93 votes, 6 answers, 5k views
You're hired to fix a small bug for a security-intensive site. Looking at the code, it's filled with security holes. What do you do?
I've been hired by someone to do some small work on a site. It's a site for a large company. It contains very sensitive data, so security is very important. Upon analyzing the code, I've noticed it's ...
5 votes, 1 answer, 338 views
Is there a database programming language with encapsulation to prevent the injections?
One of the things that annoys me about SQL is that it can't think in terms of objects, and its lack of encapsulation makes me constantly have to escape commands to prevent injections.
I want a database ...
6 votes, 5 answers, 495 views
Are SQL Injection vulnerabilities in a PHP application acceptable if mod_security is enabled?
I've been asked to audit a PHP application. No framework, no router, no model. Pure PHP. Few shared functions. HTML, CSS, and JS all mixed together. I've discovered numerous places where SQL injection ...
11 votes, 3 answers, 529 views
Is reliance on parametrized queries the only way to protect against SQL injection?
All I have seen on SQL injection attacks seems to suggest that parametrized queries, particularly ones in stored procedures, are the only way to protect against such attacks. While I was working (back ...
1 vote, 2 answers, 415 views
SQL injection attacks: how do I test and secure ColdFusion queries?
I'm running ColdFusion 8 and SQL Server 2008.
I've been building several forms that insert data into the database from external users. We have a custom-built security module built by the guy who ...
5 votes, 7 answers, 297 views
How does one securely and privately address security concerns inside code?
I recently finished a practicum from which I desperately need a recommendation. However, when I was working on the code for the public-facing web portal, I noticed many SQL injection possibilities ...
12 votes, 6 answers, 532 views
Discovered a large security hole in someone else's website… What to do?
A chap I'm bidding to do some development for has a social network he wrote himself.
Not the next facebook by any stretch. But a few thousand local users.
I went to have a look at it to see what ...