Relative Content

Tag Archive for security

Building a dedicated codepad in PHP

I am the author of a growing framework, which is focused around user interface building in PHP. An essential requirement for the upcoming website redesign is the ability to run code examples. I am willing to extend this option to add-on authors, which would mean other people will be able to execute code on my server.

Name for sanitizing at the right time?

Recently we had an issue on our site where someone attempted SQL injection via a cookie (we’ll call it lastID). The NOC was in a frenzy and angry about how the cookie as an attack vector could be ignored. They had a developer create a class for managing cookies that will sanitize lastID (and eventually other cookies) to check that it is numeric.

Is the use of security conditionals in a view a violation of MVC?

Often what’s displayed to a user (e.g. on a web page) will be based partly on security checks. I usually consider user-level / ACL security to be part of the business logic of a system. If a view explicitly checks security to conditionally display UI elements, is it violating MVC by containing business logic?

Should F12’s request headers show the session ID as a cookie?

I’m trying to educate myself on potential web attacks. I just found a site (which will remain anonymous) where it shows me what looks like the PHP session ID inside the cookies section of the request header.
My immediate reaction was “wow, that’s bad”… but then I couldn’t really come up with a scenario as to how someone could use this to mess up the site.
But maybe it’s because I’m a newbie to this stuff.
But assuming that I got someone else’s session ID… I’d have to hack the site with their session ID before it expires, right?

Reveal detailed license errors?

So after one has programmed and integrated a licensing solution into his or her application, how should one deal with licensing errors?

Hardware key removal on a test system

One of my company’s applications still requires a hardware key to run, but we’re currently in the process of removing that requirement and replacing it with an online check. The issue we are having is that we allow our customers to set up test systems with copies of their live databases. With the hardware keys, that isn’t a problem, as they get a special key that tells the software it is a test, but we’re trying to figure out a way to do this with a software-only check. Our only idea so far is to check the hardware against a registered list in the database, but before we implement this, I want to ask how others have solved similar problems.