Yes. The querystring is also encrypted with SSL. Nevertheless, as [this article][1] shows, it isn&#39;t a good idea to put sensitive information in the URL. For example:

&gt; URLs are stored in web server logs -
&gt; typically the whole URL of each
&gt; request is stored in a server log.
&gt; This means that any sensitive data in
&gt; the URL (e.g. a password) is being
&gt; saved in clear text on the server


  [1]: https://blog.httpwatch.com/2009/02/20/how-secure-are-query-strings-over-https/

remember, SSL/TLS operates at the Transport Layer, so all the crypto goo happens under the application-layer HTTP stuff. 

http://en.wikipedia.org/wiki/File:IP_stack_connections.svg

that&#39;s the long way of saying, &quot;Yes!&quot;

The entire transmission, including the query string, the whole URL, and even the type of request (GET, POST, etc.) is encrypted when using HTTPS.

I disagree with the advice given here - even the reference for the accepted answer concludes:

&gt; You can of course use query string parameters with HTTPS, but don’t use them for anything 
&gt; that could present a security problem. For example, you could safely use them to identity
&gt; part numbers or types of display like ‘accountview’ or ‘printpage’, but don’t use them for
&gt; passwords, credit card numbers or other pieces of information that should not be publicly
&gt; available.

So, no they aren&#39;t really safe...!

I am trying to execute the following query:

    INSERT INTO table_listnames (name, address, tele)
    VALUES (&#39;Rupert&#39;, &#39;Somewhere&#39;, &#39;022&#39;)
    WHERE NOT EXISTS (
        SELECT name FROM table_listnames WHERE name=&#39;value&#39;
    );

But this returns an error. Basically I don&#39;t want to insert a record if the &#39;name&#39; field of the record already exists in another record - how to check if the new name is unique?

MySQL: Insert record if not exists in table

I&#39;ve been using `GROUP BY` for all types of aggregate queries over the years.  Recently, I&#39;ve been reverse-engineering some code that uses `PARTITION BY` to perform aggregations.  In reading through all the documentation I can find about `PARTITION BY`, it sounds a lot like `GROUP BY`, maybe with a little extra functionality added in?  Are they two versions of the same general functionality, or are they something different entirely?

SQL Server: Difference between PARTITION BY and GROUP BY

Do querystring parameters get encrypted in HTTPS when sent with a request?

Are querystring parameters secure in HTTPS (HTTP + SSL)? 

<p>Do querystring parameters get encrypted in HTTPS when sent with a request?</p>


I have noticed that there are strange requests to my website trying to find phpmyadmin, like

    /phpmyadmin/
    /pma/
etc.

Now I have installed PMA on Ubuntu via apt and would like to access it via webaddress different from /phpmyadmin/. What can I do to change it?

Thanks
___

**Update**

For Ubuntu 9.10 and Apache2, the corresponding setting is located in the file `/etc/apache2/conf.d/phpmyadmin.conf` which is a link to `/etc/phpmyadmin/apache.conf`. The file contains

    Alias /phpmyadmin /usr/share/phpmyadmin

where the first `/phpmyadmin` should be changed to something different if one wants to avoid the unnecessary activity, e.g.:

    Alias /secret /usr/share/phpmyadmin

How to secure phpMyAdmin

I need to hash some passwords with salt on postgresql, and I haven&#39;t been able to find any relevant documentation on how to get that done.  

So how can I hash passwords (with some salts) in postgresql?

How can I hash passwords in postgresql?

How can I prevent XSS attacks in a JSP/Servlet web application?

XSS prevention in JSP/Servlet web application

Why does Google prepend `while(1);` to their (private) JSON responses?

For example, here&#39;s a response while turning a calendar on and off in [Google Calendar][1]:

```
while (1);
[
  [&#39;u&#39;, [
    [&#39;smsSentFlag&#39;, &#39;false&#39;],
    [&#39;hideInvitations&#39;, &#39;false&#39;],
    [&#39;remindOnRespondedEventsOnly&#39;, &#39;true&#39;],
    [&#39;hideInvitations_remindOnRespondedEventsOnly&#39;, &#39;false_true&#39;],
    [&#39;Calendar ID stripped for privacy&#39;, &#39;false&#39;],
    [&#39;smsVerifiedFlag&#39;, &#39;true&#39;]
  ]]
]
```

I would assume this is to prevent people from doing an `eval()` on it, but all you&#39;d really have to do is replace the `while` and then you&#39;d be set. I would assume the eval prevention is to make sure people write safe JSON parsing code.

I&#39;ve seen this used in a couple of other places, too, but a lot more so with Google (Mail, Calendar, Contacts, etc.) Strangely enough, [Google Docs][2] starts with `&amp;&amp;&amp;START&amp;&amp;&amp;` instead, and Google Contacts seems to start with `while(1); &amp;&amp;&amp;START&amp;&amp;&amp;`.

What&#39;s going on here?

  [1]: https://calendar.google.com/calendar/about/
  [2]: https://www.google.com/docs/about/


Why does Google prepend while(1); to their JSON responses?

I am just starting to think about how api keys and secret keys work.  Just 2 days ago I signed up for Amazon S3 and installed the [S3Fox Plugin](http://www.s3fox.net/).  They asked me for both my Access Key and Secret Access Key, both of which require me to login to access.

So I&#39;m wondering, if they&#39;re asking me for my secret key, they must be storing it somewhere right?  Isn&#39;t that basically the same thing as asking me for my credit card numbers or password and storing that in their own database?

How are secret keys and api keys supposed to work?  How secret do they need to be?  Are these applications that use the secret keys storing it somehow?


How do API Keys and Secret Keys work? Would it be secure if I have to pass my API and secret keys to another application?

Recently posted a question regarding the `HttpClient` over Https ([found here][1]).  I&#39;ve made some headway, but I&#39;ve run into new issues. As with my last problem, I can&#39;t seem to find an example anywhere that works for me. Basically, I want my client to accept any certificate (because I&#39;m only ever pointing to one server) but I keep getting a `javax.net.ssl.SSLException: Not trusted server certificate exception.`

So this is what I have:

```java
    
    public void connect() throws A_WHOLE_BUNCH_OF_EXCEPTIONS {

        HttpPost post = new HttpPost(new URI(PROD_URL));
    	post.setEntity(new StringEntity(BODY));
 
    	KeyStore trusted = KeyStore.getInstance(&quot;BKS&quot;);
    	trusted.load(null, &quot;&quot;.toCharArray());
    	SSLSocketFactory sslf = new SSLSocketFactory(trusted);
        sslf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
	
    	SchemeRegistry schemeRegistry = new SchemeRegistry();
    	schemeRegistry.register(new Scheme (&quot;https&quot;, sslf, 443));
    	SingleClientConnManager cm = new SingleClientConnManager(post.getParams(),
                schemeRegistry);
		
    	HttpClient client = new DefaultHttpClient(cm, post.getParams());
    	HttpResponse result = client.execute(post);
    }
```

And here&#39;s the error I&#39;m getting:

```bash
    W/System.err(  901): javax.net.ssl.SSLException: Not trusted server certificate 
    W/System.err(  901): 	at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:360) 
    W/System.err(  901): 	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:92) 
    W/System.err(  901): 	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:321) 
    W/System.err(  901): 	at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:129) 
    W/System.err(  901): 	at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164) 
    W/System.err(  901): 	at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119) 
    W/System.err(  901): 	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:348) 
    W/System.err(  901): 	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555) 
    W/System.err(  901): 	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487) 
    W/System.err(  901): 	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:465) 
    W/System.err(  901): 	at me.harrisonlee.test.ssl.MainActivity.connect(MainActivity.java:129) 
    W/System.err(  901): 	at me.harrisonlee.test.ssl.MainActivity.access$0(MainActivity.java:77) 
    W/System.err(  901): 	at me.harrisonlee.test.ssl.MainActivity$2.run(MainActivity.java:49) 
    W/System.err(  901): Caused by: java.security.cert.CertificateException: java.security.InvalidAlgorithmParameterException: the trust anchors set is empty 
    W/System.err(  901): 	at org.apache.harmony.xnet.provider.jsse.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:157) 
    W/System.err(  901): 	at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:355) 
    W/System.err(  901): 	... 12 more 
    W/System.err(  901): Caused by: java.security.InvalidAlgorithmParameterException: the trust anchors set is empty 
    W/System.err(  901): 	at java.security.cert.PKIXParameters.checkTrustAnchors(PKIXParameters.java:645) 
    W/System.err(  901): 	at java.security.cert.PKIXParameters.&lt;init&gt;(PKIXParameters.java:89) 
    W/System.err(  901): 	at org.apache.harmony.xnet.provider.jsse.TrustManagerImpl.&lt;init&gt;(TrustManagerImpl.java:89) 
    W/System.err(  901): 	at org.apache.harmony.xnet.provider.jsse.TrustManagerFactoryImpl.engineGetTrustManagers(TrustManagerFactoryImpl.java:134) 
    W/System.err(  901): 	at javax.net.ssl.TrustManagerFactory.getTrustManagers(TrustManagerFactory.java:226)W/System.err(  901): 	at org.apache.http.conn.ssl.SSLSocketFactory.createTrustManagers(SSLSocketFactory.java:263) 
    W/System.err(  901): 	at org.apache.http.conn.ssl.SSLSocketFactory.&lt;init&gt;(SSLSocketFactory.java:190) 
    W/System.err(  901): 	at org.apache.http.conn.ssl.SSLSocketFactory.&lt;init&gt;(SSLSocketFactory.java:216) 
    W/System.err(  901): 	at me.harrisonlee.test.ssl.MainActivity.connect(MainActivity.java:107) 
    W/System.err(  901): 	... 2 more
```


  [1]: https://stackoverflow.com/questions/2603691/android-httpclient-and-https

Trusting all certificates using HttpClient over HTTPS

I have a question about HTTPS and HTTP Authentication credentials.

Suppose I secure a URL with HTTP Authentication:

    &lt;Directory /var/www/webcallback&gt;
    AuthType Basic
    AuthName &quot;Restricted Area&quot;
    AuthUserFile /var/www/passwd/passwords
    Require user gooduser
    &lt;/Directory&gt;

I then access that URL from a remote system via HTTPS, passing the credentials in the URL:

    https://gooduser:secretpassword@www.example.com/webcallback?foo=bar

Will the username and password be automatically SSL encrypted? Is the same true for GETs and POSTs? I&#39;m having a hard time locating a credible source with this information.

HTTP Basic Authentication credentials passed in URL and encryption

I am adding an external CSS file and an external JS file to my headers and footers.
When loading an HTTPS page, some browsers complain that I am loading unsecured content.

Is there an easy way to make the browser load the external content via HTTPS when the page itself is HTTPS?



How to Include CSS and JS files via HTTPS when needed?

If I was setting up a server, and had the SSL certificate(s), why wouldn&#39;t I use HTTPS for the entire site instead of just for purchases/logins? I would think it would make more sense just to encrypt the entire site, and protect the user entirely. It would prevent problems such as deciding what has to be secured because everything would be, and it&#39;s not really an inconvenience to the user.

If I was already using an HTTPS for part of the site, why wouldn&#39;t I want to use it for the entire site?

This is a related question: [https://stackoverflow.com/questions/1361531/why-is-https-only-used-for-login][1], but the answers are not satisfactory. The answers assume you&#39;ve not been able to apply https to the entire site.


  [1]: https://stackoverflow.com/questions/1361531/why-is-https-only-used-for-login

Why not use HTTPS for everything?

It looks like a standard question, but I couldn&#39;t find clear directions anywhere.

I have java code trying to connect to a server with probably self-signed (or expired) certificate. The code reports the following error :

    [HttpMethodDirector] I/O exception (javax.net.ssl.SSLHandshakeException) caught 
    when processing request: sun.security.validator.ValidatorException: PKIX path 
    building failed: sun.security.provider.certpath.SunCertPathBuilderException: 
    unable to find valid certification path to requested target

As I understand it, I have to use [keytool][1] and tell java that it&#39;s OK to allow this connection. 

All instructions to fix this problem assume I&#39;m fully proficient with keytool, such as 

&gt; generate private key for server and import it into keystore

Is there anybody who could post detailed instructions?  

I&#39;m running unix, so bash script would be best.

Not sure if it&#39;s important, but code executed in jboss.

  [1]: http://docs.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html

Accept server&#39;s self-signed ssl certificate in Java client

I have a HTTP GET request that I am attempting to send. I tried adding the parameters to this request by first creating a `BasicHttpParams` object and adding the parameters to that object, then calling `setParams( basicHttpParms )` on my `HttpGet` object. This method fails. But if I manually add my parameters to my URL (i.e. append `?param1=value1&amp;param2=value2`) it succeeds.

I know I&#39;m missing something here and any help would be greatly appreciated.

How to add parameters to a HTTP GET request in Android?

I can decorate an action either with the [AcceptVerbs(HttpVerbs.Post)]/[AcceptVerbs(HttpVerbs.Get)] 

    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult Create(string title)
    {
        // Do Something...
    }

or with the [HttpPost]/[HttpGet] attributes

    [HttpPost]
    public ActionResult Create(string title)
    {
        // Do Something...
    }

Are they different?



What is the difference between [AcceptVerbs(HttpVerbs.Post)] and [HttpPost]?

I have a set of resources whose representations are lazily created. The computation to construct these representations can take anywhere from a few milliseconds to a few hours, depending on server load, the specific resource, and the phase of the moon.

The first GET request received for the resource starts the computation on the server. If the computation completes within a few seconds, the computed representation is returned. Otherwise, a 202 &quot;Accepted&quot; status code is returned, and the client must poll the resource until the final representation is available.

The reason for this behavior is the following: If a result is available within a few seconds, it needs to be retrieved as soon as possible; otherwise, when it becomes available is not important.

Due to limited memory and the sheer volume of requests, neither NIO nor long polling is an option (*i.e.* I can&#39;t keep nearly enough connections open, nor even can I even fit all of the requests in memory; once &quot;a few seconds&quot; have passed, I persist the excess requests). Likewise, client limitations are such that they cannot handle a completion callback, instead. Finally, note I&#39;m not interested in creating a &quot;factory&quot; resource that one POSTs to, as the extra roundtrips mean we fail the piecewise realtime constraint more than is desired (moreover, it&#39;s extra complexity; also, this is a resource that would benefit from caching).

I imagine there is some controversy over returning a 202 &quot;Accepted&quot; status code in response to a GET request, seeing as I&#39;ve never seen it in practice, and its most intuitive use is in response to unsafe methods, but I&#39;ve never found anything specifically discouraging it. Moreover, am I not preserving both safety and idempotency?

So, what do folks think about this approach?

__EDIT__: I should mention this is for a so-called business web API--not for browsers.

Is it wrong to return 202 &quot;Accepted&quot; in response to HTTP GET?

When you GET

   https://encrypted.google.com/search?q=%s

Is the `%s` query encrypted? Or just the response?
If it is not, why should Google serve its public content also with encryption?


Is GET data also encrypted in HTTPS?

How can I do an HTTP GET from a Un*x shell script on a stock OS X system? (installing third-party software is not an option, for this has to run on a lot of different systems which I don&#39;t have control on).

For example if I start the Mercurial server locally doing a *hg serve*:

    ... $ hg serve 

And then, from a Linux that has the *wget* command I do a wget:


    ... $  wget http://127.0.0.1:8000
    --2010-12-31 22:18:25--  http://127.0.0.1:8000/
    Connecting to 127.0.0.1:8000... connected.
    HTTP request sent, awaiting response... 200 Script output follows
    Length: unspecified [text/html]
    Saving to: `index.html

And on the terminal in which I launched the *&quot;hg serve&quot;* command, I can indeed see that an HTTP GET made its way:

    127.0.0.1 - - [30/Dec/2010 22:18:17] &quot;GET / HTTP/1.0&quot; 200 -

So on Linux one way to do an HTTP GET from a shell script is to use *wget* (if that command is installed of course).

What other ways are there to do the equivalent of a *wget*?  I&#39;m looking, in particular, for something that would work on stock OS X installs.



Content Type	Original Author	Original Content on Stackoverflow
Question	Deep	View Question on Stackoverflow
Solution 1 - Security	Joe Ratzer	View Answer on Stackoverflow
Solution 2 - Security	Michael Howard-MSFT	View Answer on Stackoverflow
Solution 3 - Security	Marcelo Cantos	View Answer on Stackoverflow
Solution 4 - Security	Steve Winter	View Answer on Stackoverflow

Are querystring parameters secure in HTTPS (HTTP + SSL)?

Security Problem Overview

Security Solutions

Solution 1 - Security

Solution 2 - Security

Solution 3 - Security

Solution 4 - Security

SQL Server: Difference between PARTITION BY and GROUP BY

MySQL: Insert record if not exists in table

Attributions