SQL Injection Attacks by Example A customer asked that we check out his intranet site, which was used by the company's employees and customers. This was part of a larger security review, and though we'd not actually used SQL injection to penetrate a network before, we were pretty familiar with the general concepts. We were completely successful in this engagement, and wanted to recount the steps taken as an illustration. "SQL Injection" is a subset of the unverified/unsanitized user input vulnerability ("buffer overflows" are a different subset), and the idea is to convince the application to run SQL code that was not intended. We'll note that this was a somewhat winding road with more than one wrong turn, and others with more experience will certainly have different -- and better -- approaches. There have been other papers on SQL injection, including some that are much more detailed, but this one shows the rationale of discovery as much as the process of exploitation. So we'll do it in steps. A standalone query of
How to Dynamically Create Thumbnails In this week's screencast, I'll show you how to upload files and then have PHP dynamically create a thumbnail. Whether you're building an ecommerce site, or just a simple gallery, these techniques will absolutely prove to be useful. If you're ready for your "spoonfed" screencast of the week, let's get going! *Note - There have been a few slight changes to the code after some additional thinking and some great suggestions. Don't worry, very little has changed. The Simple Config File The first step is to create a simple config file where we can store a few variables. $final_width_of_image - This variable will store the width of our thumbnail. Save this file as 'config.php' and place it in the root of your folder. The HTML Next, create a new page called "index.php" and paste the following. First, scroll down a bit to the body tag. Any time that you're going to be working with the "file upload" input type, you need to add an "enctype" attribute to the form tag. Saving the File ImageCreateTrueColor
PHP security tips PHP is one of the most popular web programming languages today. The reason is that it is easy to learn, yet robust enough to successfully power even the most complicated applications. This has its downsides. The PHP community is large and very open, and beginners often learn wrong things, or nothing at all, about PHP security. PHP is a very "forgiving" language and many users do not think about securing their applications. Securing a web site is all about quality coding and using defense techniques wisely. A programmer must always be on alert and know from where an attack can come. NEVER trust user input I will repeat, never trust your users. When this gets executed, the query looks like this: As the "=" comparison is always true, this guy is logged in even if he does not know the password. My tip is to always escape user input before doing anything with it. This way, the input is escaped and harmless, and this simple step secures you against most SQL-related attacks. XSS attacks Error reporting
PHP Security Cheat Sheet This page intends to provide basic PHP security tips for developers and administrators. Keep in mind that the tips mentioned in this page may not be sufficient for securing your web application. PHP overview PHP is the most commonly used server-side programming language, with 81.8% of web servers deploying it, according to W3 Techs. An open source technology, PHP is unusual in that it is both a language and a web framework, with typical web framework features built into the latter. Like all web languages, there is also a large community of libraries etc. that contribute to the security (or otherwise) of programming in PHP. Serious issues abound in all aspects of PHP, making it difficult to write secure PHP applications. Language issues Weak typing PHP is weakly typed, which means that it will automatically convert data of an incorrect type into the expected type. Try to use functions and operators that do not do implicit type conversions (e.g. === and not ==). Exceptions and error handling
Database Normalization What is Normalization? Normalization is a database design technique which organizes tables in a manner that reduces redundancy and dependency of data. It divides larger tables into smaller tables and links them using relationships. In this tutorial, you will learn- The inventor of the relational model, Edgar Codd, proposed the theory of normalization with the introduction of First Normal Form, and he continued to extend the theory with Second and Third Normal Form. Later he joined with Raymond F. The theory of data normalization in SQL is still being developed further. Database Normalization Examples - Assume a video library maintains a database of movies rented out. Table 1 Here you see the Movies Rented column has multiple values. Database Normal Forms Now let's move on to First Normal Form 1NF (First Normal Form) Rules Each table cell should contain a single value. The above table in 1NF- 1NF Example Table 1 : In 1NF Form Before we proceed, let's understand a few things -- What is a KEY? What is a primary key? Summary
Free Online Tools for Looking Up Potentially Malicious Websites Several organizations offer free on-line tools for looking up a potentially malicious website. Some of these tools provide historical information; others examine the URL in real time to identify threats: AVG LinkScanner Drop Zone: Analyzes the URL in real time for threats BrightCloud URL/IP Lookup: Presents historical reputation data about the website Comodo Web Inspector: Examines the URL in real-time. Cisco SenderBase: Presents historical reputation data about the website Cyscon SIRT: Provides historical data for IP addresses, domains and ASNs. Any on-line tools that should be on this list, but are missing? My other lists of on-line security resources outline Automated Malware Analysis Services and Blocklists of Suspected Malicious IPs and URLs. Copyright © 1995-2013 Lenny Zeltser.
FlipJack | The most interesting button in the world The Problem Buttons are a critical part of the Web – they drive sales, confirm subscriptions, book flights and so much more. So why don’t they actually do anything? Most buttons on the Web are nothing more than static images that give no proactive feedback to the user. This lack of feedback has a negative effect on the user experience – for instance, how many times have you double-charged your credit card because it was unclear your transaction was being processed? If call-to-action buttons are so important, they should act that way - they should contain information and activity, all spring-loaded and ready to burst forth the moment you click them. Who It’s For FlipJack is for any site owner who wants to create a more compelling experience when it comes to the actions users take on their site. How It Works With FlipJack, we aim to improve the experience of taking action on a call to action by providing robust and real time feedback to the user. How do you make buttons interesting?