Simple SQL Injection

SQL Injection is a technique used to exploit security holes in a system using SQLs such as MySQL. This kind of security hole usually occurs when a programmer doesn’t filter quotes or other meta-characters properly. The following code is an example of a such a vulnerability.

if(mysql_query("SELECT * FROM member_tables WHERE id = '".$login_id."' and password = '".$password."'")){
[...code for login...]
}

If quotes aren’t stripped from the variables $login_id or $password, a malicious user can inject SQL functions. They could login as the first user, in most cases the administrator, by typing in something like this into either of the two variables:

s' or 1=1 --

The one line can be catastrophic to a website’s security. If the quote isn’t filtered, the script will read the code like this

if(mysql_query("SELECT * FROM member_tables WHERE id = 's' or 1=1 --' and password = '[password]‘)){
[...code for login...]
}

The or statement makes it so even if only one condition matches, it will return a true value and execute the script. Since 1=1 is always true, the script will launch no matter what. The rest of the SQL statements are commented out by the two dashes (–). Is this the end? Nope.. If the security of the site is so weak, some one could easily delete all the members from the database. It’s just like the one above, but you add a bit of code and do a bit of guesswork.

s' or 1=1;DROP TABLE member_table; --

This would render this in the script

if(mysql_query("SELECT * FROM member_tables WHERE id = 's' or 1=1;DROP TABLES member_table; -- --' and password = '[password]‘)){
[...code for login...]
}

That just deletes the table. End, unless you have backup.

As devastating as this can be, it’s also very simple to prevent. You simply escape or remove quotes from a query using a built in function. In the case of PHP, the addslashes() function does the trick. So, the script above should be fixed to

$login_id = addslashes($login_id);
$password = addslashes($password);
if(mysql_query("SELECT * FROM member_tables WHERE id = '".$login_id."' and password = '".$password."'")){
[...code for login...]
}

This function adds backslashes (\) before metacharacters which lets the character be treated as just a string and not a special one that affects the acting of the query.

No Comments
April 27, 2009 by K Park in Security, The Internet
Tagged , , ,

Web Standards

It has been a while since I started to follow web standards and started cross-browser coding (not to be confused to cross-site scripting). I became aware of the importance when I saw the immense number of visitors using Firefox and IE Explorer along with other browsers like Safari and Opera. I even got visitor using the Play Station 3 browser. I figured I couldn’t just ignore people using browsers my site didn’t support, so I learned about the W3C Recommendations and basic cross-browser scripting. I stopped using IE specific functions and properties. A book that helped me is SAMS Teach Yourself JavaScript in 24 Hours. It’s up-to-date and includes information on cross-browser scripting and web standards.

The first step of following web standards is reading the W3C XHTML recommendations. I suggest using the XHTML Transitional DTD since the Strict DTD is literally strict. A DTD is a Document Type Definition and it basically defines the regulations of web standards and is used to validate your XHTML code. Then you can start validation your websites using the W3C Validator to check whether the document is valid in the DTD you chose.

The second step is to learn how to code your JavasScript to work in all browsers. JavaScript can be scripted to be cross-browser multiple ways, but the most widely used method is by using the try and catch method. The following is an example of a cross-browser AJAX object initialization.

try{
  // Firefox, Opera 8.0+, Safari, IE7
  ajaxReq = new XMLHttpRequest();
  }catch(error){
    // IE5, IE6
    try{
      ajaxReq = new ActiveXObject("Msxml2.XMLHTTP");
      }catch(error){
        try{
          ajaxReq = new ActiveXObject("Microsoft.XMLHTTP");
          }catch(error){
            return false;
          }
        }
      }
    }
  }
}

This script tries a method and if an error occurs it detects it and executes the code within the catch expression. There can be a try expression within a catch expression and thus a cross-browser script can be coded this way.

To successfully code in cross-browser format, you should learn what functions or properties are IE or Firefox specific and avoid using them. Web standards are cross-browser coding are becoming more important by the second, so it iss to your benefit to get used to them as apply them when you’re coding.

No Comments
April 27, 2009 by K Park in The Internet, Web Development
Tagged , , , ,

Crazy Windows with JavaScript

Ever seen a browser window shake like crazy? Well here’s a script for it. You can start annoying all your friends with this simple yet crazy script.

This very simple code can shake browser windows, possible driving people crazy. It tends to stop on Internet Explorer (I have not tested it on Internet Explorer 8) if you click on another window, but it works nicely on Firefox and other standard compliant browsers.

<script type="text/javascript">
function lol(){
 self.moveTo(Math.random()*100,Math.random()*100);
 window.setTimeout("lol()",50);
}
window.setTimeout("lol()",50);
</script>

This code first defines a function called lol() which contains the self object connected to the moveTo() function. The notation is:

moveTo([distance from left],[distance from top])

The example above generates a random string which is between 0 and 1(like 0.5487732…) using the random() function of the Math object and multiplies it by 500 to make a number that’ll move the window enough.

We then have the setTimeout() function. The notation of this one is:

setTimeout("[function]“,[time(in milliseconds)])

So, in this case, the position of the window changes every 50 milliseconds. You can adjust this to make it faster or slower.

Have fun!

Preview the example (press alt+f4 to close)

No Comments
April 20, 2009 by K Park in Tutorials
Tagged , ,

FLV Downloader Tips

The FLV video downloader I designed was written in PHP and some Javascript on the client side. So you’ll need to know a bit of PHP to understand how this works. It’s actually very simple, all you do is get the source from YouTube and then parse it so only the address of the .flv file is left. The following script locates the download URL and returns it. This is the core to any downloader (it’s the same concept for even Google Video downloaders and so on).

<?php
function get_video_url($id){
  $url = "http://youtube.com/watch?v=".$id;
  if ($contents = @file_get_contents($url)) {
    if (preg_match('/video_id=\S+&.+&t=.+&f/i', $contents, $match)) {
    $vars = $match[0];
$url = “http://www.youtube.com/get_video?”.$vars;
return $url;
}
}
}
?>

Line by Line Analysis

This line by line analysis of the code above should help you understand the script better.

function get_video_url($id){

This line declares a function (a repetitively usable operation) called get_video_url() so we can use it easily and efficiently. The $id is the video id from YouTube and would be a submitted value, something like FzRH3iTQPrk.

$url = "http://youtube.com/watch?v=".$id;

This line stores the youtube url will the video id in the variable $url.

if ($contents = @file_get_contents($url)) {

This line of code stored the HTML code of the YouTube page ($url) by using the file_get_contents()
function (note that some hosting services may have disabled the function). The line below it will only be executed if $contents is not empty since the if() operator is controlling it.

if (preg_match('/video_id=\S+&.+&t=.+&f/i', $contents, $match)) {

This is the core of the whole thing. It finds the required
information to get the video URL from the source code by searching the HTML code with regular expressions using the preg_match() function. This function uses regular expressions to find patterns in a variable (in this case $html) and puts the results as arrays into another variabe (in this case $match).

$vars = $match[0];

This line stores the needed information from the array $match[0] (which is the first item) into the $vars variable.

$url = "http://www.youtube.com/get_video?".$vars;

This line finally puts the information together to get the full video URL. It’s quite simple, it’s just combining the found information and http://www.youtube.com/get_video together.

return $url;

This line just returns the $url variable so we can use it later. The function can then be used by doing something like this:

echo get_video_url($url);

The rest is just closing the function and the if() operator. Try to look the function up in the PHP manual (they’re linked above).

Tips

If you want to make a downloader for other sites, try using this method:

  1. Get the firefox plugin: tamper data
  2. Go to the site with tamper data open and see what requests come in.
  3. Look for an xml page or an flv file.
  4. Look for a pattern and see how you could automate this.
  5. Write a script for it.
No Comments
April 19, 2009 by K Park in Tutorials
Tagged , , ,