Wednesday, August 20, 2008

SQL Injection for Hacking

Don't ever use string concatenation (or a StringBuilder) to create SQL commands.

An example is this:
string sql = "SELECT * FROM Products WHERE Category=" + cat;

There are a lot of reasons why not to do this:
1. Strings inside the command text need to be enclosed between ' and '. You will have a problem when the value of cat itself contains a '. You can avoid this by doubling all single quotes inside the cat string, but it is still not recommended.
2. SQL Injection attacks!!! Don't be tricked by this one, it's easy to avoid. Think of a string cat that contains the following value: 1; DROP TABLE Products; -- (-- is the comment operator in T-SQL).
So, the resulting command is this:
SELECT * FROM Products WHERE Category=1; DROP TABLE Products; --
The result: the Products table is dropped. Pretty simple to do if the cat value comes from the query string or from a form input.

How to avoid this:
1. Always connect with the least privileges needed to do the job. Don't ever ever connect to the database as "sa" or another db owner with full access to the underlying database.
2. Don't use string concat, but use parameterized commands instead, like this:
using System.Data;
using System.Data.SqlClient;
//...
string query = "SELECT * FROM Products WHERE Category=@Category";
SqlCommand cmd = new SqlCommand(query, conn); // conn is an open SqlConnection
cmd.Parameters.Add("@Category", SqlDbType.NVarChar, 50);
cmd.Parameters["@Category"].Value = cat;
//...This makes sure the anomalies with quotes are solved for you, avoids basic injections, and performs checks on the input length of the strings (+ type checking etc).
3. Even better, use a stored procedure with parameters on the server and call it using SqlCommand. The idea is the same, but the SQL command with params itself is stored on the server.
This allows better performance and even better security.
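As an added illustration of points 1 and 2 above (not code from the original post): Python with an in-memory SQLite database stands in for SQL Server, and executescript() is used so the concatenated command runs as a whole batch the way a SqlCommand batch does. The Products rows, the column layout and the helper names are constructed for this demo.

```python
import sqlite3

# Constructed in-memory stand-in for the Products table from the post.
# Category is TEXT so values line up with the NVarChar parameter shown above.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Products (Id INTEGER PRIMARY KEY, Name TEXT, Category TEXT)")
    conn.executemany("INSERT INTO Products (Name, Category) VALUES (?, ?)",
                     [("Bike", "1"), ("Book", "2"), ("Kid's Chair", "Children's")])
    conn.commit()
    return conn

def table_exists(conn):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name='Products'").fetchone()
    return row is not None

def build_concat(cat):
    # The pattern the post warns against: the value is pasted into the command text.
    return "SELECT * FROM Products WHERE Category=" + cat

def run_concat(conn, cat):
    # executescript() runs every statement in the string, mirroring how SQL Server
    # executes the whole batch. The SELECT's rows are discarded; we watch side effects.
    conn.executescript(build_concat(cat))
    return table_exists(conn)

def run_parameterized(conn, cat):
    # The value is bound as data and never parsed as SQL, so quotes, semicolons
    # and comment markers inside it cannot change the statement.
    return conn.execute("SELECT * FROM Products WHERE Category=?", (cat,)).fetchall()

if __name__ == "__main__":
    payload = "1; DROP TABLE Products; --"   # the value from the post
    db = make_db()
    print(build_concat(payload))
    print("table survives concatenation:", run_concat(db, payload))   # False
    db = make_db()
    print("rows for payload via parameter:", run_parameterized(db, payload))  # []
    print("table survives parameter:", table_exists(db))              # True
    print("rows for Children's:", run_parameterized(db, "Children's"))
```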

Happy Browsing!
Relax..

Thursday, August 7, 2008

Internet Explorer 8 Beta 1

IE 8 Beta Information

Internet Explorer 8 takes the Web experience beyond the page and introduces a new way to seamlessly experience the power of the Web whether you are a Web developer writing to standards, or an end user discovering a new online service. This beta release is available to everyone, but is primarily for Web developers and designers to test the new tools, layout engine, and programming enhancements. When not developing your web site, you can click the Emulate IE7 button in the command bar to browse the web like you did in IE7.
  • SYMPTOMS
    You may experience one of the following issues when you use the Beta 1 version of Microsoft Internet Explorer 8:
    Misaligned Web page layout
    Overlapping text or images
  • CAUSE
    These issues occur because Internet Explorer 8 Beta 1 displays Web pages using its latest "Standards mode" by default, whereas most current Web pages are created and tested to work with Internet Explorer 7 Standards mode.
  • RESOLUTION
    To resolve these issues, Web site owners and administrators can add a meta-tag that tells Internet Explorer 8 to display an entire site or a specific page like Internet Explorer 7. That is, the meta-tag causes Internet Explorer to render pages in either Internet Explorer 7 Standards (Strict) mode or in Internet Explorer 5 (Quirks) mode, based on the Doctype element declaration. Note: Adding the Internet Explorer 7 compatibility tag should address most display issues. However, browser detection may also have to be updated on your site. To learn more, visit the following Microsoft Web site:
    http://www.microsoft.com/windows/products/winfamily/ie/ie8/readiness/DevelopersExisting.htm

This article discusses a beta release of a Microsoft product. The information in this article is provided as-is, from http://support.microsoft.com/kb/952030.

Happy Browsing !
Relax