Ways to counter SQL Injection

Database Permissions

Set the permissions on the database username / password as tightly as possible.  If you are only displaying data, there is no need for that user to have insert or update permissions on the database.  One solution is to have two usernames / passwords.  One has select permissions only and is used purely for display.  The other has select, insert and update permissions and is used only for forms that need to store data in the database.

Test all data input

All form data and all url query strings should be tested.

For example, if you are passing data using a query string, any record ids are usually integers, so test that they are actually integer values with a function such as is_numeric in PHP.

Use correct data types and data sizes in the database

This means that if you have a column which holds a person's name, the data type size for that column only needs to be 40 characters. There is no need to have a data size any larger than required.

Convert text to html

Before storing text in a database, HTML-encode it.  This changes input such as a JavaScript <script> tag into its HTML-entity equivalent, which cannot be executed on a web page.

Filter out any characters that may cause issues and are not required.

Use parameterized queries

If you use parameterized queries for your connection to the database, you eliminate string concatenation.  You should always use parameterized queries rather than constructing the SQL by hand.
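As an added example, not code from the original post, here are the checks above written in Python against an in-memory SQLite table rather than PHP / MySQL: the integer test for query-string ids, the a-z / 0-9 username rule, and a concatenated query beside its parameterized form. The customers table, names and ids are constructed for the example.

```python
import re
import sqlite3

# Constructed sample table; not the schema of any real application.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO customers (id, name) VALUES (?, ?)",
                     [(1, "Alice"), (2, "O'Brien")])
    return conn

def parse_record_id(raw: str):
    """Query-string record ids must be plain integers; return None otherwise.
    A whole-string match rejects values such as '42 OR 1' that carry SQL."""
    if re.fullmatch(r"[0-9]{1,9}", raw.strip()) is None:
        return None
    return int(raw)

USERNAME_RE = re.compile(r"[a-z0-9]{1,8}")

def valid_username(raw: str) -> bool:
    """Usernames: only a-z and 0-9, at most 8 characters (the post's rule)."""
    return USERNAME_RE.fullmatch(raw) is not None

def find_by_name_concat(conn: sqlite3.Connection, name: str):
    """Vulnerable form: the value is spliced into the SQL text."""
    sql = "SELECT id FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_by_name_param(conn: sqlite3.Connection, name: str):
    """Safe form: '?' placeholder, value bound by the driver as data only."""
    return conn.execute("SELECT id FROM customers WHERE name = ?", (name,)).fetchall()

def concat_breaks_on(conn: sqlite3.Connection, name: str) -> bool:
    """True if the concatenated query fails to parse for this input.
    An apostrophe in a legitimate name ends the string literal early,
    which is exactly the opening an injected value exploits."""
    try:
        find_by_name_concat(conn, name)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    print(parse_record_id("42"), parse_record_id("42 OR 1"))  # 42 None
    print(valid_username("admin"), valid_username("ad'min"))  # True False
    print(find_by_name_param(db, "O'Brien"))                   # [(2,)]
    print(concat_breaks_on(db, "O'Brien"))                     # True
```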

Check characters, particularly in usernames / passwords

If an entry is a username, it normally needs no characters other than a to z and 0 to 9, and it only needs to be, say, 8 characters long.

In PHP, always use mysql_real_escape_string

http://uk3.php.net/mysql_real_escape_string

SQL Injection pdf

http://dev.mysql.com/tech-resources/articles/guide-to-php-security-ch3.pdf

Description of parameterized queries and SQL injection in .NET

http://msdn.microsoft.com/en-us/library/ms998271.aspx

Description of parameterized queries and SQL injection for PHP

http://stackoverflow.com/questions/60174/best-way-to-stop-sql-injection-in-php

How to create htaccess / htpasswd

Here is a simplified description of how to create an htaccess / htpasswd file:

To protect your admin area you can create an htaccess / htpasswd file.

(1) Create an .htaccess file

Go to http://www.htaccesstools.com/htaccess-authentication/

In the first box enter some optional text which gets displayed in the login box

In the second box you need to enter the file path of a second file, the htpasswd file.  The htpasswd file is where the list of users / passwords is located.

Click on the button, copy the text and place it into a text file.  Name this file .htaccess and upload it to the folder that you want to protect.  In this case this would be the /admin/ folder.

(2) Create the .htpasswd username / password file

Go to http://www.htaccesstools.com/htpasswd-generator/

In the first box enter the username.

In the second box enter the password.

Click the button, copy the text and place it into a text file.  Name this file .htpasswd and upload it to a suitable location on your server.  This can be anywhere on your server, but is usually a defined folder.  The location must be the same as the one entered in (1) above.

The folder defined in (1) should now be protected by the username / password defined in (2).
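For reference, added here rather than copied from the generator's output, this is what the file from step (1) looks like once uploaded; the /home/example path is a placeholder and must be the same absolute path you entered in (1):

```apache
# /admin/.htaccess  (constructed example)
AuthType Basic
# Text shown in the browser's login box (step 1, first box)
AuthName "Admin area"
# Absolute server path to the password file (step 1, second box); placeholder path
AuthUserFile /home/example/.htpasswd
Require valid-user
```

The .htpasswd file from step (2) holds one username:hashed-password line per user; keeping it outside the web root means it can never be served as a page.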

Resetting admin password in PHP-eSeller

The only way to reset the admin password is to run an SQL UPDATE statement on the database.

You will need to go into phpMyAdmin or a similar program which can be used to administer the database tables.

The update statement that you can use is:

UPDATE ipn_tblpasswords SET userpassword = md5('admin') WHERE username = 'admin';

In this case it is assumed that the username is 'admin'.

How to deal with duplicate content on your web site

Duplicate content within one website

This is often unintentional and can be the result of sites having pages for similar products where the content has been only slightly changed, or because landing pages have been created for PPC campaigns.

In this case, Google recommends that webmasters include the preferred version of the URL in their sitemap file, which helps the search engine's crawlers find the best version.

Duplicate content across domains

This refers to content identical to that on your website appearing on third party domains, often when sites use scrapers to copy your text and use it to push themselves up the rankings.

Google claims that it manages to determine the original source of the content "in most cases", and that having your content copied shouldn't impact your search rankings.

Google offers the following tips if sites with scraped content are ranking higher than the original website:

• Make sure your site's content is being crawled by Google.

• Check the Sitemap file to see if you made changes for the particular content which has been scraped.

• Make sure your site is in line with Google's webmaster guidelines.

Posted in SOE

SQL Server connection strings

SQL ODBC connection strings

Standard Security:

Driver={SQL Server};Server=yourServerName;Database=yourDatabaseName;Uid=yourUsername;Pwd=yourPassword;

Trusted connection:

Driver={SQL Server};Server=yourServerName;Database=yourDatabaseName;Trusted_Connection=yes;

SQL OLE DB connection strings

SQL Server 2005, 2008

System.Data.OleDb.OleDbConnection

Standard Security:

Provider=SQLOLEDB;Data Source=yourServerName;Initial Catalog=yourDatabaseName;User ID=yourUsername;Password=yourPassword;

Trusted connection:

Provider=SQLOLEDB;Data Source=yourServerName;Initial Catalog=yourDatabaseName;Integrated Security=SSPI;

SQL OleDbConnection .NET strings

Standard Security:

Provider=SQLOLEDB;Data Source=Your_Server_Name;Initial Catalog=Your_Database_Name;User ID=Your_Username;Password=Your_Password;

Trusted connection:

Provider=SQLOLEDB;Data Source=Your_Server_Name;Initial Catalog=Your_Database_Name;Integrated Security=SSPI;

SQL SqlConnection .NET strings

Standard Security:

1. Data Source=Your_Server_Name;Initial Catalog=Your_Database_Name;User ID=Your_Username;Password=Your_Password;
2. Server=Your_Server_Name;Database=Your_Database_Name;User ID=Your_Username;Password=Your_Password;Trusted_Connection=False;

Trusted connection:
1. Data Source=Your_Server_Name;Initial Catalog=Your_Database_Name;Integrated Security=SSPI;
2. Server=Your_Server_Name;Database=Your_Database_Name;Trusted_Connection=True;

Getting more site hits

Here are a few basic points on getting more hits for your site.

* Make sure body text is optimised for keywords.

* Make sure title tags are well written and different for each page and reflect the page content.

* Submit to search engines, although once they have been submitted, the search engines are very good at re-crawling at regular intervals.  One way of submitting to search engines is to create an XML sitemap of your site and submit that to the search engines.

* Look for other sites where you can advertise your products which may mean paying.

* Look at google adwords or other similar forms of advertising.

* Create a Google Analytics account to monitor traffic and keyword success.

* Provide content that will encourage people to return to your site, e.g. free stuff, regular updates of information.

* Provide a newsletter or other means of keeping in contact with people.

* Provide some kind of two-way interaction, e.g. a forum discussion system.


EasyPHP on Windows 7

EasyPHP is an application that you install on your Windows computer which you can use as a development system for PHP / Apache and MySQL databases.

It can be downloaded from http://www.easyphp.org/ and I find it a very good way to develop applications using PHP on my Windows computer.

EasyPHP contains a single executable which, when run, installs PHP, the Apache web server and a MySQL database onto your Windows computer.  All very neat and convenient to use.

However, when I tried to install on Windows 7 I came across a number of issues with Apache and with mySQL.

When I launched the software, Apache wouldn't start.  Here is the error:

Apache cannot run: another Web server is using the Web port or port is blocked by firewall.

To overcome this issue:

1. Click the EasyPHP icon beside the “Apache” button.
2. Click “Configure” then click “EasyPHP”.
3. Uncheck “Check server’s TCP port before starting”, then click the “Apply” button and then the “Close” button.
4. Click the “Apache” button and then click “Start”.

That fixes the “Apache cannot run…” problem.

The above gets the Apache server to work but after I closed EasyPHP and ran it again, I got this second error message :

Unexpected end of MySql… See log file?

This is a MySQL error message and is actually a file permission problem.

So I changed the user permissions for the EasyPHP directory and MySQL started correctly.

To set your permissions, this is what you do:

1. Open and view drive C in Windows Explorer, then double-click “Program Files”, assuming that you installed EasyPHP in that folder.
2. Right-click on the folder where you installed EasyPHP, then click “Properties”.
3. On the “Security” tab click the “Edit…” button.
4. Select the user that you are currently using.  This will probably be something like “Users (computer name)”.
5. Under the “Permissions for Users” box, tick “Full control” in the “Allow” column.
6. Then click the “OK” button to apply the changes.

Now you should be able to start the MySQL server by clicking the “MySQL” button on the EasyPHP dialog and then clicking “Start”.  Or shut down EasyPHP and restart it again.

Hopefully that will solve issues when working with Windows 7 and EasyPHP.