Hi, all. I am using Entity Framework and decided to do some dependency injection in order to make my functions more testable. This seemed to bring up a few questions that I found difficult to solve. I guess the difficult part is figuring out the best practice of doing this, rather. So, to cut it short, I'm using Moq for mocking up the context class and the datasets. The class looks something like this: public class Auth { private dbcontext _ctx; public Auth(dbcontext ctx) { _ctx = ctx; } public bool Authenticate(string usr, string psw) { var a = _ctx.accounts.Where( …

I am beginning what appears to be the daunting task of securing all of my code from injections, XSS, etc. I have been reading about some of it and it is a bit overwhelming. I just wanted to come here and ask for experts' advice on the main things I should be concerned about specifically. There is so much on the Net about all of this I am not sure where to begin and I am sure I will miss something and leave at least one (if not multiple) vulnerabilities in my code, hence, allowing anyone access to my DB/tables. …

I love the idea of dependency injection. I started doing pseudo dependency injection on my own before I knew about DI because I was frustrated programming without it. I then discovered Guice. From a program design point of view, I like it a lot. Everything is much more decoupled and testable. But from a programming perspective, I absolutely hate it. First off, using generics (because of type erasure) is a nightmare. Creating factories for everything that has parameterized constructors (basically everything) is almost painful. When I have a generic factory... I sometimes just stop programming and give up. It's too …

I have 1 or actually 2 problems. I have 2 sites; the first one generates a table with avatar, coins, and name (which links to a more detailed view like this `/stats/user/?name=<dynamic name>`). It looks like this: <table> <thead> <tr> <th>#</th> <th>Points</th> <th>Name</th> </tr> </thead> <tbody> <?php error_reporting(E_ALL); define ( 'MYSQL_HOST', 'host' ); define ( 'MYSQL_BENUTZER', 'user' ); define ( 'MYSQL_KENNWORT', 'password' ); define ( 'MYSQL_DATENBANK', 'database' ); $db_link = mysqli_connect ( MYSQL_HOST, MYSQL_BENUTZER, MYSQL_KENNWORT, MYSQL_DATENBANK ); $sql = "SELECT * FROM pun ORDER BY CAST(`coins` AS SIGNED) DESC LIMIT 20"; $db_erg = mysqli_query( $db_link, $sql ); if ( ! …

Hello, what do we call the attack that consists of inserting PHP/JavaScript code into a remote website's pages? Thank you

Good morning all, I'm having a problem with injecting a class into the constructor of another class. I am creating an MVC framework, for learning purposes. In bootstrap.php, it loads the various classes needed and also instantiates a few classes. Code snippet for bootstrap.php below. <?php /** * file: /system/core/Bootstrap.php * System initialization begins here * Retrieve all essential files, and * instantiate classes */ // Start the autoloader require_once(__DIR__.'/../core/Autoload.php'); // Load files from /system/config $autoload->config( array('config', 'paths') ); // Load files from /system/core $autoload->core( array('router', 'template', 'loader', 'database', 'KW_Controller') ); // Load helper files from /system/helpers $autoload->helper( array('formatter', 'date', …

If someone can provide a link with the use of Parameters instead of concatenation

Greetings, I have a site that was created back when the dinosaurs were around, and of course there is a feedback form that wasn't secure and was generating spam via injections. I have implemented my typical measures: CAPTCHA, preg_match, trim, stripslashes, strip_tags, and even preg_replace. Still the spam continues. I have implemented the creation of a txt file to log each submit of the form with the idea of seeing what exactly is being injected to cause this. The problem is nothing is apparent in the log. The only obvious indication is that a drop-down form field right after …

Hello! I want to add a 3rd-party EXE into a form, but the problem is I think it's almost impossible to do without using DLL injection. Before, I tried several methods but all failed. Actually, I tried with VB or VB.NET because I almost don't know C++, but VB or VB.NET have limitations, so I came here to get help. I uploaded the EXE there because the file is 3 MB, so I can't upload it here. Thanks again! https://anonfiles.com/file/118113c4b294a223f66b85765749b14e

Hi, can anyone explain what this vulnerability (Blind SQL Injection) means, and explain attack details 1 and 2?

1. This vulnerability affects /xxxx/. Discovered by: Scripting (Blind_Sql_Injection.script). Attack details: Path Fragment (suffix .html) input - was set to -1' or 61 = '59
2. This vulnerability affects /xxxx/. Discovered by: Scripting (Blind_Sql_Injection.script). Attack details: Path Fragment (suffix .html) input /xxxx/ was set to -1 or 93 = 91

I appreciate your help

Just curious about your thoughts on this subject. **Example:** www.site.com/?id=1 or www.site.com/?id=8adyfa8df614812yasdf (which is also "1", but encrypted) What would you recommend? What do you use? Anyone with pros and/or cons on whether you should encrypt your URL data?

**My thoughts:** Pros (to encrypting URL data):
- Makes it harder for unwanted people to guess IDs, and thus you will have a safer application.
- No one will have the real access keys to your data, as long as they don't know how you've encrypted the URL data.

Cons:
- Longer URLs.
- Uglier URLs.
- Need for extra security checking …

Having just found 'traits' - see http://www.daniweb.com/web-development/php/threads/468928/php-trait-method-conflicts-trait-inheritance#post2043565 I was wondering whether they could be used to share a DB connection object across disparate classes, or would the old singleton or dependency injection methods still be the way to go? I'd value any views on this.

Hi, me again... Just wanted to know: I have this piece of code to enter the data from a registration form of mine into the user DB. I want to use mysql_real_escape_string to help stop those evil people who enjoy hacking from hacking my DB: $query = "INSERT INTO userinformation (username, first_name, last_name, email, password, date_time) VALUES ('$username', '$first_name', '$last_name', '$email', '$password', '$date_time')"; Could someone tell me where I need to put the mysql_real_escape_string function to stop it happening? I am not sure where I place it or how I code it. Thank you, genieuk

I have a snippet of mysql which is filled in with two variables: SELECT `download` FROM `images` WHERE `owner_un`='$owner' AND `url`='$url' The `$url` variable comes directly from a URL variable. This input should only ever contain alphanumeric characters, if this helps. Thanks for any help

A lot of questions in the VB.NET forum are database related. Most of the code that gets posted results in one or more comments like "use parameterized queries to avoid SQL injection attacks". I won't describe the nature of a SQL injection because it is easily looked up via Google. There is a lengthy article at [Wikipedia](http://en.wikipedia.org/wiki/SQL_injection). What I will do here is give two examples of how to create queries using parameters. The first example uses SQLDB and the second uses OLEDB. The major difference between the two is that SQLDB uses named parameters while OLEDB uses positional parameters. …

Hi, I'm new to PHP and I want to know how to prevent SQL injection. Are there any PHP features that can prevent SQL injection?

Hi. I was wondering if somebody could help me. I'm looking for a PHP function to check GET and POST methods for any type of hack or injection, i.e. XSS, PHP, Java, HTML, MySQL injection. The function needs to check the GET or POST methods prior to using them and checking against the database. I would be grateful if somebody could give me an example of how to achieve this. Thanks

Hi there, I have recently been looking into encryption, for MySQL and PHP, to figure out some way to encrypt the information in the database, or more to the point before it goes in, or decrypt it when it comes out. What I'd like to happen is for the info submitted from a form / request to be encrypted on the way in, then again when it is drawn out. I have used MySQL escape real string as a means of stopping unauthorised queries, but I want to go one step further and encrypt the info as well. Any ideas on how …

I want to manually test my sites to check if they are secure against SQL injections. What's a good way to attempt it? How do I get started? Thank you

I've been looking to secure a site that has many queries involved. I've known about mysql_real_escape_string for a while, but recently I ran across prepared statements. I had a few questions about them. Is it a good idea to use both? Is this overkill? When should I use one but not the other? Any other protective coding techniques I should look into for my queries and variables?

I have the following PHP: [CODE]<?php define('DB_NAME', 'database'); define('DB_USER', 'root'); define('DB_PASSWORD', 'password'); define('DB_HOST', 'localhost'); $link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD); if (!$link){ die('Could not connect to database'); } $db_selected = mysql_select_db(DB_NAME, $link); if (!$db_selected) { die('Could not connect to the database'); } $value = htmlspecialchars($_POST['Name']); $value2 = htmlspecialchars($_POST['Email']); $value3 = htmlspecialchars($_POST['Subject']); $value4 = htmlspecialchars($_POST['Message']); $sql = "INSERT INTO Private_Message (Name, Email, Subject, Message) VALUES ('$value', '$value2', '$value3', '$value4')"; if (!mysql_query($sql)){ die('Could not connect to the database'); } mysql_close(); header( 'Location: contact.php' ) ; ?>[/CODE] and the following form: [CODE] <form action="Action.php" method="POST" /> <p>Name (any name you would like me to …

I am currently using MySQL so people can send me a message that shall be stored in the database. The only issue is I have no idea how to protect against SQL injection. Below is my HTML: [CODE]<form action="Action.php" method="POST" /> <p>Name: <input type="text" name="Name" /> </p> <p>Comment: <input type="text" name="Comment" /> </p> <p>Email: <input type="text" name="Email" /> </p> <input type="submit" value="SUBMIT" /> </form>[/CODE] And here is my PHP file: [CODE]<?php define('DB_NAME', 'Database'); define('DB_USER', 'root'); define('DB_PASSWORD', 'GP6G9gb5F5'); define('DB_HOST', 'localhost'); $link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD); if (!$link) { die('Could not connect'); } $db_selected = mysql_select_db(DB_NAME, $link); if (!$db_selected){ die('Could not connect'); …

What is mysql injection and how is it done? Please help me with an example

I find for just numbers type_digit() works great combined with addslashes() but what about for a mixture, to prevent SQL injection?

I was just wondering if it can or not. Otherwise wouldn't this code work great for stopping SQL injection? [code=php] $some_post = addslashes($_POST['some_post']); if (!ctype_alnum($some_post)) { //error } else { //all good } [/code]

Good evening all, First of all, I've been curious about supposedly wrong things in the past. So let me clarify this first: I am in no way trying to hack some program, have malicious intent, or anything of that nature!! That being out of the way, the scenario is as follows: My job requires me to answer a whole lot of questions (working at a service desk). This happens by phone. Now, I have been lucky enough to be entered in a pilot-group to test a program running on my computer that a headset can operate. Long story short, I …

Dear all, I have been using DB operations such as insert, update, select and delete in my program. I have performed these operations using prepared statements. How do I avoid SQL injection in my Java program? *) I want to know the functions to avoid the escape characters in Java. *) Does anyone know what the ways are to implement SQL injection in Java? In PHP, we use addslashes, mysql_real_escape_string, mysql_escape_string etc. Thanks in advance. Thank you, With Regards, Prem

Right now my PHP script is vulnerable to anyone putting a random member_id into the URL and having it execute successfully. How can I encrypt the id="id#" in the URL, so a guest is unable to type in their own id in the posted id retrieved through the URL? [QUOTE]echo "<td><a href='perfectrecords.php?id=" . $row->id . "'>Edit</a></td>";[/QUOTE] [CODE]<?php function html_encode($var) { return htmlentities($var, ENT_QUOTES, 'UTF-8') ; } require_once('auth.php'); ?> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <title>My interns</title> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> </head> <body> <h1> My Interns</h1> <p><b>View All</b> | <a href="../Copy/view-paginated.php">View Paginated</a></p> <?php // connect to the …

Assalamu alaikum, friends. Can someone solve my problem? When I search any keyword on my site, like "kids fashion dresses 2011" or "latest cars 2011", after some time another site opens, but it is the data of my site. It's a problem of vBSEO; someone injected it, or whatever he did. I want to get a solution. What should I do? All my links are on the basis of vBSEO. I installed the XML file again as a solution, but how do I protect it, or what do I have to do for security?
