Stack Overflow
Stack Overflow

Questions tagged [secure-coding]

Topics related to coding patterns and best practices for avoiding common bugs and security holes.

Failure to adhere to secure coding practices may result in various classes of vulnerabilities such as buffer overflows, integer overflow or wraparound, command-injection, improper sanitation of data, and more. Requirements and best practices for secure coding will differ across programming languages. Manual code reviews and automated evaluation using tools for static or dynamic code analysis can help improve code quality and promote more secure coding.

211 questions
64
votes
8 answers

Which of sprintf/snprintf is more secure?

I wish to know which of these two options is the more secure one to use: #define MAXLEN 255 char buff[MAXLEN + 1] sprintf(buff, "%.*s", MAXLEN, name) snprintf(buff, MAXLEN, "%s", name) My understanding is that both are same. Please suggest.
Arpit
  • 4,259
  • 10
  • 38
  • 43
34
votes
2 answers

What is vulnerable about this C code?

#include #include #include #include #include int main(int argc, char **argv, char **envp) { gid_t gid; uid_t uid; gid = getegid(); uid = geteuid(); setresgid(gid, gid,…
quantumdisaster
  • 567
  • 2
  • 6
  • 12
25
votes
7 answers

how does one securely clear std::string?

How does one store sensitive data (ex: passwords) in std::string? I have an application which prompts the user for a password and passes it to a downstream server during connection setup. I want to securely clear the password value after the…
ajd.
  • 631
  • 1
  • 6
  • 8
19
votes
2 answers

Filtering upwards path traversal in Java (or Scala)

Are there any standard library methods that can filter out paths which include special traversal sequences, such as ../ and all other convoluted forms of upwards directory traversal, to safeguard a file path API input from traversing upwards of a…
matanster
  • 15,072
  • 19
  • 88
  • 167
13
votes
3 answers

How to create a temporary file with portable shell in a secure way?

I want to create a temporary file in POSIX shell (/bin/sh). I found out that mktemp(1) doens't exist on my AIX box, and according to How portable is mktemp(1)?, it isn't that portable and/or secure anyway. So, what should I use instead ?
Steve Schnepp
  • 4,620
  • 5
  • 39
  • 54
12
votes
6 answers

Secure C++ coding practices

I am looking for a comprehensive record of secure coding practices in C++. Since i haven't found such a list existing here already we might as well make this into a community wiki, for further reference. I am looking for solutions to security issues…
Shinnok
  • 6,279
  • 6
  • 31
  • 44
10
votes
2 answers

How to secure database configuration file in project?

I have created on php file for establishing connection with database server. In this file, i am using mysql_connect() function with parameters host, username and password of my database server. public class DatabaseConnect { function…
Kalpana Dixit
  • 449
  • 3
  • 7
  • 19
9
votes
6 answers

checkmarx - How to resolve Stored Absolute Path Traversal issue?

Checkmarx - v 9.3.0 HF11 I am passing env value as data directory path in docker file which used in dev/uat server ENV DATA /app/data/ In local, using following Environment variable DATA=C:\projects\app\data\ getDataDirectory("MyDirectoryName"); //…
StackOverFlow
  • 4,486
  • 12
  • 52
  • 87
9
votes
1 answer

Facebook image URLs - how are they kept from un-authorised users?

I'm interested in social networks and have stumbled upon something which makes me curious. How does facebook keep people from playing with URLs and gaining access to photos they should not? Let me expand, here's an altered example of a facebook…
goose
  • 2,502
  • 6
  • 42
  • 69
7
votes
2 answers

Secure C coding practices

I am looking for a comprehensive record of secure coding practices in C. Since i haven't found such a list existing here already we might as well make this into a community wiki, for further reference. I am looking for solutions to security issues…
Shinnok
  • 6,279
  • 6
  • 31
  • 44
7
votes
2 answers

Veracode Insecure Temporary File error when using java.io.File.createTempFile

I need to create a temporary file and store some data into it. I have written the following code to do so: import org.apache.commons.lang.RandomStringUtils; import java.security.SecureRandom; [...] String random = RandomStringUtils.random(10, 0,…
D.PETIT
  • 161
  • 1
  • 4
7
votes
7 answers

How to correctly use malloc and free memory?

I am wondering what is the right/standard way to use malloc and free. Is it needed to set pointer NULL after free? Basically, which of the two following ways is correct? double* myPtr =…
Ono
  • 1,357
  • 3
  • 16
  • 38
7
votes
4 answers

android: validate the identity of intent sender

I work in a company that produces several apps, not all those apps have the same signature or more like it we have at least 5-6 apps certificates for the time being. We tried to create a mechanism in which all the companie's apps on the same device…
codeScriber
  • 4,582
  • 7
  • 38
  • 62
6
votes
1 answer

PHP Secure Session Login - Best Practice

As part of my web app. This is some code I am considering (I'm not the best of PHP programmers but I programming my own app for a project): // Start session session_start(); // Is the user already logged in? if (isset($_SESSION['username'])) { …
TheBlackBenzKid
  • 26,324
  • 41
  • 139
  • 209
6
votes
2 answers

Checkmarx Java fix for Log Forging -sanitizing user input

Can anyone suggest the proper sanitization/validation process required for the courseType variable in the following getCourses method. I am using that variable to write in a log file. I've tried HtmlUtils.HtmlEscape() but didn't get expected…
NPS
  • 71
  • 1
  • 2
  • 6
1
2 3
14 15