When articles talk about parameterized queries stopping SQL attacks they don’t really explain why, it’s often a case of “It does, so don’t ask why” — possibly because they don’t know themselves. A sure sign of a bad educator is one that can’t admit they don’t know something. But I digress. When I say I … Read more
This is a little code that allows you to send message to a backgrounded application. To send the “A” char for example, simply call sendKeystroke(Keys.A), and don’t forget to use namespace System.windows.forms to be able to use the Keys object. using System; using System.Collections.Generic; using System.Linq; using System.Text; using System.Runtime.InteropServices; using System.Windows.Forms; namespace keybound { … Read more
Although windows supports shared memory through its file mapping API, you can’t easily inject a shared memory mapping into another process directly, as MapViewOfFileEx does not take a process argument. However, you can inject some data by allocating memory in another process using VirtualAllocEx and WriteProcessMemory. If you were to copy in a handle using … Read more
This “feature” can be disabled by sending the non-standard HTTP header X-XSS-Protection on the affected page. X-XSS-Protection: 0
You think that’s it? Check this out. Whatever approach you take, you definitely need to use a whitelist. It’s the only way to even come close to being safe about what you’re allowing on your site. EDIT: I’m not familiar with .NET, unfortunately, but you can check out stackoverflow’s own battle with XSS (https://blog.stackoverflow.com/2008/06/safe-html-and-xss/) and … Read more
mysql_real_escape_string used when insert into database htmlentities() used when outputting data into webpage htmlspecialchars() used when? strip_tags() used when? addslashes() used when? htmlspecialchars() used when? htmlspecialchars is roughly the same as htmlentities. The difference: character encodings. Both encode control characters like <, >, & and so on used for opening tags etc. htmlentities also encode … Read more
Any query can be injected whether it’s read or write, persistent or transient. Injections can be performed by ending one query and running a separate one (possible with mysqli), which renders the intended query irrelevant. Any input to a query from an external source whether it is from users or even internal should be considered … Read more
First of all, public static non-final fields are evil. Spring does not allow injecting to such fields for a reason. Your workaround is valid, you don’t even need getter/setter, private field is enough. On the other hand try this: @Value(“${my.name}”) public void setPrivateName(String privateName) { Sample.name = privateName; } (works with @Autowired/@Resource). But to give … Read more