Hacked
A few weeks ago I had to fend off a hacker. Some of the database statements
I created for another website were susceptible to SQL injection. That is, I built
the statements like this:
    // Values are concatenated straight into the SQL text, so anything that
    // ends up in the string becomes part of the statement itself.
    string query = "select name, email, comment " +
                   "from blogs where postdate >= " + DateTime.Now.AddDays(-15);
This is not good, because a hacker can place something like:

    ' or 1=1

into the query value and get all the data instead of only what the constraint
was meant to allow. This is an even bigger problem with login and password functionality.
If you have a query formatted like the above that checks the user id and
password with a simple where clause, then your system is open to the simplest
attack known to man.
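As an added illustration that is not the post's own code, here is the same mistake next to the standard fix, a parameterized query, in Python against an in-memory SQLite table constructed for the example. The post does not say how the author fixed his site, so this shows the usual remedy, not his.

```python
import sqlite3


def make_db():
    # Constructed sample data: one user in an in-memory database so this runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (userid text, password text)")
    conn.execute("insert into users values ('alice', 's3cret')")
    conn.commit()
    return conn


def login_concatenated(conn, userid, password):
    # Vulnerable: the input is pasted into the SQL text, the same mistake as the
    # C# string concatenation above. A quote in the input ends the literal.
    query = ("select userid from users where userid = '" + userid +
             "' and password = '" + password + "'")
    return conn.execute(query).fetchone()


def login_parameterized(conn, userid, password):
    # Fixed: placeholders send the values to the driver separately from the SQL
    # text, so a quote in the input is just a character in the compared string.
    query = "select userid from users where userid = ? and password = ?"
    return conn.execute(query, (userid, password)).fetchone()


def demo():
    conn = make_db()
    payload = "' or 1=1 --"  # the kind of value the post describes; -- comments out the rest
    return {
        "concat_valid": login_concatenated(conn, "alice", "s3cret"),
        "concat_payload": login_concatenated(conn, "x", payload),
        "param_valid": login_parameterized(conn, "alice", "s3cret"),
        "param_payload": login_parameterized(conn, "x", payload),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(name, row)
```

With the concatenated version the bogus password still returns alice's row; with the parameterized version it returns nothing. In ADO.NET the equivalent is adding values through SqlCommand.Parameters rather than building the string.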

But anyway, I fixed the problem. I won't share what I did because it
could open other holes, so just know that I am watching, on the ball, and the problem
is fixed. This is NOT a challenge, leave my website alone.
And recently another attack happened on this website. I have a feedback
form with limited validation, so really anyone can put anything into the fields and
submit, and others will see the entered data. What someone, or several people, did was put
other web addresses or JavaScript into the comment form, which either redirected the
visitor or presented them with some advertisement. So I fixed that one using the
RegularExpressionValidator server control. You can still put in web addresses;
however, no links or special characters are allowed.

I still enjoy getting comments, please continue and keep learning...

The tools below represent some of the restrictions I have placed on the website
due to hackers.

| Download the source |