How to find + stop SQL injection attacks
Filed under: .NET, Classic ASP, Hosting, IIS 6.0, Programming 101, SQL Server
There’s a lot of stuff out there about SQL injection attacks, but there’s not much that will help you figure out how to stop these attacks from occurring.
First, let’s talk about what a SQL injection attack really is. Some people think it’s a virus of sorts that is “inside your site.” Not the case. These are automated attacks run by bots, typically from other virus-infected computers. They simply brute-force scan for URLs that take POST/GET inputs and attempt to send their own SQL in those inputs.
So, how do you track these down and stop them? For web sites powered by Microsoft’s IIS, here are our suggestions:
- Look at your IIS logs
Try searching for the words “DECLARE” or “EXECUTE.” If you’ve been hit by an attack, these will more than likely show up in your IIS logs, at least for attacks sent as GET requests (IIS logs the query string, but not the body of a POST). Any page whose log entries contain “DECLARE” or “EXECUTE” is the page to start with.
- Use centralized database connection handling
Simple: make a centralized file (e.g. connection.asp if you are using ASP) that handles all of your DB access. This way it’s easier to make sure that you are SQL-encoding your pages, and you can search the incoming queries for “DECLARE” and “EXECUTE” in one place and stop the attacks dead in their tracks.
- Implement a site-wide solution
If you are running your own server, we highly recommend ISAPI_Rewrite from HeliconTech (http://www.helicontech.com/isapi_rewrite). This is an ISAPI filter that allows you to do a variety of things, including scanning URL data. This will stop 99% of attacks without changing ANY code on your site!
- Never use “sa” as your database user
Create a dedicated user for the database you’re working with and then remove its privileges to read the master database. This prevents the attacker from “sniffing” your database structure. However, these attacks have evolved so that attacks carried out through stored procedures succeed even with these types of security in place. See http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf for more information on this and other ideas for preventing SQL injection attacks.
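As an added illustration of the first tip (this is not code from the original post), here is a small Python scanner that reads an IIS W3C log, URL-decodes each query string and reports which pages received requests containing DECLARE or EXEC/EXECUTE. The log excerpt is constructed, and the column layout is taken from the log’s own #Fields header rather than assumed.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed IIS 6.0 W3C log excerpt (not a real capture). The #Fields header
# names the columns, so cs-uri-stem and cs-uri-query are located by name.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2008-05-01 10:00:01 10.0.0.5 GET /products.asp id=12 80 198.51.100.7 200
2008-05-01 10:00:02 10.0.0.5 GET /products.asp id=12;DECLARE%20@s%20varchar(100) 80 198.51.100.7 500
2008-05-01 10:00:03 10.0.0.5 GET /news.asp - 80 198.51.100.8 200
2008-05-01 10:00:04 10.0.0.5 GET /news.asp item=3%20exec%28@s%29 80 198.51.100.9 500
2008-05-01 10:00:05 10.0.0.5 GET /about.asp - 80 198.51.100.8 200
"""

# The keywords the post says to grep for, matched as whole words (EXEC and EXECUTE).
SUSPECT = re.compile(r"\b(DECLARE|EXEC(?:UTE)?)\b", re.IGNORECASE)


def decode_query(query: str) -> str:
    """URL-decode repeatedly so a double-encoded keyword (%2544 -> %44 -> D) is not missed."""
    for _ in range(3):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query


def scan_iis_log(text: str) -> Counter:
    """Count, per cs-uri-stem, the requests whose query string carries a suspect keyword."""
    fields = None
    hits = Counter()
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        cols = line.split(" ")
        if len(cols) != len(fields):
            continue  # malformed or truncated line: skip rather than guess
        row = dict(zip(fields, cols))
        query = row.get("cs-uri-query", "-")
        if query == "-":
            continue  # IIS writes '-' when the query string is empty
        if SUSPECT.search(decode_query(query)):
            hits[row["cs-uri-stem"]] += 1
    return hits
```

Because POST bodies are not written to the IIS log, a page that shows zero hits here may still have been attacked through a form; the log only tells you where to start.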
If you’ve ever been scratching your head wondering where the leak in your programming is (or have taken over a project from someone else) then the best way to determine through which page the attack happened is by checking out the IIS logs.
There are many scripts available to clean up, but the best tip is to back up hourly and to follow best practices (some of which I highlighted here). Good luck!
Easiest & Most comprehensive Mail Marketing tool
iContact’s main goal is to incorporate sophisticated features into a simple, easy-to-use and affordable package. Although many programs attempt to achieve this balance, iContact does so incredibly well.
Great User Interface
iContact is able to do this because of their great user interface, which allows new email marketers to hit the ground running with basic features, but also makes it simple for the more experienced to access the features they need. Either way, iContact has created an awesome product, which is why over 50,000 customers currently use iContact.
Basic Features You’ll Love
iContact makes it easy for new email marketers to get in the game quickly:
- Inexpensive: just under $10/month to start!
- Over 300 professionally designed email templates make your emails look professional
- Schedule your messages to be distributed in the future to help save time
- Their system automatically makes sure your emails won’t be flagged as SPAM, so your users will always get your emails.
- Track what your subscribers do with your emails, so you know how well your newsletters are being received.
- Event RSVP tracking
- Distribute surveys easily
Advanced Features You’ll Love
Professional email marketers also get everything they need to manage their bulk email lists:
- Quickly segment your email list to customize which subscriber types get certain emails
- Set-up autoresponders to help automate your email campaigns
- iContact maintains a detailed history of subscriber actions to help you customize your campaigns
- Design and upload your own email templates
- Unlimited number of email lists
Downside: iContact’s Support Hours
The only downside to iContact is the hours they are available to call. Support is not 24×7, but from 8am to 8pm EST. However, their support staff is very helpful, and many times you will find that it’s actually easier to use their online knowledge base, which has video demonstrations and step-by-step instructions to help you with everything you need.
iContact Pricing
With iContact’s pricing, you only pay for the amount of emails you are going to send, which means that you can start off with an inexpensive plan and pay more only when you know that your newsletter is successful. Plus, iContact is one of the most affordable email marketing providers available.
| Contacts | Monthly |
|---|---|
| 250 | $9.95 |
| 500 | $14.00 |
| 1000 | $19.00 |
| 2500 | $29.00 |
| 5000 | $47.00 |
| 10000 | $74.00 |
| 15000 | $109.00 |
| 25000 | $149.00 |
| 35000 | $239.00 |
| 50000 | $379.00 |
| 75000 | $529.00 |
| 100000 | $699.00 |
Is It Right For You?
Because of its features and ease of use, iContact is best for both new email marketers just getting started as well as advanced email marketers who have years of experience. However, if you are a Fortune 500 company or have an extremely large email list (over 100,000 subscribers), iContact probably isn’t right for you.
Basically, iContact has everything you will need to run successful email marketing campaigns.
Changing Table Ownership in SQL Server
Recently I had the unfortunate event of a live server being set up and used by only one user, which wasn’t dbo. Either the programmer didn’t know any better or… well… he was the village idiot… anyway, so… on with the code. Here is a simple T-SQL statement that will get and loop through all stored procedures, tables and views and update them to use dbo (or any other user you’d like):
```sql
DECLARE @tbl sysname

-- Every user table (U), view (V) and stored procedure (P) owned by olddbuser
DECLARE tblcur INSENSITIVE CURSOR FOR
    SELECT name
    FROM sysobjects
    WHERE xtype IN ('U', 'V', 'P')
      AND uid = user_id('olddbuser')

OPEN tblcur
WHILE 1 = 1
BEGIN
    FETCH tblcur INTO @tbl
    IF @@fetch_status < 0 BREAK
    -- sp_changeobjectowner expects the object qualified with its current owner
    SET @tbl = 'olddbuser.' + @tbl
    EXEC sp_changeobjectowner @tbl, 'dbo'
END
CLOSE tblcur
DEALLOCATE tblcur
```
Using openrowset to connect directly to another database without a linked server and execute a stored procedure
Filed under: General PC Stuff, MSMQ, Programming 101, SQL Server
```sql
-- Ad hoc connection: provider, then 'datasource';'user_id';'password', then the query to run remotely
SELECT *
FROM OPENROWSET('SQLOLEDB',
                'database_location';'username';'password',
                'SET FMTONLY OFF EXEC database.dbo.stored_Procedure') AS Whatever
```
The above piece of code is self-explanatory. I’ve only used this in SQL 2005 though, so if it doesn’t work on SQL 2000 don’t come crying to me.
Replace database_location with the IP/Destination of the server you’d like to connect to
Replace username/password with… well… do I really have to explain this?
Replace database with the catalog/database you’d like to query
Replace stored_Procedure with the stored procedure you’d like to execute
The “As Whatever” is necessary. You could name this anything you’d like.
I’ve used the above to query a database directly for data extraction/manipulation. You could go as far as to inner join this in your normal queries if you’re not doing an update/add cursor loop on this.
Enjoy. Took me a while to figure it out.
IP-to-Country lookup, for free and 95% accurate
One of my recent posts showed you how to convert an IP address to an IP number so you could do a lookup on a IP-to-Country database.
However, I’ve found the next best thing. Maxmind.com is one of the leaders in GeoIP location and sports a database that is more than 99% accurate. That’s the paid version. For my project though, I only needed to know the country, and had to be pretty accurate.
Welcome Maxmind’s free JavaScript addon API! 95% accurate and does what I want it to do.
```html
<script type="text/javascript" src="http://j.maxmind.com/app/country.js"></script>
<script type="text/javascript">
    // geoip_country_code() is defined by the external script loaded above;
    // a script element with a src attribute ignores any inline code, so the call goes in its own block
    var countryCode = geoip_country_code();
    alert(countryCode);
</script>
```
And that’s IT! You don’t have to host the database, you don’t have to do the number conversion yourself, and pretty much everything else is taken care of for you. The free service also includes city lookups! Include and enjoy!
Here’s the link to their site: http://www.maxmind.com/app/javascript_city
Looping through a 2-dimensional array with jQuery
I recently opened my eyes to the wonderful world of jQuery. *drifts off into a fantasy*
Here’s an example of how to loop through a 2-dimensional array using jQuery. Fun & Easy:
```javascript
var currencyTocountryName = [
    ['USD', 'U.S. Dollar (USD)', '$'],
    ['GBP', 'British Pound (GBP)', '£'],
    ['EUR', 'Euro (EUR)', '€'],
    ['AUD', 'Australian Dollar (AUD)', '$'],
    ['CAD', 'Canadian Dollar (CAD)', '$'],
    ['NZD', 'New Zealand Dollar (NZD)', '$']
];

// $.each passes the row index and the inner array for each row
$.each(currencyTocountryName, function (i, value) {
    alert(value[0]); // currency code
    alert(value[1]); // display name
});
```
As you can see it’s pretty straight forward. No need to have “i” be the place holder, a simple value[0] will get you the first value in the array. This must be the easiest implementation of a loop and array I’ve done in years. Sure, by now I can do a simple JavaScript loop in my sleep. But without thinking and a lot less code, jQuery allows me to leverage off that power. *Drifts off into a fantasy once again*
How to show only the time value in getdate()
I was busy messing around today and did the following I think some people will appreciate when I just wanted to compare the time of day and not the date:
```sql
-- Subtract the whole days since 1900-01-01 so only the time-of-day part remains
IF DATEADD(DAY, -DATEDIFF(DAY, 0, GETDATE()), GETDATE()) > '15:30:00.000'
BEGIN
    PRINT 'yay'
END
```
toLowerCase() not a function error
What I found most annoying was that IE handled this perfectly, but Firefox did not.
Here is what this “toLowerCase() not a function error” really means:
The object you’re trying to lowercase is NOT a string object. By using
```javascript
alert(typeof(object));
```
you can determine what type the JavaScript engine thinks the object is. A simple solution is:
```javascript
// toString() turns whatever the value is into a string, so toLowerCase() exists on the result
object.toString().toLowerCase();
```
I hope someone finds this information helpful as it took me several hours of research on the internet to come up with a clear concise and TO THE POINT answer of what it actually could be and in fact, was.
I wish all the know-it-alls would stop pretending they know anything about anything and just piss off of the internet.
Listing of all ports
I was trolling for information and thought that this website was very helpful. It lists all network ports used by Microsoft products. This is a handy reference for anyone setting up firewall rules or wanting to connect to specific ports using their own third-party software.
How to read a remote queue with System.Messaging
Seeing as this “feature” is undocumented (or seems to be) on MSDN, and most tutorials you’ll find out there read and write to private local queues, I thought I’d share how you’d write to or read from a remote queue using System.Messaging:
```csharp
// A direct format name addresses the remote host by TCP address, so no Active Directory lookup is needed.
// Verbatim string (@"...") keeps the backslashes literal.
msmqqueue.Path = @"FormatName:Direct=TCP:127.0.0.1\Private$\queuename";
```
I hope this information proves valuable for someone who might need it and can’t find any documentation anywhere else.