SQL Injection EXECUTE\EXEC\SP_EXECUTE : Code Review

This review is around the misuse of EXECUTE\EXEC\SP_EXECUTE in stored procedures. To find the at-risk stored procedures, run the query below: SELECT DISTINCT o.name AS Object_Name, o.type_desc FROM sys.sql_modules m INNER JOIN sys.objects o ON m.object_id = o.object_id WHERE m.definition LIKE '%exec%'; Then scan the contents of anything returned. 95% will be eliminated with […]

Balancing User experience UX (usability) versus security

When designing a security system for a website, one of the considerations is user experience versus security. For instance, displaying the following different error messages often leaks information: "file not found", "folder not found", "server error has occurred", "username not found", "email address not found". As someone enters different URLs, information about your website […]

Uploading and Storing Files Safely on a Website

Letting users upload files to a website is an area that requires careful management. Obviously there is a decision to be made around whether to store the file in a database or on the file system. The file should also be virus scanned. Note that in business systems users can often upload files like PDFs that […]

Mark Cookies as HTTPONLY

Marking your cookies as HTTPONLY means that JavaScript code running in most browsers cannot access a user's cookies. This is important because, if a hacker does manage to compromise your site and inject JavaScript, it may be possible for the hacker to steal the values of cookies (including security cookies). If HTTPONLY is set on the cookies […]