Posts Tagged ‘Technology/Internet’
Tuesday, September 20th, 2011
REST stands for Representational State Transfer. (It is sometimes spelled “ReST”.) It relies on a stateless, client-server, cacheable communications protocol — and in virtually all cases, the HTTP protocol is used.
REST is an architecture style for designing networked applications. The idea is that, rather than using complex mechanisms such as CORBA, RPC or SOAP to connect between machines, simple HTTP is used to make calls between machines.
- In many ways, the World Wide Web itself, based on HTTP, can be viewed as a REST-based architecture.
RESTful applications use HTTP requests to post data (create and/or update), read data (e.g., make queries), and delete data. Thus, REST uses HTTP for all four CRUD (Create/Read/Update/Delete) operations.
REST is a lightweight alternative to mechanisms like RPC (Remote Procedure Calls) and Web Services (SOAP, WSDL, et al.). Later, we will see how much simpler REST is.
- Despite being simple, REST is fully-featured; there’s basically nothing you can do in Web Services that can’t be done with a RESTful architecture.
REST is not a “standard”. There will never be a W3C recommendation for REST, for example. And while there are REST programming frameworks, working with REST is so simple that you can often “roll your own” with standard library features in languages like Perl, Java, or C#.
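As an added example (not from the original post), here is a minimal REST-style resource in Python that maps the four HTTP methods onto the four CRUD operations for a hypothetical /notes collection held in memory. The NotesResource class, its handle() method, the status codes it returns and the /notes path are assumptions made for illustration; the point is that every request stands on its own, the URL names the resource, the verb names the operation, and any verb/resource combination outside that allow-list is refused with 404 or 405 rather than guessed at.

```python
import json


class NotesResource:
    """Hypothetical /notes collection held in memory (constructed for this example).

    Every call to handle() is independent: the server keeps no per-client
    session, only the state of the resource itself.
    """

    def __init__(self):
        self.notes = {}
        self.next_id = 1

    @staticmethod
    def _parse_body(body):
        # A JSON object with a string "text" field is the only representation accepted.
        try:
            payload = json.loads(body or "")
        except ValueError:
            return None
        if not isinstance(payload, dict) or not isinstance(payload.get("text"), str):
            return None
        return payload

    def handle(self, method, path, body=None):
        """Dispatch one HTTP request; returns (status_code, response_body)."""
        parts = [p for p in path.split("/") if p]
        if not parts or parts[0] != "notes" or len(parts) > 2:
            return 404, {"error": "no such resource"}

        note_id = None
        if len(parts) == 2:
            # The identifier must be numeric and must name an existing note.
            if not parts[1].isdecimal() or int(parts[1]) not in self.notes:
                return 404, {"error": "no such note"}
            note_id = int(parts[1])

        if method == "POST" and note_id is None:            # Create
            payload = self._parse_body(body)
            if payload is None:
                return 400, {"error": "bad request body"}
            nid, self.next_id = self.next_id, self.next_id + 1
            self.notes[nid] = {"id": nid, "text": payload["text"]}
            return 201, self.notes[nid]
        if method == "GET":                                  # Read
            if note_id is None:
                return 200, list(self.notes.values())
            return 200, self.notes[note_id]
        if method == "PUT" and note_id is not None:          # Update
            payload = self._parse_body(body)
            if payload is None:
                return 400, {"error": "bad request body"}
            self.notes[note_id]["text"] = payload["text"]
            return 200, self.notes[note_id]
        if method == "DELETE" and note_id is not None:       # Delete
            del self.notes[note_id]
            return 204, None
        # Any other verb/resource combination is refused, not interpreted.
        return 405, {"error": "method not allowed"}


if __name__ == "__main__":
    r = NotesResource()
    print(r.handle("POST", "/notes", '{"text": "hello"}'))
    print(r.handle("GET", "/notes"))
```

Wiring this into a real server is a matter of reading the method, path and body from the request and writing the returned tuple back; the dispatch logic does not change, which is what makes the style easy to “roll your own” with.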
Tags: C, cacheable communications, Common Object Request Broker Architecture, computing, Concurrent computing, Create read update and delete, HTTP, HTTP protocol, Inter-process communication, Java, Perl, Remote procedure call, Representational State Transfer, SOAP, Software architecture, Software engineering, Technology/Internet, Web services, Web Services Description Language Posted in Ajatus | 1 Comment »
Sunday, February 6th, 2011
What is Ubuntu Repository?
It is the place where all the software package builds for Ubuntu are stored. When you install something, apt downloads the package from the repository and installs it.
Who should create a Repository?
If you have a lot of Ubuntu machines on which you want to install and update many packages, or if you have a slow internet connection, then this is for you.
How can you create a Repository?
There are many ways how you can create a Repository.
- apt-proxy
- apt-cacher
- apt-mirror
Here I am going to show you how to create one using apt-mirror. If the machine is connected to the internet and has a web server configured, it can also serve as a public mirror for others to download from.
Process of Creating The Repository
First of all you need a fast internet connection (this is required only once) and about 80 GB of space to hold all the downloaded packages.
I am setting up a repository for maverick-meerkat and have also included third-party software. If you want, you can add new source links to the repositories, and also remove some if you don’t want them. It is about 63.9 GB, but I have added another 20 GB as a fail-safe.
So here we go.
Step 1: First install apt-mirror
```sh
sudo apt-get install apt-mirror
```
Now that apt-mirror is installed, let’s configure it.
Step 2: Open the configuration file
```sh
gksudo gedit /etc/apt/mirror.list
```
This is where you enter the repositories that your local mirror will get all of its sources and debs from.
Here’s what my mirror.list file looks like. Feel free to modify it to include or exclude what you will. Also, you may be able to find a closer and thus faster repository site, e.g. if you are in India you should look for an Indian repository.
```
############# config ##################
#
# set base_path /var/spool/apt-mirror
#
# set mirror_path $base_path/mirror
# set skel_path $base_path/skel
# set var_path $base_path/var
# set cleanscript $var_path/clean.sh
# set defaultarch
# set postmirror_script $var_path/postmirror.sh
# set run_postmirror 0
set nthreads 20
set _tilde 0
#
############# end config ##############
deb http://archive.ubuntu.com/ubuntu maverick main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu maverick-security main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu maverick-updates main restricted universe multiverse
#deb http://archive.ubuntu.com/ubuntu maverick-proposed main restricted universe multiverse
#deb http://archive.ubuntu.com/ubuntu maverick-backports main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu maverick main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu maverick-security main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu maverick-updates main restricted universe multiverse
#deb-src http://archive.ubuntu.com/ubuntu maverick-proposed main restricted universe multiverse
#deb-src http://archive.ubuntu.com/ubuntu maverick-backports main restricted universe multiverse
clean http://archive.ubuntu.com/ubuntu
```
I have added all the repositories for maverick; you can add others according to your requirements.
Step 3: Now run it for the first time. This is going to take a long time, so set aside a few hours for it. If you need to stop it and restart it later there is no problem, as it resumes from where it left off, so you can run it whenever nobody else is using the connection.
```sh
sudo apt-mirror /etc/apt/mirror.list
```
Step 4: Phew, once that’s done you’ll get some instructions on how to clean up unwanted files. Follow those. They’ll probably ask you to run the command below, but double-check against your own output.
```sh
sudo /var/spool/apt-mirror/var/clean.sh
```
Step 5: Once the download is done, add it to the cron file so that the mirror gets updated every day. Run this command to edit the file:
```sh
gksudo gedit /etc/cron.d/apt-mirror
```
Just uncomment the last line (remove the leading #) and the mirror will be updated every day at 4:00 AM; you can edit the line to change the time and interval.
Step 6: Now let’s see how to use this repository. The easiest way is to serve it with a web server such as Apache, so install Apache (the Ubuntu package is called apache2):
```sh
sudo apt-get install apache2
```
Step 7: Point the Apache web directory at the mirror (the link target is root-owned, so this needs sudo):
```sh
sudo ln -s /var/spool/apt-mirror/mirror/archive.ubuntu.com/ubuntu /var/www/ubuntu
```
Step 8: Then add this repository on the machines you want to update.
For example, if the mirror machine can be reached as ajatus.in, just add
```
deb http://ajatus.in/ubuntu maverick main restricted universe multiverse
```
This is how you can set up your own repository for ubuntu.
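As an added example that is not part of the original post, the following Python script parses a mirror.list in the format shown above and derives from it the two things the later steps depend on: the on-disk directory apt-mirror populates for each source (the path symlinked in step 7) and the sources.list lines a client machine needs (step 8). It also flags any suite mirrored without its -security pocket, since clients pointed only at such a mirror would never see security updates. The embedded configuration is a trimmed copy of the one above; the function names, the default paths (taken from the commented-out config lines) and the assumption that the mirror is published under /ubuntu on the web server are mine.

```python
from urllib.parse import urlparse

# Constructed sample: a trimmed copy of the mirror.list from the post above.
SAMPLE_MIRROR_LIST = """\
############# config ##################
# set base_path /var/spool/apt-mirror
set nthreads 20
set _tilde 0
############# end config ##############
deb http://archive.ubuntu.com/ubuntu maverick main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu maverick-security main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu maverick-updates main restricted universe multiverse
#deb http://archive.ubuntu.com/ubuntu maverick-proposed main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu maverick main restricted universe multiverse
clean http://archive.ubuntu.com/ubuntu
"""


def parse_mirror_list(text):
    """Parse mirror.list into (settings, entries, clean_urls); '#' lines are skipped."""
    settings, entries, clean = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] == "set" and len(fields) >= 3:
            settings[fields[1]] = " ".join(fields[2:])
        elif fields[0] in ("deb", "deb-src") and len(fields) >= 4:
            entries.append({"type": fields[0], "url": fields[1],
                            "suite": fields[2], "components": fields[3:]})
        elif fields[0] == "clean" and len(fields) == 2:
            clean.append(fields[1])
        else:
            raise ValueError("unrecognised mirror.list line: " + raw)
    return settings, entries, clean


def mirror_directory(settings, url):
    """Where apt-mirror stores a source: mirror_path/<host>/<path>, using the
    defaults shown in the commented-out config lines when nothing overrides them."""
    base = settings.get("base_path", "/var/spool/apt-mirror")
    mirror_path = settings.get("mirror_path", "$base_path/mirror").replace("$base_path", base)
    parsed = urlparse(url)
    return mirror_path + "/" + parsed.netloc + parsed.path


def client_sources(entries, mirror_host, web_path="ubuntu"):
    """sources.list lines for a client, assuming the mirror directory is
    published at http://<mirror_host>/<web_path> (the symlink from step 7)."""
    return ["deb http://%s/%s %s %s" % (mirror_host, web_path, e["suite"], " ".join(e["components"]))
            for e in entries if e["type"] == "deb"]


def suites_without_security(entries):
    """Base suites mirrored without their '-security' pocket: clients that use
    only this mirror would never receive security updates for them."""
    suites = {e["suite"] for e in entries if e["type"] == "deb"}
    return sorted(s for s in suites if "-" not in s and s + "-security" not in suites)


if __name__ == "__main__":
    settings, entries, clean = parse_mirror_list(SAMPLE_MIRROR_LIST)
    print(mirror_directory(settings, entries[0]["url"]))
    for line in client_sources(entries, "ajatus.in"):
        print(line)
    print("suites missing -security:", suites_without_security(entries))
```

Run against the sample, the directory printed is exactly the one linked in step 7, and the client lines are the step 8 line plus its -security and -updates siblings; the check at the end comes back empty only because maverick-security is in the list.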
Tags: computing, Deb, Debian, Dpkg, faster repository site, Free software, Linux, Linux distributions, Live CD, slow internet connections, Software projects, Technology/Internet, Ubuntu, web configuration Posted in OpenSource Software, ubuntu | 11 Comments »
Saturday, December 18th, 2010
I always wondered whether there was a way to catch friends off guard when they are invisible. Luckily I came across Python’s XMPP library, which helped me. On Ubuntu Linux you can install this module using apt.
```sh
sudo aptitude install python-xmpp python-dnspython
```
The complete script is below. Open gedit or Vim and copy-paste the code. Save it as “track_invisible_users.py”. Don’t forget to replace the username and password fields.
```python
import xmpp  # xmpppy, from the python-xmpp package

# constants: replace with your own account details
USER_ID = "youruserid@gmail.com"
PASSWORD = "yourpassword"
SERVER = "gmail.com"

jid = xmpp.protocol.JID(USER_ID)
C = xmpp.Client(jid.getDomain(), debug=[])
if not C.connect((SERVER, 5222)):
    raise IOError('Can not connect to server.')
if not C.auth(jid.getNode(), PASSWORD):
    raise IOError('Can not auth with server.')
C.sendInitPresence(requestRoster=1)

def myPresenceHandler(con, event):
    # print the bare JID of every contact whose presence stanza is 'unavailable'
    if event.getType() == 'unavailable':
        print(event.getFrom().getStripped())

C.RegisterHandler('presence', myPresenceHandler)
while C.Process(1):
    pass
```
After this, run
```sh
python track_invisible_users.py
```
Tags: computing, Cross-platform software, Free software, Gedit, GNOME, google talk, GTK, guard, invisible users, Linux, Python, Python's XMPP library, R, Technology/Internet, Ubuntu, Vim Posted in Python | 18 Comments »
Sunday, October 24th, 2010
Google has launched its online music service in India that enables users to search for legal music streams and downloads.
For its Indian music search service (http://www.google.co.in/music) Google has partnered with In.com, Saregama and Saavn. The three digital music providers, hold rights to hundreds of thousands of Indian tracks – ranging from old and new Bollywood hits to Indian classical music. The music search service currently indexes only Hindi songs.
Users can search for a particular song, an album or even for artists. On clicking the search results the songs play on a pop-up window.

Tags: Bollywood songs, Business Partnership, computing, Digital media, Entertainment/Culture, Google, Google Inc., google india, Google Labs, google music, In.com, India, Internet search engines, music search service, online music service, Saavn, Saregama PLC, Technology/Internet, World Wide Web Posted in Ajatus | 3 Comments »
Tuesday, August 31st, 2010
Don’t be surprised if, when you wake up tomorrow and log on to your Gmail inbox to check your mail, you find something new in the left-hand sidebar. Google has an uncanny knack of surprising people, and here comes a new feature called Priority Inbox. Priority Inbox lets important emails surface and stay at the top, pushing the less relevant stuff into the background. When Priority Inbox gets it wrong, you can train it using the +/- buttons that are part of the new menu.
Google’s official page has plenty to say. It says Priority Inbox can help save you time if you’re overwhelmed with the amount of email you get. It attempts to automatically identify your important incoming messages and separates them out from everything else. Gmail uses a variety of signals to prioritize your incoming messages, including who you email most frequently and which messages you’ve recently opened as opposed to which messages you’ve deleted. When you click the Priority Inbox navigation link on the left-hand side of your mail, you’ll see messages grouped in three sections: Important and unread, Starred, and Everything else. If Priority Inbox mistakes an email as important or doesn’t flag one that’s important to you, you can teach it to make better selections. Just select the message in question and click the “mark as important” or “mark as not important” button; they’re the buttons with plus and minus icons just to the left of the Move to and Labels drop-down menus.
When you mark a message as not important, it moves out of the Important section. Over time Priority Inbox learns what’s important to you and incorporates the feedback you give via these buttons. The signals that Gmail uses to prioritize your email are never surfaced to other users; they’re only used to prioritize your mail for you. So if you always ignore email from Bob and those messages are marked as “not important” in your inbox, it won’t affect how Bob sees the conversation in his inbox. Exciting stuff. I am pretty excited about the new feature.
Tags: Computer-mediated communication, computing, Cross-platform software, E-mail, email, Gmail, Gmail interface, Google Inc., priority email, priority mail, Technology/Internet, Web 2.0, World Wide Web Posted in Ajatus | 1 Comment »
Sunday, May 23rd, 2010
On the web, people have absolutely no patience. Your link pops up in Google search, someone clicks it, and the stopwatch immediately starts ticking. If your company’s website doesn’t pop up in two to three ticks, I can guarantee that before the fourth tick visitors will click the back button and try the next links in the search results. Whether you are building your website or contracting it out, make sure your site loads quickly.
You can certainly use a stopwatch to time your site, but doing so is actually a bad idea. Your browser may store graphics and other items in its cache to decrease load times on subsequent visits, so a stopwatch may not give an accurate indication of how long a page really takes to load for first-time visitors. Better tools are available. My favourite is Pingdom Tools at tools.pingdom.com, where you type the URL of the site or page you want to test and click the Test Now button. Pingdom Tools tests the page and displays the total time required for it to appear on the screen. Results also include a chart that displays the loading time for each object on the page, useful for identifying bandwidth hogs. If your site seems slow, it’s important to assess what is slowing it down. Fortunately, a couple of other free tools can help. To get started, you’ll need to install the following on your computer:
- Mozilla Firefox web browser
- Firebug
- Page Speed or YSlow
To test a page, open it in Firefox, click Tools > Firebug > Open Firebug, then click the Page Speed or YSlow tab and click Analyze Performance (for Page Speed) or Grade (for YSlow). Both tools list the factors that contribute to site speed, flag areas that need improvement and provide recommendations for fixing problems.
BUILDING FOR SPEED
You can do a number of things right now to speed up the performance of your website, including:
- Keep it simple. Don’t let window dressing slow your site.
- Combine Cascading Style Sheets(CSS) into a single file.
- Streamline your CSS by eliminating all unused styles.
- If your site is running on a blogging platform, install a caching plug-in.
- Trim images whenever possible.
- Specify image dimensions.
- Use CSS Sprites to combine background images into a single file.
- Avoid Flash-based websites.
- Move your website from shared to dedicated server or choose a more dependable, higher quality hosting service.
- Use a content delivery network such as Akamai Technologies to deploy contents across geographically distributed networks.
Tags: Clocks, Firebug, free tools, Google Inc., Horology, search results, Stopwatch, Technology/Internet, YSlow Posted in Ajatus, OpenSource Software, SEO, Web Development, web | 16 Comments »
Wednesday, April 7th, 2010
Social networking is the latest buzzword in cellphone circles, and mobile manufacturers are scrambling to offer the service to the ‘young and connected’ crowd.

Just when we thought cellphones have pretty much reached the end of their tether as far as functions go — cameras, mails, music, office suites, widgets, browsers, calls, texts, multimedia editing — they seem to have sprung a surprise. Cellphones are turning out to be devices facilitating social networking. And this, in turn, has spawned a new genre of cellphones — one that is designed to keep users connected not just to the mobile network and the odd website or e-mail account, but to all their social networks as well.
Ladies and gentlemen, welcome to the era of the social network phone. Be it established players like LG, Sony Ericsson, HTC or Samsung, or relative newcomers like INQ and Micromax, this is a segment that is witnessing new product launches almost every other day, with high-profile ad campaigns — of the likes of LG Cookie Pep, the INQ Chat 3G and the Micromax Facebook phone — to boot.
Tech pundits will raise their eyebrows at this category of cellphones, claiming that users have been able to access their social networks on their handsets for a while now. Be it updates on Facebook accounts, new pics uploaded on Flickr or the latest video doing the rounds on YouTube, users have been able to keep track of it all on their handsets for a few years now. Most social networks have mobile versions, so you may well wonder what all the fuss is about.
BUILDING A NETWORK
Aircel COO Gurdeep Singh summed up the essence of social networking phones when he described the recently launched INQ chat phones as “devices which are built with the internet at the core for a new generation with a different attitude to communication. That means a never-before, rich and authentic Facebook, Twitter and e-mail experience.”
And that is what makes this new breed of cellphones different from the routine “download a social networking app and run it” type of handset. Most of these newcomers have special features dedicated to social networks, be it a dedicated Facebook button as seen on the Micromax Q5 FB (‘FB’ standing for ‘Facebook’), special social network widgets on the LG Cookie Pep, a unified messaging and contacts option that lets you post to social networks as easily as you send an SMS, and keeps all your contacts (mobile and social networks) in one place as seen in the INQ Chat 3G, or a homescreen dedicated to fetch updates from your social networks on the Motorola Backflip. And in keeping with the largely young audience they are targeted at, these mobiles are attractively designed and come in dazzling colours. The INQ Chat 3G even comes with switchable backplates.
With the number of online social network users rising, there is a growing demand for phones with social networking features. Social networking has provided a platform for exchanging ideas without restriction on a global basis. Porting this characteristic to your mobile phone makes it easier and more convenient for people to be avid social networkers.
Samsung prefers to refer to social network-friendly phones as “messaging phones”, but its aim is the same — to keep the user connected to social networks. These phones provide users access to various networking sites, quick links to these sites through widgets, boast of fast connectivity and expandable memory space to store data and content. They offer users instant chat, messenger, and e-mail features and help them integrate and manage contacts easily. And to facilitate easy messaging, they have the Qwerty feature.
EASY ON THE POCKET
Another characteristic of many of these social networking phones is their relatively low price tag. Most of them offer features like touchscreens, Qwerty keypads and cameras without costing the earth. The Micromax Facebook phone comes for about Rs 4,000, the INQ Chat 3G for as little as Rs 7,300, the LG Cookie Zap for Rs 7,500, while the Corby Plus is just a touch over four figures — prices that are well below those of most smartphones. And yet these phones are able to hold their own against much more powerful and expensive smartphones when it comes to social networking. Suddenly, tech specs have been rendered largely irrelevant as users look for options to stay connected with minimum fuss.
It is becoming increasingly clear that what was perhaps once the privilege of those who could afford a top-end smartphone has now started making itself felt in the sub Rs 10,000 price band. The market is only going to get more competitive and only those that can provide a killer user experience will succeed. And that secret sauce is not in the hardware, but in the software.
HERE TO STAY
Although they have only recently started to make their presence felt in India, indications are that social network phones are going to be around for a while. With many organisations banning the use of social network sites on office computers, a large number of social network users are turning to their handsets to stay connected. While this would have necessitated using a high-end phone with an expensive data plan a few months ago, today this is possible at a fraction of the cost, thanks to the arrival of relatively inexpensive social network phones, coupled with data plans that are lower than Rs 100 a month for unlimited internet browsing on a handset (both Airtel and Aircel have such plans).
Peek’s Mangharam calls this trend “an acknowledgement by the mobile ecosystem, operators, device manufacturers, VAS providers etc, that social networking is now a mainstream activity and that there is a tremendous opportunity here”. And unlike some pundits, he feels that social networking apps on the cellphone actually discourage users. “Downloading an app, be it for social networking or for enabling e-mail, leads to a tremendous drop in adoption,” he explains. “Ease of setup and use is currently grossly underestimated as the killer app for phones and those companies that can offer a totally integrated experience on social networking or e-mail will stand the best chance of success.”
Samsung’s Yadav, however, feels that apps are going to be way ahead. “Consumers want more applications that they can download on their phones and customise. So newer versions of social networking phones are giving them these applications,” he points out.
Be it the app way or the integrated route, it seems social networking phones are here to stay.
Tags: 3G, Aircel, BUILDING A NETWORK, cellular telephone, COO, Electronics, Facebook, Facebook Inc, Gurdeep Singh, Health Tech Corporation Limited, Hutchison 3G, India, INQ, internet browsing, messenger, mobile and social networks, Mobile phone, Mobile telecommunications, Motorola Inc., online social network users rising, Online social networking, Samsung C&T, smartphone, Smartphones, SMS, Social network service, Social networking, social networking app, social networking apps, social networking features, social networking phones, social networks, Sony Ericsson, Sony Ericsson Mobile Communications AB, Technology, Technology/Internet, Twitter Inc, Web 2.0, World Wide Web, YouTube Inc Posted in web | 15 Comments »
Monday, March 8th, 2010
Typing is sooo yesterday. Google Gesture Search, a freshman out of Google Labs, lets you find stuff on your Android phone by drawing letters on the touchscreen as if you were jotting on a notepad. In addition to Android’s existing search by voice, image, and barcode, Gesture Search is yet another keyboardless input method for your touchscreen phone. At the very least, Gesture Search is a fun proof-of-concept; at most, it will hook a few dedicated touch keyboard haters. Here’s how it works.
With Gesture Search running, you write letters by swiping your fingertip on your touchscreen as if it were a whiteboard. With each character you input, Gesture Search live-searches your phone’s contacts, bookmarks, and music and displays the results on-screen. Tap an app, contact, bookmark, or song to launch it or view the contact. (For contacts, tap the green phone icon to start a call.)
When you start Gesture Search you get a plain black screen with a cursor-like pointer in the footer. You draw your first letter, and Gesture Search puts it at the bottom of the screen and displays matches from your phone’s application list, contacts, bookmarks, and, if enabled, your music library. Then you draw the next letter to narrow your results further.
As you can see, a letter that can pass as either an H or an A will match both. You can’t be a slowpoke while you swipe, either: Gesture Search can recognize letters that involve more than one stroke–like a T–if they’re timed correctly. That is, don’t wait too long to cross your T, or Gesture Search will think it’s an I. (Hint: If you’re consistently not fast enough, in the app’s settings set “Writing Speed” to “Slow.”)
If you want to delete a letter, you can: to backspace, in the footer, just draw a line from right to left as if you were pushing the delete key back. Then you can re-enter the character.
Gesture Search is available for Android 2.0+ only. Search for it in the Market, or scan the QR Code below with your Android device to install it.
Tags: Android, computing, Google Inc., Google Labs, Input/Output, Mobile software, Smartphones, Technology/Internet, Touchscreen Posted in OpenSource Software, Web Development | 2 Comments »
Tuesday, October 20th, 2009
The world of data storage is up for a massive shift. A whole new breed of scalable data stores is gaining popularity, and at a pace too fast for traditional databases to recoil from and grapple with. I am afraid to say it, but they are starting to look like a thing of the past. The whole data tier is being shaken up as Memcached appears right next to MySQL. While some might see it as a move away from MySQL and PostgreSQL, the traditional open source relational data stores, it’s actually a higher-level change. Much of this change is the result of a few revelations.
A relational database isn’t always the right model or system for every piece of data. Relational databases are tricky to scale (especially if you start with a single monolithic configuration; they aren’t distributed by design), and when it comes to performance, normalization hurts.
The new data stores vary quite a bit in their specific features, but in general they draw from a similar set of high-level characteristics. Not all of them meet all of these, of course, but just looking at the list gives you a sense of what they’re trying to accomplish.
- de-normalized, often schema-free, document storage
- key/value based, supporting lookups by key
- horizontal scaling
- built in replication
- HTTP/REST or easy to program APIs
- support for MapReduce style programming
- Eventually Consistent
And I could probably list another half a dozen qualities that many of them share too. But to me, the first two are the biggest departure from the traditional RDBMS. Of course, you can stick with MySQL and go non-relational.
The movement to these distributed schema-free data stores has begun to use the name NoSQL. You can find the overview of some of the implementations by GeekTantra here.
Tags: Cross-platform software, Database, Database management systems, Databases, Memcached, MySQL, NoSQL, PostgreSQL, RDBMS, Relational database, SQL, Technology/Internet Posted in Database | 6 Comments »
Sunday, October 18th, 2009
SQL injection is a technique in which code is injected to exploit a security vulnerability in the application layer that talks to the database. It is a common attack on login-based websites. It mostly occurs when user input is incorrectly filtered, or because of incorrect type handling.
» Incorrectly filtered user input
This attack is possible when user input is passed into an SQL statement without being checked for escape characters. The resulting statement then differs from what the programmer intended, revealing much more data or allowing access to parts of the database that were not supposed to be exposed.
Eg: The following line of code takes the user input (username and password), builds the query from it and then executes it.
```
"SELECT * FROM users WHERE username='" + username + "' AND password='" + password + "'"
```
However, this query is vulnerable to SQL injection when the username variable is set to a' or 'a'='a and the password variable to a' or 'a'='a.
The query then grants access because the 'a'='a' part makes the WHERE clause always true.
While most SQL server implementations allow multiple statements to be executed with one call, some SQL APIs such as php’s mysql_query do not allow this for security reasons. This prevents hackers from injecting entirely separate queries, but doesn’t stop them from modifying queries.
Eg: The previous query can be modified and made more dangerous by changing the input to
```
a';DROP TABLE users; SELECT * FROM data WHERE 'a' = 'a
```
» Incorrect type handling
The application is vulnerable to this kind of attack when a user-supplied input field is not strongly type-checked.
Eg: In the statement
```
"SELECT * FROM data WHERE id = " + a_variable + ";"
```
a_variable can be replaced by 1;DROP TABLE users, thereby deleting the table.
» Preventing SQL injection
- Use Double Quotes: Replace all the single quotes in your users’ input with double quotes. This simple precaution goes a long way towards warding off SQL injection attacks. Single quotes often terminate SQL expressions and give the input more power than is necessary; replacing them with double quotes will cause many SQL injection attacks to fail.
- Validate All Input: Before using user input in an SQL query, validate it: numbers should be validated as numbers, strings as strings, and so on. This prevents the user from passing code through to the database.
- Never Connect with the Administrator Account: The user the script connects to the database as should have the least privileges necessary, so that it cannot reach all of the database’s functionality.
- Use the latest versions: Always use the latest versions of your interpreters and software, such as PHP 5 and .NET 2 or 3 (aspx). There, most SQL injection does not work because every single and double quote given as user input is replaced by an escape character followed by the quote (i.e. ' is replaced by \' and " is replaced by \"), preventing the injection. However, ASP, older versions of PHP and the JDBC API are vulnerable to it.
- Use parameterized statements: parameterized statements are available on most platforms.
- In JDBC:
```java
PreparedStatement prep = conn.prepareStatement("SELECT * FROM USERS WHERE USERNAME=? AND PASSWORD=?");
prep.setString(1, username);
prep.setString(2, password);
ResultSet rs = prep.executeQuery();
```
- In C#:
```csharp
using (SqlCommand myCommand = new SqlCommand(
    "SELECT * FROM USERS WHERE USERNAME=@username AND PASSWORD=HASHBYTES('SHA1', @password)",
    myConnection))
{
    myCommand.Parameters.AddWithValue("@username", user);
    myCommand.Parameters.AddWithValue("@password", pass);
    myConnection.Open();
    SqlDataReader myReader = myCommand.ExecuteReader();
    // ...
}
```
- In PHP version 5 and above:
```php
$db = new PDO('pgsql:dbname=database');
$stmt = $db->prepare("SELECT priv FROM testUsers WHERE username=:username AND password=:password");
$stmt->bindParam(':username', $user);
$stmt->bindParam(':password', $pass);
$stmt->execute();
```
- In ColdFusion:
```cfml
<cfquery name="Recordset1" datasource="cafetownsend">
SELECT *
FROM COMMENTS
WHERE COMMENT_ID =<cfqueryparam value="#URL.COMMENT_ID#" cfsqltype="cf_sql_numeric"></cfqueryparam>
</cfquery>
```
- Enforcement at the coding level: Using object-relational mapping (ORM) libraries avoids the need to write SQL code by hand. The ORM library in effect generates parameterized SQL statements from object-oriented code.
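To tie the three parts of this post together, here is an added example in Python (not from the original post) that runs the vulnerable login query and the unchecked numeric id query from above against a constructed in-memory SQLite table, then runs the parameterized and type-checked versions beside them. The table contents, the function names and the choice of SQLite’s execute() (which, like php’s mysql_query, accepts only one statement per call) are mine for illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite table with two accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db


# -- Incorrectly filtered input -------------------------------------------------

def login_vulnerable(db, username, password):
    """The post's first query: user input is concatenated straight into the SQL."""
    sql = ("SELECT * FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    return db.execute(sql).fetchall()


def login_parameterized(db, username, password):
    """Same query with bound parameters: the input is data, never SQL syntax."""
    return db.execute("SELECT * FROM users WHERE username=? AND password=?",
                      (username, password)).fetchall()


# -- Incorrect type handling ------------------------------------------------------

def fetch_by_id_vulnerable(db, a_variable):
    """The post's second query: a string from the request is pasted in unchecked."""
    return db.execute("SELECT * FROM users WHERE id = " + a_variable + ";").fetchall()


def fetch_by_id_checked(db, a_variable):
    """Validate the type first (int() raises ValueError on anything but digits),
    then bind the value."""
    row_id = int(a_variable)
    return db.execute("SELECT * FROM users WHERE id = ?", (row_id,)).fetchall()


def stacked_query_blocked(db):
    """True if the driver refuses the stacked 'DROP TABLE' input from the post.
    Python's sqlite3 raises Warning (older versions) or ProgrammingError (newer)
    when execute() is handed more than one statement."""
    try:
        fetch_by_id_vulnerable(db, "1;DROP TABLE users")
    except (sqlite3.Warning, sqlite3.Error):
        return True
    return False


def id_input_rejected(db, a_variable):
    """True if the type-checked lookup rejects the input before any SQL runs."""
    try:
        fetch_by_id_checked(db, a_variable)
    except ValueError:
        return True
    return False


def demo():
    db = make_db()
    tautology = "a' or 'a'='a"
    return {
        "vulnerable_login_rows": len(login_vulnerable(db, tautology, tautology)),
        "parameterized_login_rows": len(login_parameterized(db, tautology, tautology)),
        "vulnerable_id_rows": len(fetch_by_id_vulnerable(db, "1 OR 1=1")),
        "checked_id_rejected": id_input_rejected(db, "1 OR 1=1"),
        "stacked_query_blocked": stacked_query_blocked(db),
        "users_left": db.execute("SELECT count(*) FROM users").fetchone()[0],
    }


if __name__ == "__main__":
    print(demo())
```

Two things stand out when this runs. The single-statement API does block the stacked DROP TABLE, exactly as the post says of mysql_query, yet the tautology still returns every row from both string-built queries, so refusing multiple statements is no substitute for binding parameters and validating types. The parameterized login returns nothing for the same input, and the type-checked lookup never reaches the database at all.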
Tags: Best Practices, Code injection, Computer security, Data management, Databases, Microsoft SQL Server, php, Query languages, SQL, SQL injection, Technology/Internet Posted in Database | 11 Comments »