
Clickjacking protection in IIS7

Configure IIS to prevent Clickjacking

Follow these steps:

  • Open Internet Information Services (IIS) Manager.
  • In the Connections pane on the left side, expand the Sites folder and select the site that you want to protect.
  • Double-click the HTTP Response Headers icon in the feature list in the middle.
  • In the Actions pane on the right side, click Add.
  • In the dialog box that appears, type X-Frame-Options in the Name field and type SAMEORIGIN in the Value field.
  • Click OK to save your changes.

Prevention of Web Page Caching – PHP


Add the following code to the page to prevent it from being cached:

header('Cache-Control: no-cache, no-store, must-revalidate');
header('Pragma: no-cache'); 
header('Expires: 0');


Prevention of Web Page Caching – JAVA


Add the following code to the page to prevent it from being cached:

response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
response.setHeader("Pragma", "no-cache");
response.setDateHeader("Expires", 0);


Prevention of Web Page Caching – ASP.NET


Add the following code to the page to prevent it from being cached:

Response.AppendHeader("Cache-Control", "no-cache, no-store, must-revalidate");
Response.AppendHeader("Pragma", "no-cache"); 
Response.AppendHeader("Expires", "0");
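As an added example (not code from the original article), the following script checks a captured HTTP response for the X-Frame-Options and no-cache headers described in the sections above; the two sample responses are constructed for illustration.

```python
# Added example (not part of the original article): check a captured HTTP
# response for the X-Frame-Options and cache-control headers described above.
# The two sample responses at the bottom are constructed for illustration.

REQUIRED_CACHE_DIRECTIVES = {"no-cache", "no-store", "must-revalidate"}
ALLOWED_FRAME_OPTIONS = {"DENY", "SAMEORIGIN"}


def parse_response_headers(raw):
    """Split a raw HTTP/1.x response into (status line, {lower-cased name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, _, header_block = head.partition("\r\n")
    headers = {}
    for line in header_block.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:  # header names are case-insensitive
            headers[name.strip().lower()] = value.strip()
    return status_line, headers


def audit_headers(headers):
    """Return a list of findings; an empty list means both protections are present."""
    findings = []
    if headers.get("x-frame-options", "").upper() not in ALLOWED_FRAME_OPTIONS:
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN (clickjacking)")
    directives = {d.strip().lower() for d in headers.get("cache-control", "").split(",")}
    missing = REQUIRED_CACHE_DIRECTIVES - directives
    if missing:
        findings.append("Cache-Control lacks: " + ", ".join(sorted(missing)))
    if headers.get("pragma", "").lower() != "no-cache":
        findings.append("Pragma: no-cache missing (needed for HTTP/1.0 caches)")
    if headers.get("expires") != "0":
        findings.append("Expires: 0 missing")
    return findings


# Constructed sample responses: one with the headers from the article, one without.
HARDENED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            "X-Frame-Options: SAMEORIGIN\r\n"
            "Cache-Control: no-cache, no-store, must-revalidate\r\n"
            "Pragma: no-cache\r\nExpires: 0\r\n\r\n<html></html>")
WEAK = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        "Cache-Control: private, max-age=60\r\n\r\n<html></html>")

if __name__ == "__main__":
    for label, raw in (("hardened", HARDENED), ("weak", WEAK)):
        _, hdrs = parse_response_headers(raw)
        print(label, audit_headers(hdrs) or ["OK"])
```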


Setting Session Timeout – Apache

Method #1: In php.ini

Add the following line to php.ini (the value is in seconds; session data older than this becomes eligible for garbage collection):

session.gc_maxlifetime = 1000

Method #2: Using .htaccess

Add the following line to .htaccess (ini_set() is a PHP function and cannot be used in .htaccess; the php_value directive sets the same option):

php_value session.gc_maxlifetime 1000

Method #3: In httpd.conf

Add the following line to httpd.conf:

Timeout 1000

(The number denotes seconds. Note that Apache's Timeout directive limits how long the server waits for I/O on a connection; PHP session expiry itself is governed by session.gc_maxlifetime.)


Setting Session Timeout – ASP.NET

Method #1: In web.config

Add the following to web.config (in this example the timeout is set to 15 minutes):

    <system.web>
        <sessionState timeout="15" />
    </system.web>

Method #2: In Global.asax

Add the following to the Session_Start event of Global.asax (Session.Timeout is in minutes):

void Session_Start(object sender, EventArgs e)
{
    Session.Timeout = 15;
}


Setting Session Timeout – Java


In a servlet, call the setMaxInactiveInterval method on the session object (the argument is in seconds):

HttpSession session = request.getSession();
session.setMaxInactiveInterval(900);

(In this example, the session timeout is set to 900 seconds.)


Set timeout through web.xml

<session-config>
    <session-timeout>10</session-timeout>
</session-config>

(Here the timeout is 10 minutes; session-timeout is specified in minutes.)


SQLi – PHP Secure Coding

Method #1
Escaping special characters in a string for use in an SQL statement (note: the mysql_* extension used here was removed in PHP 7; on current PHP use Method #2):

  $name = mysql_real_escape_string( $_POST['name'] );
  $pwd  = mysql_real_escape_string( $_POST['pwd'] );
  $str_sql = "SELECT * from `tbl_users` WHERE " .
             "usr_name='" . $name . "' AND " .
             "usr_pwd='" . $pwd . "'";
  $result = mysql_query( $str_sql ) or die ( mysql_error() );

Method #2
Using prepared statements and parameterized queries:

Case #1
When connecting to the database (disabling emulated prepares makes the MySQL server itself handle the parameters):

  $pdo = new PDO('mysql:dbname=db;host=;charset=utf8', 'username', 'password');

  $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

Case #2
When retrieving data

  $stmt = $pdo->prepare('SELECT * FROM tables WHERE name = :name');
  $stmt->execute(array(':name' => $name));
  foreach ($stmt as $row) {
      echo $row[0];
  }

Case #3
When inserting

   $preparedStatement = $pdo->prepare('INSERT INTO table (column) VALUES (:column)');
   $preparedStatement->execute(array(':column' => $unsafeValue));

The same technique applies to UPDATE and DELETE statements.


SQLi – ASP.NET Secure Coding

Using Parameterized Queries / Prepared Statements

The use of parameterized stored procedures is an effective mechanism to avoid most forms of SQL Injection. Parameterized queries do proper substitution of arguments prior to running the SQL query. They completely remove the possibility of "dirty" input changing the meaning of your query.

// Build the query statement using a parameterized query.
string sql = "SELECT UserId FROM Users WHERE UserName = @UserName AND Password = @Password";
using (SqlCommand cmd = new SqlCommand(sql))
{
    // Create the parameter objects as specifically as possible.
    cmd.Parameters.Add("@UserName", System.Data.SqlDbType.NVarChar, 50);
    cmd.Parameters.Add("@Password", System.Data.SqlDbType.NVarChar, 25);
    // Add the parameter values. Validation should have already happened.
    cmd.Parameters["@UserName"].Value = UserName;
    cmd.Parameters["@Password"].Value = Password;
    cmd.Connection = connection;
    try
    {
        var userId = cmd.ExecuteScalar();
    }
    catch (SqlException sx)
    {
        // Handle exceptions before moving on.
    }
}


SQLi – JAVA Secure Coding

Use PreparedStatement instead of dynamic queries.

All data access techniques provide some means for escaping SQL meta-characters automatically.
Variables passed as arguments to prepared statements are automatically escaped by the JDBC driver, so they are treated as data rather than as part of the SQL text.

String selectStatement = "SELECT * FROM User WHERE userId = ? ";
PreparedStatement prepStmt = con.prepareStatement(selectStatement);
prepStmt.setString(1, userId);
ResultSet rs = prepStmt.executeQuery();
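As an added example (not from the original article) covering the PHP, ASP.NET and Java sections above, the same lookup is written once with string concatenation and once as a parameterized query, against an in-memory SQLite table constructed here for illustration; a name containing a quote shows the difference.

```python
# Added example (not part of the original article): string concatenation
# versus a parameterized query, run against a constructed in-memory table.
import sqlite3


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tbl_users (usr_name TEXT, usr_pwd TEXT)")
    con.executemany("INSERT INTO tbl_users VALUES (?, ?)",
                    [("alice", "s3cret"), ("O'Brien", "pw")])  # constructed rows
    return con


def build_concatenated_sql(name):
    # Vulnerable pattern: the value is spliced into the SQL text, so any quote
    # in it is parsed as SQL syntax instead of as data.
    return "SELECT usr_name FROM tbl_users WHERE usr_name='" + name + "'"


def lookup_concatenated(con, name):
    return [row[0] for row in con.execute(build_concatenated_sql(name))]


def lookup_parameterized(con, name):
    # Safe pattern: the SQL text is fixed and the driver binds the value separately.
    sql = "SELECT usr_name FROM tbl_users WHERE usr_name = ?"
    return [row[0] for row in con.execute(sql, (name,))]


def compare(name):
    """Return (concatenated result, parameterized result); a database error on
    the concatenated path is reported as the exception class name."""
    con = make_db()
    try:
        unsafe = lookup_concatenated(con, name)
    except sqlite3.Error as exc:
        unsafe = type(exc).__name__
    return unsafe, lookup_parameterized(con, name)


if __name__ == "__main__":
    for n in ("alice", "O'Brien"):
        print(repr(n), compare(n))
```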