Digicorp

What is SQL Injection?

SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. This vulnerability is present when user input is manipulated for string literal escape characters embedded in SQL statements or user input is not sufficiently filtered and thereby unexpectedly executed.

How SQL Injection looks like?

Basic SQL Injections

If anybody want to pull up the records of particular user name from the user information table and if “username” variable is set as

X‘ OR ‘Y‘ = ‘Y

By inputting the above code as user name , Let see how’s it work at back end?

SELECT * FROM UserInformation WHERE UserName = ‘X’ OR ‘Y’ = ‘Y’

If we use this type of code were in an authentication procedure then this example could be used to force the selection of a valid “username” because the evaluation of ‘Y’='Y’ is always true and you will be logged in as the user on top of the SQL table.

Same way if the “username” variable is set as

X‘ OR 1 = 1 –-

If we use double dashes (–) than at the back end these dashes at the end tell the SQL server to ignore the rest of the query.

SELECT * FROM UserInformation WHERE UserName = ‘X’ OR 1 = 1 –-‘

Same way more SQL Injection syntaxes are:

‘) OR (‘1’ = ‘1

‘ OR ‘1’ = ‘1

‘ OR 1 = 1

“ OR “1”= “1

“ OR 1 = 1 –-

OR 1 = 1 –-

How can we get free from SQL Injection?

• Validate all input before using it.We can validate the input by this way.Reject the input that contains the following characters:

1. Single Quote(’)

2.  Dash ( – )

3.  /* and */

4. Semicolon ( ; )

• User parameterized input with stored procedures: Stored procedures may be susceptible to SQL injection if they use unfiltered input. So all the input provided to the stored Procedures is provided in the form of parameters

• Filtering input: Replace a Single Quote (‘) with two Single Quotes (‘’) to filter the input.

• Limit the database permission: Use a limited access account to connect to the database

• Don’t store secrets in plain text: Encrypt or hash passwords and other sensitive data; you should also encrypt connection strings

• Exceptions should divulge minimal information: Don’t expose too much information in error messages; display minimal information in the event of error handling.

Reference :

http://en.wikipedia.org/wiki/SQL_injection

http://www.secureworks.com/research/articles/sql-injection-attacks

MySQL’s full-text search functions provide a simple framework for an easily implemented, approximate site search. web-applications or desktop applications, written in an interpreted language and powered by MySQL, can use MySQL’s full-text search to avoid third party dependencies.

The basics

The basics of the MySQL full-text search functions are well-documented in the MySQL online documentation. For those lacking patience, here is a quick rundown.

Full-text searching is somewhat akin to a LIKE condition, but is much faster, requiring a FULLTEXT index to be created for the table columns targeted in the search. To search the title and description columns of a table, entries, the following statement would create the proper index:

ALTER TABLE entries ADD FULLTEXT(title, description)

To search these columns for the text, “python threading,” the MATCH...AGAINST functions are used:

SELECT id, MATCH(title, description) AGAINST ('python threading') AS score
FROM entries
ORDER BY score DESC

Notice that we keep the result of the match. The value returned is a float representing the relevance of the match. The higher the number, the more relevant the match.

There are several caveats to the full-text search. In particular, any words that are common between many entries are treated as noise and their relevance in any search is diminished. This means that were every article in entries to be about threading in Python, searching for “python threading” may not return extremely relevant results. Refer to the MySQL docs for more information.

The hard part

If the content to be searched is not conveniently located in one table, things get more complex. In this case, a method must be devised to create an intermediary table to contain the search target.

This might be accomplished with a cron script that aggregates the information nightly or using stored procedures to keep the target table updated.

Refining results

A common case is to weight the search to favor more recent results. Assuming that each entry has a DATETIME field named timestamp, this is easily accomplished by using the entry’s age to modify the score.

For an even reduction to the score based on the article’s age, divide the score by the age, which is determined with DATEDIFF(NOW(), timestamp).

(MATCH(title, description) AGAINST ('python threading'))/GREATEST(1, DATEDIFF(NOW(), timestamp))

Since DATEDIFF returns the difference in days, an entry written today could cause division by zero.
GREATEST means that entries written today and yesterday have equal weight, but prevents results from omitting today’s articles.

A quick test of this will show that results become wildly incorrect after a few days as the text match score begins to diminish further with age. This effect can be reduced by taking the LOG of the age, making the divisor increase less and less the greater the age.

LOG(GREATEST(1, DATEDIFF(NOW(), timestamp)))

The use of LOG causes a steep drop initially, smothing over time. For a less dramatic effect, substituting the square root causes a similar drop in the weight of the entry’s age over time, but diminishing less starkly over time and without the initial steep drop.

SQRT(GREATEST(1, DATEDIFF(NOW(), timestamp)))

The complete SQL statement is now:

SELECT id,
  (MATCH(title, description) AGAINST ('python threading'))/SQRT(GREATEST(1, DATEDIFF(NOW(), timestamp)))
  AS score
FROM entries
ORDER BY score DESC

At Digicorp, we have recently started code inspection process. It is too early to say that it is producing wonders but it does look promising in the long run.

We are inspired from the Fagan Inspection invented by Michael Fagan at IBM in mid 1970s. We do not follow the process completely but we have done changes according our environment.

Following presentation will give you more idea about the process:

We make it a point to involve newly recruited developers in the inspection process so they get an idea where experienced developers are also going wrong.

This way it becomes part of training for newly recruited developers.

So far we have had half a dozen code reviews and some of them were good, some of them were bad. But all the developers at the end looks satisfied with the result. Developers are not making it an ego issue so far.

What do you do at your company to do make your code better? Any suggestions to make this process better?

This is first of my experience regarding documenting an already developed project.

Let me first describe the situation which we are going through.

We have developed a system and before a couple of years and currently it is in a maintenance stage.

It is in use in the production for last 1 year. The project is developed in Visual Studio 2003. It is a purely Windows Based Application and developed in VB.Net. The database behind it is SQL Server 2000 and we are using ASP.Net Web Services as middle layer.

Now as the client is going through the inspection of the project, we are now to generate the documentation of the whole project.

Normally, this happens in many of the projects which I see around, typically in our part of world the developers are more inclined to do coding rather then do designing, documentation and planning and then actually doing coding.

Now in this situation, I would like to share with you what we have decided to develop as part of our documentation of the system which might help you at certain point of time in your project. The main part is we are not having enough time right now and we are in a real hurry.

We have decided to prepare the following documents.

1.    Database Dictionary
We have found out a very useful tool for generating database documentation. The tool is DBScribe. It is an excellent tool, it automatically generates all the documentation related to all the database objects from the database itself. Right now we are using the trial version in order to check the capabilities. Other nice thing about tool is it is automatically defining the dependencies between the database objects. It generates a chm and html document as output. We are trying to figure out how to insert some of the information in the tool. For example, how to add description of the table and how to add description of stored procedure parameters.

2.    Code Commenting
We are using the VB Commenter for generating comments in the code. We are to do two level of commenting in the code. Class level commenting and Procedure level commenting. Following are snippets of what we are going to put as comment in the code.

Class Level Commenting
”’<summary>
”’    [Name] FrontController
”’    [Description] Acts as the initial point of entry/exit into the system
”’                  and manages the handling of the request, including invoking security services such as authentication and authorization.
”’    [Reference]
”’ </summary>
”’——————————————————
”’ <remarks>
”’ </remarks>
”’——————————————————
”’ <history>
”’    <creation>
”’     [amita] [anokhi] 12 June 2007
”’    </creation>
”’    <modification>
”’    </modification>
”’ </history>
”’——————————————————

Procedure Level Commenting
”’<summary>
”’    [Name] AuthenticateRequest
”’    [Description] Validates UserID and Password and updates Database by Authenticating Login Request
”’    [Reference]
”’ </summary>
”’——————————————————
”’ <history>
”’    <creation>
”’     [amita] [anokhi] 12 June 2007
”’    </creation>
”’    <modification>
”’    </modification>
”’ </history>
”’——————————————————
”’  Algorithm
”’  Steps
”’  [1]   Get Current Context
”’  [2]   If Request is of Login from Home page then
”’  [3]   Retrieve User Id and Password
”’  [4]   If user ID exist in hastable then get its Users Object else goto [7]
”’  [5]   If Password is not Correct  then goto [7]
”’  [6]   Generate Ticket, identity and Principal
”’        Assign it in Context, User object (also in HashTable), Session, Database
”’  [7]   If Password or UserId is incorrect then set Users object as nothing and call Invalid Login
”’——————————————————

3.    Class Diagram
We are planning to convert our project which is in .Net 2003 to .Net 2005 and generate a class diagram from the IDE itself. Now here I am searching for some more sophisticated automatic class diagram generator tools as generating class diagram from this code manually will be a very time consuming and tedious work. Right now VS-2005 editor is giving some errors while I try to generate the class diagram and also I do not find those class diagrams very attractive.

4.    Database Relationship Diagram
This will be similar as what SQL Server generates. We will link up all the tables and then submit the diagram.

Can you suggest me some better and efficient ways of doing this?