The correct way to avoid SQL injection attacks, no matter which database you use, is to separate the data from SQL, so that data stays data and will never be interpreted as commands by the SQL parser. It is possible to create SQL statement with correctly formatted data parts, but if you don’t fully understand … Read more
The short answer is NO, PDO prepares will not defend you from all possible SQL-Injection attacks. For certain obscure edge-cases. I’m adapting this answer to talk about PDO… The long answer isn’t so easy. It’s based off an attack demonstrated here. The Attack So, let’s start off by showing the attack… In certain circumstances, that will return more than … Read more
Policykit is a system daemon and policykit authentication agent is used to verify identity of the user before executing actions. The messages logged in /var/log/secure show that an authentication agent is registered when user logs in and it gets unregistered when user logs out. These messages are harmless and can be safely ignored.
A simple way of doing this is to use Password Based Encryption in Java. This allows you to encrypt and decrypt a text by using a password. This basically means initializing a javax.crypto.Cipher with algorithm “AES/CBC/PKCS5Padding” and getting a key from javax.crypto.SecretKeyFactory with the “PBKDF2WithHmacSHA512” algorithm. Here is a code example (updated to replace the less secure MD5-based variant): One problem remains: Where … Read more
A simple way of doing this is to use Password Based Encryption in Java. This allows you to encrypt and decrypt a text by using a password. This basically means initializing a javax.crypto.Cipher with algorithm “AES/CBC/PKCS5Padding” and getting a key from javax.crypto.SecretKeyFactory with the “PBKDF2WithHmacSHA512” algorithm. Here is a code example (updated to replace the … Read more
Does your cacerts.pem file hold a single certificate? Since it is a PEM, have a look at it (with a text editor), it should start with —–BEGIN CERTIFICATE—– and end with —–END CERTIFICATE—– Finally, to check it is not corrupted, get hold of openssl and print its details using openssl x509 -in cacerts.pem -text
Same-origin policy You can’t access an <iframe> with different origin using JavaScript, it would be a huge security flaw if you could do it. For the same-origin policy browsers block scripts trying to access a frame with a different origin. Origin is considered different if at least one of the following parts of the address isn’t maintained: protocol://hostname:port/… Protocol, hostname and … Read more
Tom Scott explains this in his YouTube video: http://a/%%30%30 is decoded as http://a/%00 because %30 is 0 http://a/%00 is then further decoded by another piece of code as http://a/<NULL> because %00 is the NULL character The bug was originally demonstrated by Andris Atteka who simply added a null character to the string.
What is the simplest way of doing two way encryption in common PHP installs? I need to be able to encrypt data with a string key, and use the same key to decrypt on the other end. The security isn’t as big of a concern as the portability of the code, so I’d like to … Read more
That’s probably everyone’s first thought. But it’s a little bit more difficult. See Chris Shiflett’s article SERVER_NAME Versus HTTP_HOST. It seems that there is no silver bullet. Only when you force Apache to use the canonical name you will always get the right server name with SERVER_NAME. So you either go with that or you check the host name against a white … Read more