Category > Web Development

Professional Career

» 22 April 2013 » In Life, Programming, Web Development » No Comments

A few days from now, I will be starting my professional career. To be honest, I’m pretty excited. I will be working for a big telecommunications company in my country, and I’ll probably do some web development related work during my stay. This is very new to me, and the work would probably require team-oriented skills, which I currently lack.

Expectations

There will be some training involved, so apparently, a bond of one or two years will be included in the contract which I will be signing soon. It’s pretty rough, but will surely be worth the experience I will be receiving.

About the salary, I’m really happy about it. It’s not far from my dream salary, but who cares, I’m still a fresh graduate. I ended up being offered 200% more than what I expected. It’s pretty satisfying considering the amount of work I can offer back to the company. The taxes hurt though.

Professionalism

Being a freelancer since 2007, I’ve learned to interact with different kinds of people. I can speak publicly well too, and I consider myself a capable leader. Interacting with my colleagues will surely be the hardest part. I’ve been flying solo all my coding life, and I’ve barely worked with people at the same level. To be honest, I’d rather write the code myself. I know this is bad, so I gotta patch up somehow. Careers are meant to progress; they don’t stay at one point for a very long period of time.

Challenges

Attendance is probably my greatest challenge. I’m known for my laziness and tardiness. I set times and dates on my appointments and I still find myself late by at least an hour. Now, I think I need to wake up early enough that I will have extra time for coffee in the office. That’s pretty ideal, and I hope to execute it well.

Thinking outside the box will surely be a drag. Though I am capable of doing (well some may say ‘amazing’) things that will qualify, I need to surpass my limits every day.

Next

It’s almost near. I’m expected to start on the first business day of May. As I’ve said, it’s pretty exciting. Cheers!


Exploiting SQL Injection Vulnerabilities

» 15 August 2011 » In PHP, Security, Web Development » 2 Comments

Back in my exploiting days, SQL injection was pretty popular. I guess it still is at the moment, but because I’m out of the scene, I can’t be sure. Well anyway, I’m gonna show how SQL injection is done, with a sample script and database table. I won’t go into detailed information about SQL injection; this is the actual execution.

First create a test database, and a test table with basic user details.

CREATE DATABASE `sqltest`;

CREATE TABLE  `sqltest`.`users` (
	`id` INT NOT NULL ,
	`username` VARCHAR( 20 ) NOT NULL ,
	`password` VARCHAR( 32 ) NOT NULL ,
	`address` VARCHAR( 50 ) NOT NULL ,
	`email` VARCHAR( 30 ) NOT NULL ,
	PRIMARY KEY (  `id` )
);

Then we fill it with random information. As for the password, let’s be advanced and put an MD5 hash for it.

INSERT INTO `sqltest`.`users` VALUES (0, 'ruel', '34819d7beeabb9260a5c854bc85b3e44', '9B Kingston Street, Westchester, CA 90045', 'myrandomemail@domain.com');

Now, we create a simple PHP script called viewuser to output the data we stored to the database.

<?php
	// Make sure there's a GET request first
	if (!isset($_GET['id'])) {
		die;
	}
	
	$id = $_GET['id'];

	// Your server details go here.
	$conn = mysql_connect('localhost', 'username', 'password') or die(mysql_error());
	mysql_select_db('sqltest', $conn) or die(mysql_error());
	
	// This is our query
	$sql = "SELECT username
			FROM users 
			WHERE id = " . $id;
	
	// Execute our query
	$result = mysql_query($sql) or die(mysql_error());
	
	// Check if there are results
	if (mysql_num_rows($result) == 0) {
		die;
	}
	
	// Get the username
	while($row = mysql_fetch_assoc($result)) {
		$username = $row['username'];
	}
?>
<!doctype html>
<html>
<head>
	<title>View User</title>
	<style>
		body {
			font-family: Arial;
			font-size: 1.5em;
			color: #555;
		}
		
		#userblock {
			margin-top: 200px;
			text-align: center;
		}
	</style>
</head>
<body>
	<div id="userblock">
		Hello! I'm <strong><?php echo htmlspecialchars($username, ENT_QUOTES, 'UTF-8'); ?></strong>
	</div>
</body>
</html>
<?php
	mysql_close($conn);
?>

Next step is to try it: viewuser.php?id=0. And it works!

It works!


Then let’s start injecting SQL code. Since we already know the table structure, we could easily extract information from the database using SQL injection. But we will pretend that we do not know it, and start by finding out how many columns we have to pass to UNION ALL SELECT. This is done by injecting an ORDER BY clause in the URL, plus an integer. If the page returns an error, the number of selected columns is one less than the integer that caused it.

Let’s start with 1: viewuser.php?id=0 ORDER BY 1 – No error. Then we try 2: viewuser.php?id=0 ORDER BY 2 – Error: Unknown column '2' in 'order clause'.

What does that mean? Column number two doesn’t exist. That means, there’s only one selected column. And yes, if you would look at our code, only the column username is selected.

Now we inject UNION ALL SELECT. But first, we do not know what fields are present in the database. As far as I know, in blind SQL injection, there’s no way of retrieving column names with a query. The only way would be bruteforcing. If the page showed the data you were referring to, then the column name is correct, otherwise, it will return an error.

The same goes for the table name, it needs bruteforce. You have to try and try until you get the right table name and column name.

Since we only have one selected column, we can only pass one argument to UNION ALL SELECT. The query will be injected as: viewuser.php?id=0 UNION ALL SELECT (column) FROM table

Now, it’s your turn: try the fields in our structure and examine the output. Here’s what it looks like when passing the password field as an argument: viewuser.php?id=0 UNION ALL SELECT (password) FROM users

Hashed password


Yes, that’s the password we inserted in the database earlier. And please take note that in the actual script, we didn’t mean to show any other fields except username.

Some of the password fields in poorly coded websites are in plain text, so it is fairly easy for attackers to get into the system.

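How do we secure the script? Well, it’s pretty easy. We’ll make use of the mysql_real_escape_string() function in PHP and put the escaped value between single quotes, so the whole input is treated as one string literal. Escaping alone would not be enough here, because the injected text contains no quote characters to escape. And this is how it’s done: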

$sql = "SELECT username
	FROM users 
	WHERE id = '" . mysql_real_escape_string($id) . "'";

And if we inject our last query again: viewuser.php?id=0 UNION ALL SELECT (password) FROM users, it won’t work anymore.

SQL injection is pretty powerful. You can actually DROP the whole table if you want to. The possibilities are quite endless, and poor coding causes this. There are also more ways to resolve this issue: input validation, mysqli, etc. Practice secure coding, especially on public scripts.
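
The difference between a concatenated query and a bound parameter, plus the input validation mentioned above, as an added example that is not part of the original post. Python's sqlite3 stands in for PHP and MySQL here (an assumption), the row mirrors the one inserted earlier, and the function names are hypothetical.

```python
import re
import sqlite3

# Constructed sample data mirroring the post's `users` row.
HASH = "34819d7beeabb9260a5c854bc85b3e44"
PAYLOAD = "0 UNION ALL SELECT (password) FROM users"  # the post's injected id


def make_db():
    """Build an in-memory table shaped like the post's `users` table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
               "password TEXT, address TEXT, email TEXT)")
    db.execute("INSERT INTO users VALUES (0, 'ruel', ?, "
               "'9B Kingston Street, Westchester, CA 90045', "
               "'myrandomemail@domain.com')", (HASH,))
    return db


def view_user_concat(db, raw_id):
    """Same flaw as viewuser.php: the id is pasted into the SQL text."""
    sql = "SELECT username FROM users WHERE id = " + raw_id
    return [row[0] for row in db.execute(sql)]


def view_user_bound(db, raw_id):
    """The id travels as a bound parameter, so it can only ever be a value."""
    sql = "SELECT username FROM users WHERE id = ?"
    return [row[0] for row in db.execute(sql, (raw_id,))]


def parse_id(raw_id):
    """Input validation: accept 1-10 ASCII digits, otherwise reject (None)."""
    return int(raw_id) if re.fullmatch(r"[0-9]{1,10}", raw_id) else None


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", view_user_concat(db, PAYLOAD))  # hash is returned
    print("bound:       ", view_user_bound(db, PAYLOAD))   # no rows
    print("bound, id=0: ", view_user_bound(db, "0"))       # normal lookup
    print("validated:   ", parse_id(PAYLOAD), parse_id("0"))
```

With the bound parameter the database never parses the input as SQL, so the result does not depend on escaping or quoting being applied correctly at every call site.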


Crossword Puzzle in HTML

» 02 December 2010 » In Internet, Life, Web Design, Web Development » 1 Comment

This is a pretty basic document I coded last night. Basically this is a Web Design homework and the deadline is tomorrow morning. Yes I know it’s easy, but for the sake of the people curious about it, or those who are still starting with web design, I posted this.

HTML Version

In the past few days, while thinking about this, I decided to code this in HTML5 + CSS + JS. But then, because this is just a homework, and to be passed via e-mail, JS + HTML5 won’t be good.

First, because JS won’t automatically be executed locally, which destroys the first impression. I really wanted to do this in JS to add interactivity. Like, answering the crossword puzzle before revealing the answers, or have a button that will reveal the answers right away.

Second, some HTML5 tags will not work on older browsers, and only up-to-date and modern browsers can interpret its new tags. But if you would think, I only have one audience, my instructor. Well the problem is, if the code fails, my grade will fail too. I do not want to risk that, but anyway, XHTML 1.0 works just fine.

Style

I’m a minimalist, I like things simple, and for this one I stuck to one sans font. White background color, and gray text. Here’s the body style:

body {
	font-family: Arial, Helvetica, Verdana, sans-serif;
	font-size: 1em;
	color: #666;
	background-color: #fff;
}

And yeah, for the table and data, I used the same color scheme.

#crosstable {
	margin: 0 auto 0 auto;
	border: 3px solid #666;
}

#crosstable td {
	width: 30px;
	height: 30px;
	border: 1px solid #666;
	border-spacing: 0;
	padding: 5px 5px 5px 5px;
}

The tricky part is the superscript in the cells. It took me some time to remember all about negative margins. Well anyway, it went well.

#crosstable td sup {
	vertical-align: super;
	font-size: 0.5em;
	position: relative;
	top: -6px;
	left: -7px;
	font-weight: normal;
	margin-right: -0.5em;
}

Output

Of course I’ll show it to you. Besides, I already e-mailed my instructor with a zip archive containing the HTML file and the CSS file. See it here.

Validation

The document is valid XHTML 1.0 Strict. You can see for yourself: Click Here.
