. It is not currently accepting answers. Closed 4 years ago. Are there any standard library methods that can filter out paths which include special traversal sequences, such as ../ and all other convoluted forms of upwards directory traversal, to safeguard a file path API input from traversing upwards of a given "root" path? I have a class that contains a root folder
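
The check the question asks for, written out as an added example rather than anything from the original post, and in C++ rather than Java so that it stays in the language used for the other examples on this page; the algorithm is the same in either. It normalises the user-supplied relative path segment by segment and refuses anything that would climb above the root, rather than string-matching on "../", which misses forms like "a/../../x" and backslash separators. The root "/srv/files", the function names and the sample inputs are constructed for this example. It assumes the input has already been percent-decoded exactly once if it arrived in a URL (so "%2e%2e" is seen as ".."), and that the caller still canonicalises symlinks (realpath or the equivalent) before opening the file, since a symlink inside the root can point anywhere.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Lexically resolves `input` (a user-supplied relative path) against `root`.
// Returns false when the path is absolute, contains NUL, carries a drive or
// stream colon, or would climb above root through any number of "." / ".."
// segments, with "/" and "\\" both treated as separators. On success `out`
// receives the joined path.
bool resolve_under_root(const std::string& root, const std::string& input,
                        std::string& out) {
    if (input.empty() || input.find('\0') != std::string::npos) return false;
    if (input[0] == '/' || input[0] == '\\') return false;   // absolute path
    if (input.find(':') != std::string::npos) return false;   // C:\..., NTFS ADS

    std::vector<std::string> parts;  // normalised segments below root
    std::string seg;
    for (std::size_t i = 0; i <= input.size(); ++i) {
        // A virtual trailing separator flushes the final segment.
        const char c = (i < input.size()) ? input[i] : '/';
        if (c != '/' && c != '\\') {
            seg += c;
            continue;
        }
        if (seg.empty() || seg == ".") {
            // "a//b" and "./" contribute nothing
        } else if (seg == "..") {
            if (parts.empty()) return false;  // would escape the root
            parts.pop_back();
        } else {
            parts.push_back(seg);
        }
        seg.clear();
    }

    std::string result = root;
    for (const std::string& p : parts) {
        result += '/';
        result += p;
    }
    out = result;
    return true;
}

// Convenience wrapper: an empty string means "rejected".
std::string safe_join(const std::string& root, const std::string& input) {
    std::string out;
    return resolve_under_root(root, input, out) ? out : std::string();
}
```

Rejecting rather than "fixing" the path is deliberate: stripping "../" and continuing is what produces the well-known bypasses ("....//" collapsing to "../" after one pass). The ':' rule is conservative for Unix-only code, but it keeps the same input from meaning something different if the service is ever run on Windows.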