In my Rails Best Practices slides, I only give simple code without any description (unless you heard my talk :p), so let me explain here.

My point is: “If you use RESTful design, you should NOT use the default route.” Why?

For example:

map.resources :users
map.connect ':controller/:action/:id'
map.connect ':controller/:action/:id.:format'

You expect that only “PUT /users/1” will update user data, but because you keep the default route, “GET /users/update/1?user[email]=foobar@example.org” still works!!

In the same way, “GET /users/create” and “GET /users/destroy/1” work too!! Even worse, these GET requests can create/update/destroy data without Request Forgery Protection :/ Rails does not check CSRF for HTTP GET.

Conclusion: remove the default route; use purely resource-based routes, plus named routes for special purposes.
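To make the point checkable, here is an added example (written for this post, not code from the original or from Rails itself): a small model of Rails 2 route recognition that mimics `map.resources` and `map.connect` just far enough to compare the two routing tables. The `Router`, `unsafe_get_paths` and `PROBES` names are my own; the paths probed are the ones from the post above. The check lists which GET paths reach a state-changing action, so it doubles as a regression test you can keep next to your routes.

```ruby
# Added example (not from the original post): a minimal model of Rails 2
# route recognition. It is NOT Rails' router; it only reproduces the
# behaviour that matters here: resource routes are verb-restricted, the
# default route matches any verb, and the first matching route wins.
Route = Struct.new(:verb, :pattern, :defaults)

class Router
  def initialize
    @routes = []
  end

  # Equivalent of `map.resources :users`: the seven REST actions, each bound
  # to one HTTP verb (ordered so /users/new wins over /users/:id).
  def resources(name)
    c = name.to_s
    [[:get,    "/#{c}",          'index'],
     [:post,   "/#{c}",          'create'],
     [:get,    "/#{c}/new",      'new'],
     [:get,    "/#{c}/:id/edit", 'edit'],
     [:get,    "/#{c}/:id",      'show'],
     [:put,    "/#{c}/:id",      'update'],
     [:delete, "/#{c}/:id",      'destroy']].each do |verb, pattern, action|
      @routes << Route.new(verb, pattern, { 'controller' => c, 'action' => action })
    end
    self
  end

  # Equivalent of `map.connect ':controller/:action/:id'`: matches ANY verb,
  # and :id is optional, like the Rails 2 default route. (The `.:format`
  # variant from the post behaves the same for this purpose and is omitted.)
  def connect(pattern)
    @routes << Route.new(:any, "/#{pattern}", {})
    self
  end

  # First matching route wins; returns the params hash, or nil if unroutable.
  def recognize(verb, path)
    path = path.split('?', 2).first # the query string plays no part in routing
    @routes.each do |route|
      next unless route.verb == :any || route.verb == verb
      params = match(route.pattern, path, route.verb == :any)
      return route.defaults.merge(params) if params
    end
    nil
  end

  private

  def match(pattern, path, optional_id)
    pat = pattern.split('/')
    seg = path.split('/')
    pat = pat[0...-1] if optional_id && pat.last == ':id' && pat.size == seg.size + 1
    return nil unless pat.size == seg.size
    params = {}
    pat.zip(seg).each do |p, s|
      if p.start_with?(':')
        params[p[1..-1]] = s
      elsif p != s
        return nil
      end
    end
    params
  end
end

MUTATING_ACTIONS = %w[create update destroy].freeze

# Defender's check: which GET paths reach a state-changing action?
# (Rails skips CSRF verification for GET, so every hit here is a real gap.)
def unsafe_get_paths(router, probes)
  probes.select do |path|
    params = router.recognize(:get, path)
    params && MUTATING_ACTIONS.include?(params['action'])
  end
end

# Probe paths taken from the post; the query string is the one quoted there.
PROBES = ['/users/1',
          '/users/update/1?user[email]=foobar@example.org',
          '/users/destroy/1'].freeze

def with_default_route
  Router.new.resources(:users).connect(':controller/:action/:id')
end

def restful_only
  Router.new.resources(:users)
end

if __FILE__ == $PROGRAM_NAME
  puts "with default route: #{unsafe_get_paths(with_default_route, PROBES).inspect}"
  puts "resources only:     #{unsafe_get_paths(restful_only, PROBES).inspect}"
end
```

With the default route present, both `/users/update/1` and `/users/destroy/1` are reachable by GET and dispatch to `update` and `destroy`; with `map.resources :users` alone, the same paths are unroutable while `PUT /users/1` still reaches `update`. In a real application the same assertions can be written with Rails' routing assertions against `config/routes.rb`.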

PHP Security Guide

by ihower

This week I finished reading the PHP Security Guide ( http://phpsec.org/projects/ ); it is a pretty good document.

The most basic steps: 1. assume users may be malicious; 2. educate yourself on security; 3. filter all data that comes from outside. A few key points are noted below.

MD5 資料庫

by ihower

http://gdataonline.com/seekhash.php

Terrifying… Try throwing an MD5 hash in there…
If it can be reversed, change your password right away!!~~