Monday, May 14, 2007

Bits and Pieces (Week 10)

1. SQL Injection Attacks (Some Prevention tips)

A. Definition

A SQL Injection attack is a form of attack that comes from user input that has not been checked to see that it is valid. The objective is to fool the database system into running malicious code that will reveal sensitive information or otherwise compromise the server.
There are two main types of attacks: first-order attacks and second-order attacks.
First-order attacks are when the attacker receives the desired result immediately, either by direct response from the application they are interacting with or through some other response mechanism, such as email.
Second-order attacks are when the attacker injects some data that will reside in the database, but the payload is not immediately activated; it fires later, when that stored data is used in another query.

B. Prevention tips

* Locking down
If a web application were to request that the user choose a date, it would be normal for the value of the date to be checked in some JavaScript function on the web page before any data was posted back to the server. This improves the user experience by reducing the wait between lots of server requests. However, the value needs to be validated again on the server, as it is possible to spoof the request with deliberately crafted invalid data.
* Encrypting data
* Least Privilege - Database account
* Least Privilege - Process account
* Cleaning and Validating input
* Parameterised Queries
(Example: SQL Server)

```csharp
using System.Data.SqlClient;

// Parameterised query: the country name is bound as a parameter value and
// is never concatenated into the statement text, so it cannot change the
// meaning of the SQL.
string commandText = "SELECT * FROM Customers " +
                     "WHERE Country=@CountryName";
SqlCommand cmd = new SqlCommand(commandText, conn);
cmd.Parameters.AddWithValue("@CountryName", countryName);
```

* Stored Procedures
Stored procedures can be written to validate any input that is sent to them to ensure the integrity of the data beyond the simple constraints otherwise available on the tables. Parameters can be checked for valid ranges. Information can be cross checked with data in other tables.
If we consider a database that holds the user details for a website, this includes the user name and password. It is important that an attacker is unable to get a list of passwords or even one password. The stored procedures are designed so that a password can be passed in, but a password is never placed in any result set.
* Re-validation of data in Stored Procedures
* Ensure that error messages give nothing away about the internal architecture of the application or the database
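The following is an added example, not code from the original post, that puts three of the tips above side by side in Python with an in-memory SQLite database (sample rows are constructed here): the "Cleaning and Validating input" tip as an allow-list check, the "Parameterised Queries" tip as a vulnerable concatenated query next to its parameterised counterpart, and the stored-procedure rule that a password goes in but never comes back out, here as an application function that returns only a yes/no. The table and column names, the `check_password` helper and the PBKDF2 settings are assumptions of this example.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data for this example; not from the original post.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (Id INTEGER PRIMARY KEY, Name TEXT, Country TEXT)")
    conn.executemany(
        "INSERT INTO Customers (Name, Country) VALUES (?, ?)",
        [("Alice", "UK"), ("Bob", "Germany"), ("Carol", "UK")],
    )
    conn.execute("CREATE TABLE Users (Name TEXT PRIMARY KEY, Salt BLOB, Hash BLOB)")
    return conn

# "Cleaning and validating input": the server re-checks the value against an
# allow-list even if the browser already validated it (assumed list).
ALLOWED_COUNTRIES = {"UK", "Germany", "France"}

def is_valid_country(value: str) -> bool:
    return value in ALLOWED_COUNTRIES

def customers_vulnerable(conn: sqlite3.Connection, country: str) -> list:
    # Vulnerable: the statement is built by string concatenation, so the
    # caller's text becomes part of the SQL grammar instead of a value.
    sql = "SELECT Name FROM Customers WHERE Country='" + country + "' ORDER BY Id"
    return [row[0] for row in conn.execute(sql)]

def customers_parameterised(conn: sqlite3.Connection, country: str) -> list:
    # Safe: the value is sent separately from the statement text (the
    # Python equivalent of the @CountryName parameter in the C# example),
    # so it can only ever be compared as a string.
    sql = "SELECT Name FROM Customers WHERE Country=? ORDER BY Id"
    return [row[0] for row in conn.execute(sql, (country,))]

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-SHA256; iteration count is an assumption of this example.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def add_user(conn: sqlite3.Connection, name: str, password: str) -> None:
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO Users (Name, Salt, Hash) VALUES (?, ?, ?)",
        (name, salt, hash_password(password, salt)),
    )

def check_password(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Mirrors the stored-procedure rule from the post: the password is passed
    # in, and the caller gets back only True/False. The stored hash is read
    # here with a parameterised query and never returned to the caller.
    row = conn.execute("SELECT Salt, Hash FROM Users WHERE Name=?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored_hash = row
    return hmac.compare_digest(stored_hash, hash_password(password, salt))

if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"          # constructed test input, not a real user value
    print("vulnerable:", customers_vulnerable(db, tautology))      # every customer
    print("parameterised:", customers_parameterised(db, tautology))  # []
    add_user(db, "alice", "s3cret")
    print("login ok:", check_password(db, "alice", "s3cret"))
```

Running the script shows the concatenated query returning every row for the constructed tautology input, while the parameterised query returns nothing because the same text is treated purely as a country name that matches no row; the allow-list check rejects it before the database is even asked.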


2. PHP Error Logging

By default, PHP sends an error log to the server's logging system or to a file, depending on how the error_log directive is set in the php.ini file. By using the error_log() function you can send error messages to a specified file or to a remote destination.
Sending error messages to ourselves by e-mail can be a good way of getting notified of specific errors.
[Example Code]

```php
<?php
// Custom error handler: reports the error to the browser and e-mails the
// webmaster (message type 1 = send by e-mail to the given address).
function customError($errno, $errstr)
{
    echo "Error: [$errno] $errstr<br />";
    echo "Webmaster has been notified";
    error_log("Error: [$errno] $errstr", 1,
        "someone@example.com", "From: webmaster@example.com");
}

// Register the handler above for E_USER_WARNING errors.
set_error_handler("customError", E_USER_WARNING);

// Trigger an error to exercise the handler.
$test = 2;
if ($test > 1)
{
    trigger_error("Value must be 1 or below", E_USER_WARNING);
}
?>
```

1 comment:

Anonymous said...

Nice post and this mail helped me a lot in my college assignment. Say thank you you seeking your information.