Friday, 23 March 2018

Use SQL Parameters for Protection

To protect a web site from SQL injection, you can use SQL parameters.
SQL parameters are values that are added to an SQL query at execution time, in a controlled manner.

ASP.NET Razor Example

txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = @0";
db.Execute(txtSQL,txtUserId);
Note that parameters are represented in the SQL statement by a @ marker.
The SQL engine checks each parameter to ensure that it is correct for its column, and the parameters are treated literally, not as part of the SQL to be executed.

Another Example

txtNam = getRequestString("CustomerName");
txtAdd = getRequestString("Address");
txtCit = getRequestString("City");
txtSQL = "INSERT INTO Customers (CustomerName,Address,City) Values(@0,@1,@2)";
db.Execute(txtSQL,txtNam,txtAdd,txtCit);

Examples

The following examples show how to build parameterized queries in some common web languages.
SELECT STATEMENT IN ASP.NET:
txtUserId = getRequestString("UserId");
sql = "SELECT * FROM Customers WHERE CustomerId = @0";
command = new SqlCommand(sql);
command.Parameters.AddWithValue("@0",txtUserId);
command.ExecuteReader();
INSERT INTO STATEMENT IN ASP.NET:
txtNam = getRequestString("CustomerName");
txtAdd = getRequestString("Address");
txtCit = getRequestString("City");
txtSQL = "INSERT INTO Customers (CustomerName,Address,City) Values(@0,@1,@2)";
command = new SqlCommand(txtSQL);
command.Parameters.AddWithValue("@0",txtNam);
command.Parameters.AddWithValue("@1",txtAdd);
command.Parameters.AddWithValue("@2",txtCit);
command.ExecuteNonQuery();
INSERT INTO STATEMENT IN PHP:
$stmt = $dbh->prepare("INSERT INTO Customers (CustomerName,Address,City) 
VALUES (:nam, :add, :cit)");
$stmt->bindParam(':nam', $txtNam);
$stmt->bindParam(':add', $txtAdd);
$stmt->bindParam(':cit', $txtCit);
$stmt->execute();

SQL Injection Based on Batched SQL Statements

Most databases support batched SQL statements.
A batch of SQL statements is a group of two or more SQL statements, separated by semicolons.
The SQL statement below will return all rows from the "Users" table, then delete the "Suppliers" table.

Example

SELECT * FROM Users; DROP TABLE Suppliers
Look at the following example:

Example

txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;
And the following input:
User id: 
The valid SQL statement would look like this:

Result

SELECT * FROM Users WHERE UserId = 105; DROP TABLE Suppliers;
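
The concatenated query above and the parameterized form from "Use SQL Parameters for Protection", side by side. This is an added example, not code from the original post. It assumes Python's sqlite3 module, where `?` plays the role of the `@0` marker and `executescript()` stands in for a driver that accepts batched statements; the table contents are constructed.

```python
import sqlite3

def make_db():
    """Constructed in-memory database with the page's Users and Suppliers tables."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE Users (UserId INTEGER, Name TEXT);"
        "CREATE TABLE Suppliers (SupplierId INTEGER);"
        "INSERT INTO Users VALUES (105, 'alice');"
    )
    return db

def table_exists(db, name):
    row = db.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None

def lookup_concatenated(db, user_id):
    # Vulnerable pattern from the page: the input becomes part of the SQL text,
    # so a semicolon in the input starts a second statement in the batch.
    db.executescript("SELECT * FROM Users WHERE UserId = " + user_id)

def lookup_parameterized(db, user_id):
    # The input is bound as a value; the engine never parses it as SQL.
    return db.execute("SELECT * FROM Users WHERE UserId = ?", (user_id,)).fetchall()

def run_demo(user_input):
    """Return (Suppliers survives concatenation, Suppliers survives binding, rows)."""
    db1 = make_db()
    lookup_concatenated(db1, user_input)
    db2 = make_db()
    rows = lookup_parameterized(db2, user_input)
    return table_exists(db1, "Suppliers"), table_exists(db2, "Suppliers"), rows

if __name__ == "__main__":
    print(run_demo("105; DROP TABLE Suppliers"))
    print(run_demo("105"))
```

With the bound parameter the whole input is compared against UserId as a single value, so it matches no row and the Suppliers table is left in place.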

Saturday, 17 March 2018

BOOTP Support

ISC DHCP server is backward compatible with BOOTP. The following is a BOOTP client declaration to be defined in DHCP's main configuration dhcpd.conf file:
host bootp {
  hardware ethernet 00:00:2e:55:12:09;
  fixed-address 123.123.1.3;
  filename "/path/to/tftpboot/bootp.boot";
}

Host specific configuration

There may be a need to assign a static IP address to a particular host on the network, such as a printer or a web server. In this case it is possible to amend the DHCP server configuration to lease a chosen IP address to a specific host identified by its MAC address.
default-lease-time 600;
max-lease-time 7200;

subnet 10.1.1.0 netmask 255.255.255.0 {
  range 10.1.1.3 10.1.1.254;
  option domain-name-servers 10.1.1.1, 8.8.8.8;
  option routers 10.1.1.1;
}

subnet 192.168.0.0 netmask 255.255.0.0 {
}

host printer {
  hardware ethernet 00:16:d3:b7:8f:86;
  fixed-address 10.1.1.100;
}

host web-server {
  hardware ethernet 00:17:a4:c2:44:22;
  fixed-address 10.1.1.200;
}
The above DHCP configuration file will permanently assign the IP address 10.1.1.100 to a host "printer" with a MAC address 00:16:d3:b7:8f:86 and IP address 10.1.1.200 to host "web-server" with MAC address 00:17:a4:c2:44:22.
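
In the configuration above, both fixed addresses sit inside the dynamic range 10.1.1.3 - 10.1.1.254, so the server may also hand them out to other clients from the pool. The following audit script is an added example, not part of the original post; it flags such overlaps and shows a constructed corrected range. The names `audit`, `PAGE_CONF` and `SPLIT_CONF` are assumptions of this example.

```python
import ipaddress
import re

# The page's host-specific dhcpd.conf (lease times omitted), embedded inline.
PAGE_CONF = """
subnet 10.1.1.0 netmask 255.255.255.0 {
  range 10.1.1.3 10.1.1.254;
  option routers 10.1.1.1;
}
subnet 192.168.0.0 netmask 255.255.0.0 {
}
host printer {
  hardware ethernet 00:16:d3:b7:8f:86;
  fixed-address 10.1.1.100;
}
host web-server {
  hardware ethernet 00:17:a4:c2:44:22;
  fixed-address 10.1.1.200;
}
"""
# Constructed correction: split the pool so it skips both reserved addresses.
SPLIT_CONF = PAGE_CONF.replace(
    "range 10.1.1.3 10.1.1.254;",
    "range 10.1.1.3 10.1.1.99;\n  range 10.1.1.101 10.1.1.199;\n"
    "  range 10.1.1.201 10.1.1.254;",
)

SUBNET_RE = re.compile(r"\bsubnet\s+([\d.]+)\s+netmask\s+([\d.]+)")
RANGE_RE = re.compile(r"\brange\s+([\d.]+)\s+([\d.]+)\s*;")  # two-address form only
HOST_RE = re.compile(r"\bhost\s+(\S+)\s*\{[^}]*?fixed-address\s+([\d.]+)\s*;")

def audit(conf):
    """Return sorted (host, address, problem) findings for a dhcpd.conf text."""
    conf = re.sub(r"#.*", "", conf)  # drop comments before matching
    nets = [ipaddress.ip_network(f"{n}/{m}") for n, m in SUBNET_RE.findall(conf)]
    pools = [(ipaddress.ip_address(a), ipaddress.ip_address(b))
             for a, b in RANGE_RE.findall(conf)]
    findings = []
    for host, addr in HOST_RE.findall(conf):
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in nets):
            findings.append((host, addr, "outside every declared subnet"))
        if any(lo <= ip <= hi for lo, hi in pools):
            findings.append((host, addr, "inside a dynamic range"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(PAGE_CONF):
        print(finding)
    print(audit(SPLIT_CONF))
```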

Set default gateway

DHCP also allows for configuration of the client's gateway. To set any client on the local network to use default gateway 10.1.1.1, add the line "option routers 10.1.1.1" to the dhcpd.conf file as demonstrated below:
default-lease-time 600;
max-lease-time 7200;

subnet 10.1.1.0 netmask 255.255.255.0 {
  range 10.1.1.3 10.1.1.254;
  option domain-name-servers 10.1.1.1, 8.8.8.8;
  option routers 10.1.1.1;
}

subnet 192.168.0.0 netmask 255.255.0.0 {
}

The DHCP server will now configure its clients with gateway 10.1.1.1.

Define DNS server

Another configuration parameter that the DHCP server can set for its clients is the DNS server. If you want your clients to use the DNS servers with IP addresses 8.8.8.8 and 10.1.1.1, you can do so by including the option "domain-name-servers" in DHCP's configuration file.
default-lease-time 600;
max-lease-time 7200;

subnet 10.1.1.0 netmask 255.255.255.0 {
  range 10.1.1.3 10.1.1.254;
  option domain-name-servers 10.1.1.1, 8.8.8.8;
}

subnet 192.168.0.0 netmask 255.255.0.0 {
}


DHCP default and max lease time

At this point we can add a few additional settings to our DHCP configuration, namely the default and max lease time expiry.
  • default-lease-time is the lease duration in seconds that is applied when the DHCP client does not ask for a specific lease expiry time
  • max-lease-time is the maximum lease duration in seconds for an IP address leased by the DHCP server
default-lease-time 600;
max-lease-time 7200;

subnet 10.1.1.0 netmask 255.255.255.0 {
  range 10.1.1.3 10.1.1.254;
}

subnet 192.168.0.0 netmask 255.255.0.0 {
}

Basic DHCP Configuration

By default, the DHCP server configuration does not include any subnets on which the DHCP server should lease IP addresses. Therefore, depending on your Linux system, you may get the following error message when you attempt to start DHCP with the default dhcpd.conf configuration file.
Starting ISC DHCP server: dhcpdcheck syslog for diagnostics. ... failed!
Examining log files such as /var/log/syslog reveals more details:
No subnet declaration for eth0 (some IP address). 
Your server may be connected to multiple network subnets. To start DHCP server, at least one subnet must be defined within the DHCP configuration file /etc/dhcp/dhcpd.conf. 

NOTE: if your server has access to more than one subnet, DHCP requires all subnets to be defined, even if there is no immediate intention to enable DHCP service on that subnet.

Below is the simplest example of DHCP configuration file:
subnet 10.1.1.0 netmask 255.255.255.0 {
  range 10.1.1.3 10.1.1.254;
}

subnet 192.168.0.0 netmask 255.255.0.0 {
}
This configuration file instructs DHCP server to listen for DHCP client requests on subnet 10.1.1.0 with netmask 255.255.255.0. Furthermore, it will assign IP addresses in range 10.1.1.3 - 10.1.1.254. It also defines an empty definition for subnet with network ID 192.168.0.0. 

Alter the above configuration to match your subnet and insert it into /etc/dhcp/dhcpd.conf. When ready, restart your DHCP server (the restart command may vary):
# service isc-dhcp-server restart

How to install DHCP server in Linux

The standard DHCP server implementation available in various Linux distributions is an open-source version maintained by ISC (Internet Systems Consortium).
Use the following commands to install DHCP on your Linux server:
Debian and Ubuntu:
# apt-get install isc-dhcp-server
Redhat & Fedora:
# yum install dhcp

SQL Server Services and Tools

  Microsoft provides both data management and business intelligence (BI) tools and services together with SQL Server. For data management, S...