Friday, November 16, 2007

New hacking in PHP - SQL injection

SQL Injection
SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database. Attackers take advantage of the fact that programmers often chain together SQL commands with user-provided parameters, and can therefore embed SQL commands inside these parameters. The result is that the attacker can execute arbitrary SQL queries and/or commands on the backend database server through the Web application.
Detailed description
Databases are fundamental components of Web applications. Databases enable Web applications to store data, preferences and content elements. Using SQL, Web applications interact with databases to dynamically build customized data views for each user. A common example is a Web application that manages products. In one of the Web application's dynamic pages (such as ASP), users are able to enter a product identifier and view the product name and description. The request sent to the database to retrieve the product's name and description is implemented by the following SQL statement.
SELECT ProductName, ProductDescription FROM Products WHERE ProductNumber = ProductNumber
Typically, Web applications use string queries, where the string contains both the query itself and its parameters. The string is built using server-side script languages such as ASP, JSP and CGI, and is then sent to the database server as a single SQL statement. The following example demonstrates an ASP code that generates a SQL query.
sql_query= "SELECT ProductName, ProductDescription FROM Products WHERE ProductNumber = " & Request.QueryString("ProductID")
The call Request.QueryString("ProductID") extracts the value of the Web form variable ProductID so that it can be appended as the SELECT condition.
When a user enters the following URL:
http://www.mydomain.com/products/products.asp?productid=123
The corresponding SQL query is executed:
SELECT ProductName, ProductDescription FROM Products WHERE ProductNumber = 123
An attacker may abuse the fact that the ProductID parameter is passed to the database without sufficient validation. The attacker can manipulate the parameter's value to build malicious SQL statements. For example, setting the value "123 OR 1=1" to the ProductID variable results in the following URL:
http://www.mydomain.com/products/products.asp?productid=123 or 1=1
The corresponding SQL Statement is:
SELECT ProductName, ProductDescription FROM Products WHERE ProductNumber = 123 OR 1=1
This condition would always be true and all ProductName and ProductDescription pairs are returned.
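The query built both ways, as an added example that is not from the original post: a constructed in-memory SQLite table stands in for the Products table, the page's ASP concatenation is rewritten in Python so it can be run, and next to it are the bound-parameter and validate-then-bind forms a defender would use instead. The function names, the sample rows and the use of SQLite are assumptions made here.

```python
import sqlite3


def build_products_db():
    """Constructed sample data standing in for the page's Products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Products ("
        "ProductNumber INTEGER, ProductName TEXT, ProductDescription TEXT)"
    )
    conn.executemany(
        "INSERT INTO Products VALUES (?, ?, ?)",
        [
            (123, "Widget", "A basic widget"),
            (124, "Gadget", "A handy gadget"),
            (125, "Gizmo", "A small gizmo"),
        ],
    )
    return conn


def lookup_vulnerable(conn, product_id):
    """Mirrors the ASP concatenation on the page: the raw query-string value
    becomes part of the SQL text, so '123 OR 1=1' rewrites the WHERE clause."""
    sql = (
        "SELECT ProductName, ProductDescription FROM Products "
        "WHERE ProductNumber = " + product_id
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, product_id):
    """Bound parameter: the value travels separately from the SQL text and
    cannot change the statement's structure, whatever characters it holds."""
    sql = (
        "SELECT ProductName, ProductDescription FROM Products "
        "WHERE ProductNumber = ?"
    )
    return conn.execute(sql, (product_id,)).fetchall()


def lookup_validated(conn, product_id):
    """Defense in depth: reject anything that is not an integer before it gets
    near the database, and still bind the value instead of concatenating."""
    try:
        number = int(product_id)
    except ValueError:
        raise ValueError("ProductID must be an integer: %r" % product_id)
    sql = (
        "SELECT ProductName, ProductDescription FROM Products "
        "WHERE ProductNumber = ?"
    )
    return conn.execute(sql, (number,)).fetchall()


if __name__ == "__main__":
    db = build_products_db()
    payload = "123 OR 1=1"  # the value from the page's example URL
    print("vulnerable:   ", lookup_vulnerable(db, payload))     # every row comes back
    print("parameterized:", lookup_parameterized(db, payload))  # no row matches the literal string
    try:
        lookup_validated(db, payload)
    except ValueError as err:
        print("validated:    ", err)
```

With the bound parameter, SQLite compares the ProductNumber column against the literal text "123 OR 1=1", which matches nothing; the validated form never reaches the database at all. Either way the statement stays exactly the statement the programmer wrote, which is the property the concatenated version lacks.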

Smarty: new technique in PHP

Smarty is a template engine for PHP. More specifically, it facilitates a manageable way to separate application logic and content from its presentation. This is best described in a situation where the application programmer and the template designer play different roles, or in most cases are not the same person.

For example, let's say you are creating a web page that is displaying a newspaper article.

* The article $headline, $tagline, $author and $body are content elements; they contain no information about how they will be presented. They are passed into Smarty by the application.
* Then the template designer edits the templates and uses a combination of HTML tags and template tags to format the presentation of these variables with elements such as tables, divs, background colors, font sizes, style sheets, SVG etc.
* One day the programmer needs to change the way the article content is retrieved, i.e. a change in application logic. This change does not affect the template designer; the content will still arrive in the template exactly the same.
* Likewise, if the template designer wants to completely redesign the templates, this would require no change to the application logic.
* Therefore, the programmer can make changes to the application logic without the need to restructure templates, and the template designer can make changes to templates without breaking application logic.

One design goal of Smarty is the separation of business logic and presentation logic.

* This means templates can certainly contain logic under the condition that it is for presentation only. Things such as including other templates, alternating table row colors, upper-casing a variable, looping over an array of data and displaying it are examples of presentation logic.
* This does not mean however that Smarty forces a separation of business and presentation logic. Smarty has no knowledge of which is which, so placing business logic in the template is your own doing.
* Also, if you desire no logic in your templates you certainly can do so by boiling the content down to text and variables only.

One of the unique aspects of Smarty is template compiling. This means Smarty reads the template files and creates PHP scripts from them. Once they are created, they are executed from then on. Therefore, there is no costly template file parsing for each request. Each template can take full advantage of PHP compiler and cache solutions such as eAccelerator, ionCube mmCache or Zend Accelerator, to name a few.
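The compile-once idea in miniature, as an added illustration and not Smarty's own code: a toy that translates a template with {$name} placeholders (the $headline, $author and $body of the example above) into a generated function, caches that function keyed by the template text, and then only calls it on later renders. Unlike Smarty, which leaves escaping to the template's escape modifier, this toy HTML-escapes every variable on output so a $body that happens to contain markup is displayed rather than interpreted. The placeholder syntax, function names and the choice of Python are assumptions made here.

```python
import html
import re

# {$name} placeholders, the shape the page uses for $headline, $body and so on.
PLACEHOLDER = re.compile(r"\{\$(\w+)\}")

# Compiled templates keyed by template source: translation happens once.
_compiled = {}


def translate(source):
    """Turn a template into the source of a Python function that builds the page.
    Literal chunks become string constants; each placeholder becomes a lookup in
    the content dict passed through the escape function."""
    parts, pos = [], 0
    for match in PLACEHOLDER.finditer(source):
        parts.append(repr(source[pos:match.start()]))
        parts.append("esc(str(content[%r]))" % match.group(1))
        pos = match.end()
    parts.append(repr(source[pos:]))
    return "def render(content, esc):\n    return " + " + ".join(parts) + "\n"


def compile_template(source):
    """Return the cached render function, generating it on first use only."""
    if source not in _compiled:
        namespace = {}
        exec(translate(source), namespace)
        _compiled[source] = namespace["render"]
    return _compiled[source]


def render(source, content):
    """Render with HTML escaping so markup inside a variable is shown, not executed."""
    return compile_template(source)(content, html.escape)


if __name__ == "__main__":
    # Constructed template and article: the application supplies the content,
    # the template decides how it is presented.
    template = '<h1>{$headline}</h1><p class="by">{$author}</p><div>{$body}</div>'
    article = {
        "headline": "Smarty & templates",
        "author": "staff",
        "body": "<b>bold</b>",
    }
    print(translate(template))   # the generated code, produced once
    print(render(template, article))
```

The generated function is plain code with no parsing in it, which is why the second and later renders of the same template pay nothing for the template syntax; a real engine writes that code to disk so the opcode cache can keep it, where this toy keeps it in a dictionary.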