Tag: guru

Prevent SQL Injections

Preventing SQL injections is pretty easy once you know what you are doing. Some of you who are new to databases might think about character substitutions, character escaping, or just outright banning certain characters; but those options are laborious and not nearly as simple or elegant. Instead, we can use a technique called SQL Parameterization. It’s a fancy word for a straightforward process. For this guide, I’ll be referencing a database titled Movies.

To explain it simply, what we are going to do is use a “?” in place of inserting our value. We then bind our value to the “?”, and the database receives it as a plain value (data), never as part of the SQL text. Since it is handled as data and is kept from being interpreted as SQL, this keeps us from having our databases deleted, stolen, or used in unforeseen ways.

The setup looks like this:

// Instead of this.
$updateComm = "SELECT title FROM Movies WHERE id = '" . $ID . "'";

// We have this.
$updateComm = "SELECT title FROM Movies WHERE id = ?";

Again, the question mark is a reference marker, or bind point. Our data gets tied to it and is never interpreted as SQL. We next prepare the statement, which allows us to bind values to it. The first way we can do this is by binding the values to each bind point individually.

Let’s take a look:

// We first setup a command with the properly inserted question marks.
$updateComm = "UPDATE Movies SET title = ?, link = ?, date = ? WHERE id = ?";
 
// We then set it up for preparation.
$updateStatement = $db->prepare( $updateComm );

// We then insert to the bind points.
// Note: They are in order of appearance in the command. 
//       This is why we bind to title first and then links, etc.
//       Keep this in mind when setting up commands.
//       Also, we don't start at zero but one.
$updateStatement->bindValue( 1, "I, Robot", PDO::PARAM_STR );
$updateStatement->bindValue( 2, "LINK", PDO::PARAM_STR );
$updateStatement->bindValue( 3, "July 7, 2004", PDO::PARAM_STR );
$updateStatement->bindValue( 4, 666999, PDO::PARAM_INT );
 
// We then execute the command which is properly set up.
$updateStatement->execute();

The second option is to just pass the arguments as an array without individual binding. Note once more that it is all based on order of the question marks.

$updateComm = "UPDATE Movies SET title = ?, link = ?, date = ? WHERE id = ?";
 
// We then set it up for preparation.
$updateStatement = $db->prepare( $updateComm );

// Then, just pass parameters as an array to the execute method.
$updateStatement->execute( array( "I, Robot", "LINK", "July 7, 2004", 666999) );

In both cases, the database driver handles every bound value as data for you, so you don’t have to worry about rogue single quotes or DROP TABLE commands getting through. You’re done! Easy, right? At this point, all you have to do is look up your language and how to do the above steps, then implement them for secure database interactions. Look at Rosetta Code for how other languages set up parameterization. In addition, if you’ve read any of my other articles, pick a project like my PHP7, SQLite3, and Ajax Tutorial to practice this on in addition to learning other skills and techniques.
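To see the difference the bind point makes, here is an added example (not code from the original post) that runs the concatenated lookup and the bound lookup side by side against an in-memory SQLite copy of Movies; the table layout and the sample rows are assumptions, only the column names come from the post.

```php
<?php
// Added example, not from the original post. The Movies layout and rows below
// are constructed for the demo; only the column names come from the post.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE Movies (id INTEGER PRIMARY KEY, title TEXT, link TEXT, date TEXT)");
$db->exec("INSERT INTO Movies VALUES (1, 'I, Robot', 'LINK', 'July 7, 2004')");
$db->exec("INSERT INTO Movies VALUES (2, 'Metropolis', 'LINK', 'January 10, 1927')");

// Untrusted input as it might arrive from a request: a rogue single quote
// followed by extra SQL, rather than a plain id.
$ID = "1' OR '1'='1";

// Insecure form from the post: the input becomes part of the SQL text, so the
// quote closes the literal and the rest is parsed as SQL. Every row comes back.
function lookupConcatenated(PDO $db, string $ID): array {
    $sql = "SELECT title FROM Movies WHERE id = '" . $ID . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Parameterized form: the "?" is a bind point, the value travels as data, and
// the database compares the id column against the whole string. Nothing matches.
function lookupBound(PDO $db, string $ID): array {
    $stmt = $db->prepare("SELECT title FROM Movies WHERE id = ?");
    $stmt->bindValue(1, $ID, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

printf("concatenated: %d row(s) returned\n", count(lookupConcatenated($db, $ID)));
printf("bound:        %d row(s) returned\n", count(lookupBound($db, $ID)));
// A legitimate id still works through the bind point.
printf("bound, id 1:  %s\n", implode(', ', lookupBound($db, "1")));
```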

W3C Killed Web Security

It’s a sad day, folks. The W3C killed web security by accepting DRM without a caveat that protects against the DMCA’s (Digital Millennium Copyright Act) unreasonable reach. Security researchers are out; hackers are in. While I am sure that most users believe that companies and creators have the right to protect their IP (Intellectual Property), I am also sure they believe in having strong security and a reasonable right to use their purchased product in whatever manner they see fit. The web was a last bastion that held to those principles. It was killed both brutally and without much compunction by the W3C and its corporate backers in a vain attempt to stem the tide of piracy and illegal copying.

Let’s be clear here for a moment about the current problem. I don’t have an issue with DRM. I don’t agree with it all the time, but neither do I disagree with it all the time. No, the issue is with the DMCA and its unreasonable reach in trying, and failing, to protect DRM. There are two sections in the DMCA that are of great interest. The core section I am referring to is Section 1201: Circumvention of copyright protection systems.

Section 1201 affects the web and all technologies the most, and is why it is a sad day for the internet. The EFF letter to the W3C addresses some of the concerns regarding Section 1201 and its implementation in web technologies. Here are some of the critical points they made when hoping the W3C would add a proviso for accepting DRM standards.

“This covenant would allow the W3C’s large corporate members to enforce their copyrights. Indeed, it kept intact every legal right to which entertainment companies, DRM vendors, and their business partners can otherwise lay claim. The compromise merely restricted their ability to use the W3C’s DRM to shut down legitimate activities, like research and modifications, that required circumvention of DRM….
More directly, such a covenant would have helped protect the key stakeholders, present and future, who both depend on the openness of the Web, and who actively work to protect its safety and universality. It would offer some legal clarity for those who bypass DRM to engage in security research to find defects that would endanger billions of web users; or who automate the creation of enhanced, accessible video for people with disabilities; or who archive the Web for posterity. It would help protect new market entrants intent on creating competitive, innovative products, unimagined by the vendors locking down web video.”

There is the crux of the issue and why the W3C should have had clear stipulations for implementing DRM into web technologies. There really isn’t anything protecting the user and their right to circumvent DRM when it is not infringing on the patent holder or IP source. Security experts are now in a quasi-grey area where their work is to determine vulnerabilities, but in doing so they are violating the DMCA. This helps no one but the bad guys, and that is just sad in a day and age where billions of users need strong security the most.

In addition, we don’t know who did and didn’t vote in favor of the implementation of a DRM standard. The votes are secret, and that should disturb us even more than the terrible overreach of the DMCA’s rules. It is worth noting that W3C member votes aren’t always public, and by default one must opt in for public disclosure of said vote. For an organization that affects our lives, not having public disclosure of votes by default and as enforced practice is egregious. We all know why this is the case, though. Companies don’t want to look like the bad guys even when they are. So they hide in anonymity while we are all left to hang by their terrible decisions. We can make some guesses as to who voted for the standardization but don’t know who else their accomplices are. Essentially, a private group gets to affect our lives without us holding them accountable. In addition, their votes won’t stop piracy or illegal copying. So all in all, they hurt themselves as well as us, with nothing to show for it but the further stripping of our rights.

While it all looks bad, there are bright spots. The US government is looking to open source its code base as much as it reasonably can. Maybe they’ll step in and decide obtrusive DRM and its protective DMCA rules are too powerful. If interested in some of their projects, check out my article covering some of the best packages released to date.

Top Resources For Distro Maintainers

There are great resources for a Linux distribution maintainer, and here are a few of my favorites. Most sources are geared towards Ubuntu-based systems, but a few, like the Themes and Window Managers links, are more or less universal.

Window Managers

The first site deals with the plethora of window managers that are out there. XWinMan lists many managers, ranging from session and full desktop managers to just the bare window managers themselves. Some are deprecated, so be wary; but it still has many that are not!
              Link:  http://www.xwinman.org/

Source List Generator

The next is a site that generates source list files for Ubuntu. This is really awesome for a number of reasons, but the biggest for me is recovering from a bad dependency hell scenario. While it is rare, it is something that a maintainer, and even a user, needs to be aware of. Adding too many PPAs (which generally isn’t recommended) can cause loops and other strange and unexpected behavior from a package manager. In addition, the generator gives PPA info for a number of popular software packages that are not necessarily shipped with the system. It is well worth keeping in one’s developer/user arsenal.
              Link:  https://repogen.simplylinux.ch/index.php

Themes

This third link deals with themes, icons, backgrounds, etc. Who doesn’t like themes? Anyway, it has many of these to spruce up the system and make it less boring. I started using Gnome-Look early on in my Linux experience, and it has yet to fail to find me something cool or aesthetically pleasing.
              Link:  http://www.gnome-look.org/

Debootstrap Versions

This fourth link is geared towards building a Debian-based distribution. Debootstrap is a great piece of software, but it needs the PPAs of the system it will set up in a subdirectory of one’s system. This link provides the needed information.
              Link:  http://packages.ubuntu.com/search?keywords=debootstrap&searchon=names&suite=all&section=all

Ubuntu-Mini-Remix

This fifth link goes to a website that has minified Ubuntu ISOs. These are phenomenal for creating new distributions from pretty much scratch. It isn’t LFS kinda scratch, but it’s as close as it’s likely to get.
              Link:  http://www.ubuntu-mini-remix.org/

Chrooting in and building up is the best way to do this. I have a video of the steps too:

Package List

This last link is great for doing source compiling. It can be used to find the install name of a package when an error output doesn’t give much of a hint. I must admit I only just recently heard of this page after attempting to compile an installer package. Going to the developer’s IRC was where I learned of it. It’s a bit embarrassing not to have known of this given how long I’ve been using various *nix systems. Still, I guess the old adage, “you can’t teach an old dog new tricks”, is proven wrong.
              Link:  http://packages.ubuntu.com/

Quick Test Server

There are times when I need a server in order to test some feature or bit of code. I don’t like spooling up a Linux, Apache, MySQL, and PHP (LAMP) or Linux, NGINX, MySQL, and PHP (LEMP) stack because it’s tedious. Notice what I did there? I made the whole sentence tedious to get you to think it really is tedious. It really isn’t, but frankly, I needed a reason to write this. Anyway, so, what is one to do? Well, there are three options that come to mind, and those are Python, PHP, and Netcat. One might ask: “Whaaat? Rly?”. Yup. Really. All one needs to do is open up a terminal/cli and get ta hackin.

For Python, call up the Python module SimpleHTTPServer using the switch -m and then give it a port. Make the port greater than 1024, since the lower ports are reserved and require root to use. BAM! Open your browser of poison and go to localhost:portNumber or 127.0.0.1:portNumber.

Python Server

python -m SimpleHTTPServer 1337

I did not need to insert any index.html files into the directory. Python automatically gives a list of the directory contents when no index file is found. As a side note, Python doesn’t seem to read PHP properly. I have yet to get it to work.

For PHP, all one does is use the switch -S and then give it an address (127.0.0.1) and port. Again, make the port greater than 1024, since the lower ports are reserved and require root to use. BAM! Once more, open your browser of poison and go to localhost:portNumber or 127.0.0.1:portNumber.

PHP Server

php -S 127.0.0.1:1337

It is worth noting that with PHP I had to insert an index.php file into the directory I ran the command from. It doesn’t generate any list but does throw an error when no index is found. Additionally, this method seems to only work with PHP files. To test if the PHP server works, simply insert in the index.php:

<?php
    phpinfo();
?>

 

For the last one we will look at Netcat. Netcat is the Swiss Army knife of networking tools and has an interesting way of creating a kind of server. To start off, simply create a file called serve.sh. The name is arbitrary, but that’s what we will use for this example. Then, in the file add:

Netcat Server

#!/bin/bash
# Print the page body; the HTTP status line is written by the loop that calls this script.
echo "`cat index.html`"

When this is done, simply create an index.html as you would any other. In my case, I did:

<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <title>Google Link</title>
</head>
<body>
    <h1><a href="http://www.google.com">Google</a></h1>
</body>
</html>

After all this prep, which isn’t much, we simply run the following in the terminal where serve.sh and index.html are:

while true; \
do { \
    echo -e 'HTTP/1.1 200 OK\r\n'; sh serve.sh; \
} | nc -l 1337; \
done

One might need to press enter again to actually run it because of the \’s stating “look to the next line for the rest of the command”. One can also just remove the \’s and put the whole command on one line, like so:

while true; do { echo -e 'HTTP/1.1 200 OK\r\n'; sh serve.sh; } | nc -l 1337; done

One can use PHP with this, by the way. All one does is rename index.html to index.php. Then one adds some code like in the PHP example above. After that, in serve.sh, edit “cat index.php” to be “php index.php”. This has PHP interpret the file, and its output then gets echoed back to the requester.
All of this needs some explaining. The while loop keeps the server alive: nc exits once it has served one connection, so the loop starts it again for the next one. Note that the first part before the semicolon tells the browser that there is a server where one was requested, i.e. it confirms the request. Then serve.sh is run. In serve.sh it echoes out what cat prints from index.html, or what PHP prints from index.php. This is essentially sent as the file back to the requester. Thus, we can see the h1-sized Google anchor link in this example.
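The one-line loop sends only a status line before the body, so the browser has to guess the content type and wait for the connection to close to know where the page ends. As an added example that is not part of the original post, here is a PHP stand-in for serve.sh (the file name serve.php is an assumption) that writes the complete response, headers included; run it inside the same loop as “while true; do php serve.php | nc -l 1337; done”, with the echo of the status line dropped since the script now emits it.

```php
<?php
// Added example, not from the original post. Writes a full HTTP response for
// index.html (the same file the post uses) to stdout, for piping into nc.
// The name serve.php and the extension map below are assumptions.

// Map a file extension to the Content-Type header the browser should receive.
function contentTypeFor(string $path): string {
    $types = [
        'html' => 'text/html; charset=utf-8',
        'css'  => 'text/css',
        'js'   => 'application/javascript',
        'png'  => 'image/png',
        'txt'  => 'text/plain',
    ];
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return $types[$ext] ?? 'application/octet-stream';
}

// Build the whole response: status line, headers, blank line, body.
// Content-Length tells the browser exactly where the body ends, and
// Connection: close matches nc serving a single connection per loop iteration.
function buildResponse(string $path): string {
    if (!is_file($path)) {
        $status = 'HTTP/1.1 404 Not Found';
        $type   = 'text/plain';
        $body   = "Not Found\n";
    } else {
        $status = 'HTTP/1.1 200 OK';
        $type   = contentTypeFor($path);
        $body   = (string) file_get_contents($path);
    }
    // HTTP header lines end in CRLF; the empty line separates headers from body.
    return $status . "\r\n"
        . 'Content-Type: ' . $type . "\r\n"
        . 'Content-Length: ' . strlen($body) . "\r\n"
        . "Connection: close\r\n"
        . "\r\n"
        . $body;
}

echo buildResponse('index.html');
```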

Voila! A nice juicy server is ready for use in any project that needs one. If one is adventurous, one can use these simple servers to serve files on the local network. To do this, all you have to do is allow the port to accept connections using UFW and then change the address “127.0.0.1” to “0.0.0.0”. This isn’t recommended for long-term use, but it can be useful when needing to transfer something or when using an app that’s for the local network. Even then, one might be better off just using ssh or email! Still, in those rare times, all one does is allow the port to be open by using ufw.

ufw allow portNumber/tcp

To remove the rule:

ufw status numbered
ufw delete "the number associated with one's portNumber"

ITDominator’s Github Projects

Github:
    This is my Github account. I have accumulated a good number of programs and repositories over the years. Though, much of it has now been set up in an archive repository since I no longer support the code. The ones not in the archive are my active projects and represent my current skill level, barring proper try/catch handling, which I am too lazy to implement at this time. Otherwise, they are my projects to improve my coding skills.

    PS – Yes, not all (probably most) properly meet OOP standards. This is a personal choice since I don’t want to create a number of files just to have code split up properly. One controller file suits my needs just fine at this time. Though, one or two will eventually get refactored and set up to meet OOP standards.

ITDominator’s Youtube Channel

Youtube Channel:

    Linked is my Youtube Channel. At the inception of this post, and following my need to switch accounts in order to unify my brand, I am pretty much back to zero subscribers. Starting anew, yet with more knowledge, is invigorating and terrifying all at the same time. I hope you, dear follower, will find something useful or amusing in my humble collection of videos. I cover a lot but like to focus on C, C++, Java, JavaFX, Bash, Python, Blender, Gaming, and a whole lot of other topics.