Great tips.
Although it's not directly relevant to what you're talking about in this video, I'd be a little careful about telling folks they can trust sessions blindly, as those can be hijacked in a variety of ways.
See: http://en.wikipedia.org/wiki/Session_hijacking
@Robort, good point! Thanks for bringing that up.
To clarify, in the screencast I was referring to the data inside the session, not the authenticity of it. Friday I'll be posting about cross site scripting which kind of goes along with this.
Nice 'cast, as always :)
There's a blog about securing RoR applications, http://www.rorsecurity.info/ which covers a wide range of topcis (from security within rails to securing √MySQL installation). HTH :)
This is the best website on the entire planet.
Question:
Why is it that the percentage signs can not be arround the qustionmark in this statement but need to be in the second argument with the params[:query]?
Task.find(:all, :conditions=>["name LIKE ?", '%' + params[:query] + '%' ])
Thanks
Is there any reason Rails shouldn't just escape the "params" and "cookies" hashes, no matter where you put them in your code?
That would mean "escaping" the conditions hash as a whole, which might be harder than escaping each value one by one.
Seems like a good idea to me, just because stuff is easier to understand when written the insecure way - to me at least.
Thanks very much for the episodes and best wishse.
I learned a lot from here.
Here is a short informative post I wrote on SQL injections!
http://www.snailrails.com/2008/1/sql-injection
Great site - very useful - I love it. this episode rocks!
Now beachbody begin! <a href="http://www.p90x-buying.com">P90X Extreme Home Fitness</a> System is the best choice for yourself when you want to have a strong but healthy body, the best place to begin is online shoping. Many Internet sites-such as http://www.p90x-buying.com, have competitive pricing($59.99) and free shipping as well. Even with the shipping cost, you could end up paying less than you would in a local store.
Now beachbody begin! <a href="http://www.p90x-buying.com">P90X Extreme Home Fitness</a> System is the best choice for yourself when you want to have a strong but healthy body, the best place to begin is online shoping. Many Internet sites-such as http://www.p90x-buying.com, have competitive pricing($59.99) and free shipping as well. Even with the shipping cost, you could end up paying less than you would in a local store.
Now beachbody begin! [url=http://www.p90x-buying.com]P90X Extreme Home Fitness[/url] System is the best choice for yourself when you want to have a strong but healthy body, the best place to begin is online shoping. Many Internet sites-such as http://www.p90x-buying.com, have competitive pricing($59.99) and free shipping as well. Even with the shipping cost, you could end up paying less than you would in a local store.
Great site. This could probably have the refactoring tag added t it.
Thanks for sharing. i really appreciate it that you shared with us such a informative post..
Useful and nice episode! High quality low price.It's fit for you. Thanks MattR for sharing that. And thanks Ryan for this great screencast.
Thanks for sharing your article. I really enjoyed it. I put a link to my site to here so other people can read it. My readers have about the same interets
in the screencast I was referring to the data inside the session, not the authenticity of it. Friday I'll be posting about cross site scripting which kind of goes along with this.
I agree with your Blog and I will be back to check it more in the future so please keep up your work. I love your content & the way that you write. It looks like you’ve been doing this for a while now, how long have you been blogging for?
on iTunes
