Disturbingly Common

So you’ve got a web site

Let’s say it’s a blog.  Not one like this site, that is a free wordpress.com account, but a real blog, one you’re paying for each month, hosted somewhere like Bluehost.

And your blog is using a database that you’ve created to do something, maybe a guestbook.  Doing posts is easy, but you wanted to take it to another level.  You’re made to believe that programming simple web pages with databases on the back-end is “that easy.”  Well, it is that easy.  Heck, most hosts come with a panel or dashboard where you can set it all up with a few clicks.  It’s also “that easy” to hack if you don’t take some simple precautions.

Your site evolves into something with a database

The reason I chose a blog is because that’s how a lot of people start.  They evolve into “using email” or “adding a database” or something of that nature.  But this applies to any ol’ web site that uses a database, it doesn’t have to be a blog.

After reading this, don’t feel bad, just tell your programmers to fix it.  Of course, if that is you, well, you need to fix it.

I’ve tried to keep this usable to someone non-technical that is trying to run their own blog/site.  Technical people already know about all this, but non-technical people are creating sites left and right these days.  And malicious people are using wonderfully scary tools like Backtrack to exploit them.

A couple of things you need to do

1. Create a very complex password for the account your site uses to connect to your database – I usually recommend something on the order of 16 or more characters with upper and lower case letters, numbers and funny symbols.  Inconvenient?  Sure.  Safer?  Sure.  You wouldn’t believe how common it is to find passwords with just 6 or 8 characters, all letters, maybe one number.  Give a password cracker like John the Ripper a little while and, as one of my security friends says, “it’s all over but the cryin’.”  While you’re at it, make sure that account only has the rights the site actually needs on that one database; if the password does leak, the damage stops there.

2. Scrub your user’s input and use safe queries.  Here’s what I mean, using a deliberately simple guest book example.  This guest book only asks you for your first name, nothing else!  Nice.  Anyhow…

Let’s say you ask someone on an online form for their first name.  And let’s say you insert that into a database.  Here’s what you might initially do.

$firstName = $_POST['user_input_first_name'];
mysql_query("INSERT INTO MyGuestBook (firstName) VALUES ('" . $firstName . "')");

What’s wrong with this?  Two things.  First, you’re not scrubbing the user’s input to make sure $firstName actually looks like a name.  Second, and much worse, the value is pasted straight into the SQL text.  A single quote in the input closes the string literal, so whatever the visitor types after it is run as SQL the attacker wrote, not the query you wrote.  Let’s just say a malicious person could, for instance, get all the information out of your guestbook without your permission.

Here’s what you can do instead.  I’m no PHP/MySQL expert, but since that’s pretty common in the blogosphere, I’ve given it a try.

$firstName = isset($_POST['user_input_first_name']) ? $_POST['user_input_first_name'] : '';

try {
   $pdo = new PDO('mysql:dbname=your_database;host=localhost', $username, $password);
   // Real server-side prepares, so the value is never spliced into the SQL text
   $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
   $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} catch (PDOException $e) {
   // Log the details for yourself; don't echo them to the visitor, who may be the attacker
   error_log("Connection failed: " . $e->getMessage());
   exit("Sorry, the guestbook is unavailable right now.");
}
// The :firstName placeholder is bound separately from the SQL, so a quote in the input stays a quote
$stmt = $pdo->prepare('INSERT INTO MyGuestBook (firstName) VALUES (:firstName)');
$stmt->execute(array(':firstName' => $firstName));

And if your site is built on ASP.NET/SQL Server, another pretty common combination, the same idea looks like this.

 Dim connString As String = ConfigurationManager.ConnectionStrings("your_database").ConnectionString
 Dim sqlString As String = "insert into [ss].[dbo].[MyGuestBook] (firstName) values (@firstName);"

 Using sqlConnection As New SqlConnection(connString)
     Using sqlCommand As New SqlCommand(sqlString, sqlConnection)
         ' The value travels as a typed parameter, not as part of the SQL text
         ' (size 50 is a placeholder; match it to your column definition)
         Dim paramFirstName As New SqlParameter("@firstName", SqlDbType.VarChar, 50)
         paramFirstName.Value = inputFromUserCleanedFirstName
         sqlCommand.Parameters.Add(paramFirstName)

         sqlConnection.Open()
         ' An INSERT returns no result set, so ExecuteNonQuery is the right call here
         sqlCommand.ExecuteNonQuery()
     End Using
 End Using
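To see the difference in action without a web server, here is an added example (mine, not code from the original post) in Python using the built-in sqlite3 module instead of MySQL or SQL Server. It runs the same guestbook INSERT both ways, glued together like the first PHP snippet and parameterised like the fixes, against a constructed in-memory MyGuestBook table, with one honest visitor named O'Brien and one constructed attacker input, and it includes a simple scrub step of the kind item 2 asks for. The table layout, the 40-character limit and the attacker string are my assumptions, not anything from the post.

```python
import sqlite3

# Constructed attacker input for the demo: it ends the first VALUES row and opens a second one.
INJECTED_NAME = "Eve'), ('Mallory"


def make_db():
    """Fresh in-memory table standing in for the blog's MyGuestBook (assumed schema: one text column)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE MyGuestBook (id INTEGER PRIMARY KEY, firstName TEXT NOT NULL)")
    return conn


def insert_unsafe(conn, first_name):
    """The vulnerable pattern: the visitor's text is glued into the SQL string, quotes and all."""
    sql = "INSERT INTO MyGuestBook (firstName) VALUES ('" + first_name + "')"
    conn.execute(sql)
    conn.commit()


def insert_safe(conn, first_name):
    """The parameterised pattern: the SQL text is fixed and the value is handed to the driver separately."""
    conn.execute("INSERT INTO MyGuestBook (firstName) VALUES (?)", (first_name,))
    conn.commit()


def stored_names(conn):
    """Everything currently in the guestbook, in insertion order."""
    return [row[0] for row in conn.execute("SELECT firstName FROM MyGuestBook ORDER BY id")]


def run_guestbook(insert_fn, submissions):
    """Feed each submission through insert_fn on a fresh table.

    Returns (names now in the table, error messages raised along the way).
    """
    conn = make_db()
    errors = []
    for submission in submissions:
        try:
            insert_fn(conn, submission)
        except sqlite3.OperationalError as exc:  # malformed SQL, i.e. the input rewrote the query
            errors.append(str(exc))
    return stored_names(conn), errors


def is_valid_first_name(first_name):
    """The 'scrub' step: 1-40 characters of letters, spaces, hyphens or apostrophes (assumed rule).

    Apostrophes are deliberately allowed (O'Brien is a real name), which is exactly why scrubbing
    alone does not protect the query and parameters are still required.
    """
    name = first_name.strip()
    return 1 <= len(name) <= 40 and all(ch.isalpha() or ch in " '-" for ch in name)


if __name__ == "__main__":
    for label, fn in (("unsafe", insert_unsafe), ("safe", insert_safe)):
        print(label, "with O'Brien:", run_guestbook(fn, ["Alice", "O'Brien"]))
        print(label, "with injection:", run_guestbook(fn, ["Alice", INJECTED_NAME]))
    print("valid?", is_valid_first_name("O'Brien"), is_valid_first_name(INJECTED_NAME))
```

With the glued-together query, the apostrophe in O'Brien breaks the page for an honest visitor, and the attacker string quietly adds a second row the site never asked for; with parameters, both are stored exactly as typed. The scrub step rejects the attacker string but has to accept O'Brien, which is why scrubbing complements parameters rather than replacing them.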

Of course, the attackers aren’t just going to stop here with what’s called SQL injection.  Nah, they’ll be onto other things as soon as you’re an interesting target.  However, the idea here is that you use the database technology itself (prepared statements and parameters) to keep malicious user input from ever becoming part of your SQL.  And more importantly, you’re thinking like a malicious person, one of the best things you can do for yourself.

I genuinely hope this makes sense, but let me know if it doesn’t, and enjoy the net, safely!
