
SQL Injection

What it is

SQL Command Injection is a technique where an attacker creates or alters existing SQL commands to expose hidden data, overwrite valuable data, or even execute dangerous system-level commands on the database host. It is made possible when the application takes user input and combines it with static parameters to build an SQL query.

Injected SQL queries can circumvent access controls, bypassing standard authentication and authorization checks, and may sometimes even allow access to host operating system commands.

Avoidance Techniques

  • Never connect to the database as a superuser or as the database owner. Always use dedicated accounts with very limited privileges.
  • Use prepared statements with bound variables. They are provided by PDO, MySQLi and other libraries.
  • Check that the given input has the expected data type. PHP has a wide range of input-validating functions, from the simplest ones found in the Variable Functions and Character Type Functions (e.g. is_numeric() and ctype_digit() respectively) up to Perl-compatible regular expression support.
  • If the application expects numerical input, consider verifying the data with ctype_digit(), silently changing its type with settype(), or using its numeric representation via sprintf().
  • If the database layer doesn’t support bound variables, quote each non-numeric user-supplied value passed to the database with the database-specific string escape function (e.g. mysql_real_escape_string(), sqlite_escape_string(), etc.). Generic functions like addslashes() are useful only in a very specific environment (e.g. MySQL in a single-byte character set with NO_BACKSLASH_ESCAPES disabled), so it is better to avoid them.
  • Do not print out any database-specific information, especially about the schema, by fair means or foul. See also Error Reporting and the Error Handling and Logging Functions.
  • You may use stored procedures and previously defined cursors to abstract data access so that users do not directly access tables or views, but this solution has other impacts.
  • You benefit from logging queries, either within your script or by the database itself. Obviously, logging cannot prevent a harmful attempt, but it can help trace back which application has been circumvented.
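The first three techniques above side by side, as an added example (not code from the PHP manual page referenced below). It assumes PHP with the PDO SQLite driver available; the table and rows are constructed for the demonstration.

```php
<?php
// Added example: the same user lookup written with string concatenation
// and with a PDO prepared statement, plus type validation for numeric input.
// Uses an in-memory SQLite database (assumes the pdo_sqlite extension).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)");
// Constructed sample rows; note the legitimate apostrophe in the second name.
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('O''Brien', 'user')");

// Unsafe: user input is spliced into the SQL text, so any quote character
// in the input changes the structure of the query itself.
function findUserUnsafe(PDO $pdo, string $name): array {
    $sql = "SELECT id, name, role FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the SQL text is fixed at prepare time; the value travels separately
// as a bound parameter and can never be interpreted as SQL.
function findUserSafe(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare("SELECT id, name, role FROM users WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Numeric input: check the type with ctype_digit() before it reaches the
// query, then bind it explicitly as an integer.
function findUserById(PDO $pdo, string $rawId): ?array {
    if (!ctype_digit($rawId)) {
        return null; // reject anything that is not an unsigned integer string
    }
    $stmt = $pdo->prepare("SELECT id, name, role FROM users WHERE id = ?");
    $stmt->bindValue(1, (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$input = "O'Brien"; // an ordinary name that happens to contain a quote
try {
    findUserUnsafe($pdo, $input);
} catch (PDOException $e) {
    // The concatenated query is not even valid SQL any more.
    echo "unsafe query broke on a plain apostrophe: " . $e->getMessage() . "\n";
}
print_r(findUserSafe($pdo, $input));      // one row: O'Brien, role user
var_dump(findUserById($pdo, '1'));        // row for alice
var_dump(findUserById($pdo, '1abc'));     // NULL: rejected by ctype_digit()
```

The unsafe version fails on legitimate data long before an attacker shows up, which is usually the first sign that a query is built by concatenation; the prepared version returns the O'Brien row unchanged.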

Ref:
http://php.net/manual/en/security.database.sql-injection.php


Phonetic Alphabet

A phonetic alphabet is a list of words used to identify letters in a message transmitted by radio or telephone. Spoken words from an approved list are substituted for letters. For example, the word “Navy” would be “November Alfa Victor Yankee” when spelled in the phonetic alphabet. This practice helps to prevent confusion between similar sounding letters, such as “m” and “n”, and to clarify communications that may be garbled during transmission.

Letter   NATO Phonetic   Western Union Phonetic
A        Alpha           Adams
B        Bravo           Boston
C        Charlie         Chicago
D        Delta           Denver
E        Echo            Easy
F        Foxtrot         Frank
G        Golf            George
H        Hotel           Henry
I        India           Ida
J        Juliet          John
K        Kilo            King
L        Lima            Lincoln
M        Mike            Mary
N        November        New York
O        Oscar           Ocean
P        Papa            Peter
Q        Quebec          Queen
R        Romeo           Roger
S        Sierra          Sugar
T        Tango           Thomas
U        Uniform         Union
V        Victor          Victor
W        Whiskey         William
X        X-ray           X-ray
Y        Yankee          Young
Z        Zulu            Zero

Source:

  1. http://www.history.navy.mil/faqs/faq101-1.htm
  2. http://www.osric.com/chris/phonetic.html

YAML

YAML (rhymes with ‘camel’) is a human-friendly, cross-language, Unicode-based data serialization language designed around the common native data structures of agile programming languages.

YAML stands for “YAML Ain’t Markup Language”. It is a human-friendly data serialization standard for all programming languages.

It is a human-friendly and versatile data serialization language which can be used for log files, config files, custom protocols, the works.

It is broadly useful for programming needs ranging from configuration files to Internet messaging to object persistence to data auditing. It is easy to use, easy to learn, and cool.

Example (note the anchor &id001 on bill-to, reused by the alias *id001 on ship-to, and the literal block | that preserves the line breaks of the address):

invoice: 34843
date   : 2001-01-23
bill-to: &id001
    given  : Chris
    family : Dumars
    address:
        lines: |
            458 Walkman Dr.
            Suite #292
        city    : Royal Oak
        state   : MI
        postal  : 48046
ship-to: *id001
product:
    - sku         : BL394D
      quantity    : 4
      description : Basketball
      price       : 450.00
    - sku         : BL4438H
      quantity    : 1
      description : Super Hoop
      price       : 2392.00
tax  : 251.42
total: 4443.52

YAML is a balance of the following design goals:
– YAML documents are very readable by humans.
– YAML interacts well with scripting languages.
– YAML uses host languages’ native data structures.
– YAML has a consistent information model.
– YAML enables stream-based processing.
– YAML is expressive and extensible.
– YAML is easy to implement.

Spyc is a Simple PHP YAML Class.

Useful links:
1. http://yaml.org
2. http://spyc.sourceforge.net