Tag Archives: elegance

Apologies: A Server Crash Has Eaten My Media

I’d like to apologize to readers of this blog for a server crash that ate the contents of my wp-content directory recently.

Unfortunately, a lack of vigilance means I didn’t have a local backup of that directory, and my host doesn’t have a backup, either. So most of the images and code downloads are missing.

I plan to fix that as time allows, but time is at a premium. So please bear with me as I do my best to recover. Thanks.

Microsoft’s Advice On Avoiding SQL Injection Attacks

Not to kiss my own ass, but Microsoft’s official advice on avoiding SQL injection attacks sounds awfully familiar to readers of this blog:

Sanitize (validate) all inputs: “This helps to ensure that the input is free from characters that cause SQL injection attacks.” It also allows you to fix the form and data type of the user input, which pretty much renders basic script kiddie attacks useless.

Parameters, not strings, as query variables: “Creating dynamic queries using string concatenation potentially allows an attacker to execute an arbitrary query through the application.”

In other words, it’s harder to break this:

DECLARE @person VARCHAR(20); SELECT * FROM table WHERE person = @person;

than it is to break this:

SELECT * FROM table WHERE person = 'some user string';

Stored procedures, not free-form queries: “Stored procedures by themselves do not remove SQL injection vulnerabilities. They only raise the bar on the attacker by hiding much of the underlying database schema.” That is, the attacker can’t easily find out what columns are in a table, or what type of data is in those columns, if you use a stored procedure.

Minimal permissions: “In general, database applications should be using a low-privileged account that has the minimum permissions required to execute the statements submitted to SQL Server.” As in, create a user in your SQL database whose only permission set is to execute your Web-based stored procedures, and connect to the database server as that user.

Those are the basics. And if you don’t understand how to do them, I’ll be putting together a blog series on how to convert your old string-queried Web applications into ones secured with stored procedures and proper permissions.

Continue reading

The Basics Of Avoiding MySQL Injection Attacks In ASP.NET Web Forms

Received in my email today:

Hi

Saw your blog and thought you might help.

strsql = "SELECT StaffID, DesignationID, StaffName, Password, ShopID from staffT where StaffName =" & UserName.Text & " AND Password =" & Password.Text & ""

From the string, the UserName.Text and Password.Text are form controls. What is happening is they are passing null values regardless of what you input in the text boxes, resulting in a system error.

“System Error Object reference not set to an instance of an object”

I am using MySQL as the database.

I’m always glad to answer such questions, especially when the questioner is flirting with disaster, as much as this questioner is.

A trained eye can immediately spot the problem with the SQL statement above, aside from the problem of NULL values tossing errors. Namely, it’s wide-open to SQL injection. (And an even keener eye will note that the values for user name and password aren’t delimited with single-quotes.)
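An added example (not the blog’s code, nor Microsoft’s, nor the questioner’s) that works through the first two points of the Microsoft advice quoted in the previous post, validating input and passing values as parameters, against the login query from the email above. It uses Python’s sqlite3 as an offline stand-in for MySQL or SQL Server: the column names come from the question, but the rows, the user-name pattern and every function name are constructed assumptions. The same parameter idea is what a .NET command object’s parameter collection does, and the concatenated version is kept only so its failure modes can be seen beside the hardened one.

```python
import re
import sqlite3

# Constructed rows standing in for the reader's staffT table (same column
# names as the emailed query; the data is invented for this example, and the
# password column is left as the question's schema has it).
STAFF_ROWS = [
    (1, 1, "alice",   "s3cret",  10),
    (2, 2, "O'Brien", "hunter2", 10),
    (3, 1, "bob",     "letmein", 11),
]

# Assumed form for a staff user name: a letter, then up to 19 more characters
# from a small allowed set. Adjust to your own naming rules.
USERNAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9'._-]{0,19}$")


def open_demo_db():
    """In-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE staffT (StaffID INTEGER, DesignationID INTEGER, "
        "StaffName TEXT, Password TEXT, ShopID INTEGER)"
    )
    conn.executemany("INSERT INTO staffT VALUES (?, ?, ?, ?, ?)", STAFF_ROWS)
    return conn


def validate_username(name):
    """Point 1: fix the form and type of the input before it reaches SQL.
    A None (the null the reader saw) or an unexpected shape is rejected here."""
    if name is None or not USERNAME_RE.match(name):
        raise ValueError("user name has an unexpected form")
    return name


def login_concatenated(conn, username, password):
    """The emailed pattern: SQL text built by concatenation (vulnerable; for contrast)."""
    sql = (
        "SELECT StaffID, DesignationID, StaffName, Password, ShopID FROM staffT "
        "WHERE StaffName = '" + username + "' AND Password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Point 2: the values travel as parameters, never as part of the SQL text."""
    sql = (
        "SELECT StaffID, DesignationID, StaffName, Password, ShopID FROM staffT "
        "WHERE StaffName = ? AND Password = ?"
    )
    return conn.execute(sql, (username, password)).fetchall()


def run_demo():
    """Exercise both versions on constructed inputs and return a summary."""
    conn = open_demo_db()
    out = {}
    # A normal login succeeds either way.
    out["param_ok"] = len(login_parameterized(conn, validate_username("alice"), "s3cret"))
    # A legitimate name containing an apostrophe: fine with parameters...
    out["param_apostrophe"] = len(login_parameterized(conn, validate_username("O'Brien"), "hunter2"))
    # ...but the concatenated text is no longer valid SQL.
    try:
        login_concatenated(conn, "O'Brien", "hunter2")
        out["concat_apostrophe"] = "ran"
    except sqlite3.OperationalError:
        out["concat_apostrophe"] = "syntax error"
    # The textbook probe for an injectable login form: the concatenated query
    # matches every row, the parameterized one matches none.
    probe = "' OR '1'='1"
    out["concat_probe_rows"] = len(login_concatenated(conn, "alice", probe))
    out["param_probe_rows"] = len(login_parameterized(conn, "alice", probe))
    # The null case from the email is stopped by validation, not by the database.
    try:
        validate_username(None)
        out["null_rejected"] = False
    except ValueError:
        out["null_rejected"] = True
    conn.close()
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Note that a None reaching `login_concatenated` would raise a TypeError in Python, the same class of failure as the “Object reference not set to an instance of an object” error in the email: concatenation fails before the database ever sees the request. Validating first, then binding parameters, handles both the null and the quoting problems in one place.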

So here’s my reply email to the questioner:
Continue reading

Preloading Images With JavaScript

Anne Hathaway photo by Brian Smith

In my recent travels through old blog posts, I’ve noticed a number of occasions where I’ve discussed how to preload images.

Almost all those examples are stupid or just plain wrong. For that, you have my apologies, and I aim to rectify those mistakes with this post.

First, why would we want to preload an image? Simply put, we intend to show it later on our Web page — either as a result of a mouseover, or a click, or some other sort of Document Object Model (DOM) event.

For example, maybe we want to mouseover a series of thumbnails, and show a larger version of that image in the same place.

Rather than making the end user wait for a new image to load as a result of doing something on a Web page, it makes sense to load the image we intend to show in advance, so it will display almost instantaneously as a result of an event.

I’ll first show why two of my previous methods for preloading images are wrong or dumb, then describe two correct ways to preload images: via basic JavaScript and via jQuery.

The lovely Anne Hathaway will be our model.
Continue reading

Working With The authorize.net Server Integration Method (SIM) Payment Gateway, Part 1: Don’t Use JavaScript

I got an email a few days ago from a reader seeking help with the authorize.net Server Integration Method (SIM) credit card payment gateway.

Specifically, he was asking how he could use JavaScript to pass a calculated total to a PHP page that contains the SIM code.

  • A customer chooses a series of options from some select lists, radio buttons and the like;
  • the page calculates an order total;
  • the end user hits a submit button;
  • the results are posted to the SIM processing page, which acts as a “confirmation page”; and
  • the customer presses another button, which takes him to authorize.net to provide payment info and actually charge the card.

You can see an approximation of what I’m talking about here: http://www.dougv.com/demo/js_form_values. The questioner’s form is similar to this approximation in function.

I will show how to properly customize a SIM form, and submit payment requests to authorize.net via SIM, in an upcoming post. This post explores why it’s a terrible idea to process order forms with JavaScript. That is, it’s about the wrong way to use SIM. Stay tuned for the right way.

Continue reading