Tagged Questions
102
votes
7 answers
6k views
You're hired to fix a small bug for a security-intensive site. Looking at the code, it's filled with security holes. What do you do?
I've been hired by someone to do some small work on a site. It's a site for a large company. It contains very sensitive data, so security is very important. Upon analyzing the code, I've noticed it's ...
3
votes
2 answers
315 views
I need advice developing a sensitive data transfer/storage/encryption system
I got closed on SO and told to post this here as it's about general application design as opposed to specific code.
Intro
I'm currently working on a project which involves the daily extraction of ...
3
votes
1 answer
155 views
Building dedicated codepad in PHP
I am the author of a growing framework, which is focused around User Interface building in PHP. An essential requirement for the upcoming website redesign is the ability to run code examples. I am willing to ...
2
votes
2 answers
233 views
Is having sensitive data in a PHP script secure?
I've heard that PHP is somewhat secure because Apache won't allow the download of raw PHP. Is this reliable, though? For example, if you wanted to password protect something, but didn't want to create ...
0
votes
2 answers
236 views
Is using dirname(__FILE__) a good practice?
Looking at the code of Joomla I see that in the first line of the index, it defines the base path of installation with dirname(__FILE__).
Is this a possible risk for the site? If a non controlled ...
2
votes
1 answer
179 views
Does the deprecation of mysql_* functions in PHP carry over to other databases (MSSQL)?
I'm not talking about MySQL, I'm talking about Microsoft SQL Server
I've been aware of PDO for quite some time now, standard mysql functions are dangerous and should be avoided.
...
4
votes
1 answer
198 views
CSRF Protection with codeigniter
I have very little knowledge of application security. I have often seen that, to protect an application from CSRF attacks, developers use tokens and pass these tokens with the request to validate it. I want to ...
0
votes
5 answers
318 views
Standards & compliances for secure web application development?
I am working with developers right now who write code the way they want, and when I tell them to do it another way they respond that it's just a matter of preference how to do it and they have their way ...
-1
votes
1 answer
223 views
Best Method/Library For Remote Authentication [closed]
I have a web app that has a REST API interface: http://api.example.com/core that uses API Keys and domain specific keys (key has to be used on the specified domain).
I then will have several client ...
1
vote
2 answers
293 views
Provide a URL to a CouchDB document attachment without giving the username/password?
I posted this question on DBA, but it got closed and was never reopened even after I rewrote the whole thing to be more specific. I think it's more appropriate for programmers anyway :)
Background ...
0
votes
3 answers
269 views
API access question
FIRST, THE SCENARIO
We have an internal system that is effectively split into 2 very separate parts across 2 sub-domains, our back-end administrative system for internal access only we will call this ...
1
vote
1 answer
252 views
Is there somewhere I can post code used to hack my site? [closed]
I left a bit of a door open recently on my site. Someone tried to post PHP code to a CMS page editing module, but it wasn't executed.
I have this code and was wondering if there is somewhere I should ...
1
vote
2 answers
387 views
How to do a login page for third party service without letting them sign on?
We have a unique situation (at least for me, first time seeing this).
We have a web form where accountants can fill in requests and that part is taken care of. But after their login we redirect them ...
2
votes
4 answers
485 views
Advice on making sure e-commerce site is secure using PHP and MySQL
Like the title says, I would like some advice from knowledgeable web developers on figuring out security issues for my e-commerce site.
I am designing the database as well as the code that ...
1
vote
2 answers
607 views
Are sessions secure for captcha on failed login?
I don't like writing open-ended questions, but I have a quick security question. I have a PHP login script that shows a CAPTCHA on the third failed login attempt. The way I'm counting failed logins is ...
2
votes
2 answers
498 views
which input sanitization function is better?
Apparently, some of our websites have been hacked by a hack bot. The reason: bad input sanitization. Our boss is giving us this file to put on all our servers to secure them: ...
2
votes
2 answers
488 views
multi-language system and security with php
Firstly sorry for my English.
I'm coding a new site. It's like StackExchange, a social site and a blog. Whatever, I am trying to make it multilanguage; however, I can't decide how to do it.
I have to use ...
15
votes
5 answers
3k views
What best practices should be employed in a PHP login script?
I want to rewrite my login scripts for clients' websites to make them more secure. I want to know what best practices I can implement in this. Password protected control panels are in their ...
15
votes
10 answers
2k views
What attributes of PHP make it insecure? [closed]
It's well known and discussed that PHP has a poor history with relation to security. Is it not a secure language, or are there other reasons for this (such as developer error)?
If PHP is truly ...
13
votes
7 answers
1k views
stackoverflow induced passivity - how to cope?
After not really working on my pet project for a while, I discovered Stackoverflow and upon perusing it more intensely I was quite amazed.
I'm a bit of a perfectionist, so when I found eye-openers ...