Recent Comments
- John Linq on 加州的手機防竊提案讓失竊率下降不少...
- John Linq on 加州的手機防竊提案讓失竊率下降不少...
- 加州的手機防竊提案讓失竊率下降不少... | Gea-Suan Lin's BLOG on 加州的手機防竊提案...
- Gea-Suan Lin on 偵測 Chrome Headless
- othree on 偵測 Chrome Headless
Archives
- August 2017 (24)
- July 2017 (41)
- June 2017 (37)
- May 2017 (59)
- April 2017 (55)
- March 2017 (55)
- February 2017 (35)
- January 2017 (42)
- December 2016 (48)
- November 2016 (32)
- October 2016 (35)
- September 2016 (78)
- August 2016 (69)
- July 2016 (19)
- June 2016 (42)
- May 2016 (61)
- April 2016 (51)
- March 2016 (74)
- February 2016 (87)
- January 2016 (31)
- December 2015 (36)
- November 2015 (61)
- October 2015 (72)
- September 2015 (53)
- August 2015 (42)
- July 2015 (38)
- June 2015 (30)
- May 2015 (18)
- April 2015 (57)
- March 2015 (41)
- February 2015 (50)
- January 2015 (35)
- December 2014 (50)
- November 2014 (56)
- October 2014 (41)
- September 2014 (37)
- August 2014 (37)
- July 2014 (28)
- June 2014 (50)
- May 2014 (32)
- April 2014 (46)
- March 2014 (38)
- February 2014 (29)
- January 2014 (52)
- December 2013 (50)
- November 2013 (45)
- October 2013 (40)
- September 2013 (48)
- August 2013 (22)
- July 2013 (25)
- June 2013 (13)
- May 2013 (16)
- April 2013 (28)
- March 2013 (37)
- February 2013 (36)
- January 2013 (57)
- December 2012 (44)
- November 2012 (10)
- October 2012 (12)
- September 2012 (21)
- August 2012 (21)
- July 2012 (25)
- June 2012 (8)
- May 2012 (10)
- April 2012 (11)
- March 2012 (10)
- February 2012 (11)
- January 2012 (5)
- December 2011 (13)
- November 2011 (12)
- October 2011 (10)
- September 2011 (7)
- August 2011 (5)
- July 2011 (11)
- June 2011 (21)
- May 2011 (22)
- April 2011 (36)
- March 2011 (43)
- February 2011 (23)
- January 2011 (24)
- December 2010 (34)
- November 2010 (19)
- October 2010 (16)
- September 2010 (15)
- August 2010 (10)
- July 2010 (12)
- June 2010 (3)
- May 2010 (3)
- April 2010 (4)
- March 2010 (8)
- February 2010 (14)
- January 2010 (13)
- December 2009 (16)
- November 2009 (28)
- October 2009 (24)
- September 2009 (12)
- August 2009 (7)
- July 2009 (10)
- June 2009 (11)
- May 2009 (22)
- April 2009 (21)
- March 2009 (18)
- February 2009 (7)
- January 2009 (32)
- December 2008 (19)
- November 2008 (12)
- October 2008 (15)
- September 2008 (14)
- August 2008 (15)
- July 2008 (18)
- June 2008 (20)
- May 2008 (19)
- April 2008 (27)
- March 2008 (22)
- February 2008 (21)
- January 2008 (15)
- December 2007 (22)
- November 2007 (17)
- October 2007 (29)
- September 2007 (31)
- August 2007 (34)
- July 2007 (31)
- June 2007 (36)
- May 2007 (23)
- April 2007 (22)
- March 2007 (30)
- February 2007 (50)
- January 2007 (75)
- December 2006 (48)
- November 2006 (59)
- October 2006 (89)
- September 2006 (29)
- August 2006 (48)
- July 2006 (14)
- June 2006 (35)
- May 2006 (62)
- April 2006 (63)
- March 2006 (72)
- February 2006 (83)
- January 2006 (56)
- December 2005 (46)
- November 2005 (60)
- October 2005 (27)
- September 2005 (54)
- August 2005 (83)
Tags
Categories
- Anime (29)
- AWS (421)
- BBS (22)
- Blog (249)
- Book (31)
- Bridge (1)
- Browser (527)
- Cassandra (2)
- CDN (184)
- Cloud (564)
- CMS (58)
- Comic (19)
- Computer (4,459)
- Computer and Network Center (33)
- CSS (69)
- Database (421)
- DNS (127)
- Editor (25)
- Financial (89)
- Firefox (232)
- Food (14)
- FreeBSD (139)
- FTP (3)
- Game (61)
- GCP (4)
- Go (1)
- GoogleChrome (167)
- Hardware (385)
- IE (98)
- Joke (159)
- Lab (4)
- Library (4)
- Linux (174)
- MacOS (30)
- Mail (119)
- MariaDB (19)
- Movie (35)
- Murmuring (4,599)
- Music (49)
- MySQL (295)
- NCTU (65)
- NetBSD (7)
- Network (3,253)
- OpenBSD (8)
- Opera (26)
- OS (390)
- P2P (132)
- Photo (72)
- Political (124)
- PostgreSQL (41)
- Privacy (9)
- Programming (769)
- Recreation (534)
- RSS (79)
- Safari (38)
- Science (99)
- Search Engine (181)
- Security (1,050)
- Service (44)
- SMS (10)
- Social (218)
- Software (2,361)
- Spam (108)
- Sport (10)
- Telephone (117)
- Television (62)
- Usenet (15)
- Vim (14)
- VPN (19)
- Wiki (48)
- Windows (74)
- WWW (1,626)
Blogroll
Meta
Tag Archives: escape
常見搞爆系統的字串
Big List of Naughty Strings 是個測試用的列表,拿他來塞 input 看看系統會不會爆炸出現 500 之類的錯誤 XD 2015 年就有的專案,這幾天又上了 Hacker News 跟 reddit 於是又冒出來了...
cron 裡面的百分比符號 % 有特殊意義...
在試了一陣子後才發現的問題,crontab 裡的百分比符號 % 是特殊字元:「escaping double quotes and percent signs (%) in cron」。 取自 Debian 上的 crontab(5): Percent-signs (%) in the command, unless escaped with backslash (\), will be changed into newline characters, and all data after the first % will … Continue reading
Filter Input & Escape Output...
維基百科上有一篇「Secure input and output handling」說明要怎麼處理 input 與 output (對資安方面的說明)。標題的 Filter Input 與 Escape Output 是 Gasol 之前提到後才知道的名詞,以前只知道要 validate & escape,沒想過一個比較好記的念法... 這邊都以 PHP 為主,其他程式語言也應該會有對應的方式... Input 有很多管道,有可能是使用者或是 3rd party 廠商透過 Form 傳進來的資料 (在 PHP 裡可能是 $_GET 或是 $_POST),也有可能是 cookie 的資料 (因為使用者可以修改,所以視為不安全的資料)。從檔案讀資料進來 (可能是普通的文字檔,或是 … Continue reading
PHP 5.4 的 json_encode 增加 JSON_UNESCAPED_SLASHES...
剛剛翻資料發現 json_encode 奇怪的老問題總算有解... 這樣的程式碼: <?php echo json_encode("http://www.google.com/"), "\n"; 會輸出這樣的結果: "http:\/\/www.google.com\/" 這是合法的 JSON 沒錯 (JSON 規格允許 string 裡面使用 \/),但看起來就很不爽啊,明明 / 就是可以合法輸出的字元... 然後剛剛看到 PHP 5.4.0 加上這些東西: JSON_PRETTY_PRINT, JSON_UNESCAPED_SLASHES, and JSON_UNESCAPED_UNICODE options were added. 測了 JSON_UNESCAPED_SLASHES,看起來舒服多了: <?php echo json_encode("http://www.google.com/", JSON_UNESCAPED_SLASHES), "\n"; 輸出結果是: "http://www.google.com/"
網路安全歡樂記...
在 Twitter 上看到 John Resig 提到一串 reddit 上超歡樂的安全性議題: This thread on /r/PHP is just too good/scary to be true: http://t.co/KwLK37kk0l — John Resig (@jeresig) August 28, 2013 討論串在「Creating a user from the web problem.」這邊。不僅是 escape 的問題,還有給予 web server 過大的權限... 貼圖也很好笑啊 … Continue reading