Windows Web Hosting, Web Technologies, etc
Archive for October, 2006
SQL Injection Attacks
Oct 6th
If you write any kind of script on the Internet, be it ASP, ASP.net, PHP, Perl, Ruby, Python, or anything else that accesses a database, then you should be aware of SQL injection attacks.
This post references two other blogs. The first is the great Scott Guthrie’s blog (best damn blog on ASP.net on the Internet) and his post on Guarding Against SQL Injection attacks.
The second is Scott’s inspiration for his article, Michael Sutton’s blog and his work to see just how bad SQL injection is on the Internet. Michael did a quick Google search, sampled something like 1000 websites, and found that 11% of them were vulnerable to SQL injection.
Both blogs do an excellent job detailing SQL injection and providing links and references on how to fix your code and where to get more information on good coding security.
My addition to all this is Secunia.com. Secunia.com provides a database of open and closed vulnerabilities for various applications and operating systems. Everything from Cisco to Windows is included there.
I get a constant stream of email updates from Secunia.com, and each day I get at least one email with either a SQL Injection or Cross Site Scripting vulnerability being listed, so I know firsthand just how widespread the problem really is. I did a quick search on their database for SQL Injection and it found 1288 applications that either had or have a SQL injection vulnerability. Folks, SQL Injection is a huge issue.
If you’re going to purchase a web application or install any sort of web application (phpBB, osCommerce, Storefront, aspdotnetstorefront, you name it), I recommend you search Secunia’s database first.
links for 2006-10-06
Oct 6th
links for 2006-10-04
Oct 4th
Read that EULA & PUR! That’s what I learned today!
Oct 3rd
I recently posted a blog entry about my ‘informal’ apples-to-oranges comparison of the different virtualization platforms available for Windows. Apparently I didn’t spell it out clearly enough that things were not on a level playing field. Well, guys, I did it. I went and pissed off Bob. Sorry, Bob.
But Bob taught me a couple lessons:
First, don’t post half a**ed comparisons without coming out and telling everyone they are half a**ed comparisons and making it blatantly obvious they are half a**ed. I thought I described the different hardware that I had available at the time and mentioned that I had a brand new server on the way to do a real benchmark. He’s 100% correct though, so I’m saying it here: Guys, my benchmark from 10/1 is half-assed! There, I said it. (But you can bet your a** I’m going to be very thorough in my next test, using the same exact machine, all running only ONE virtual instance!)
Second, read the EULAs & PURs! (that’s End User License Agreement and Product Use Rights) before you go doing something stupid like creating a half a**ed comparison and posting your results on the Internet. So basically, don’t just click “I Agree” and run off installing that application.
So here’s what I learned:
1. VMware’s EULA states:
You may use the Software to conduct internal performance testing and benchmarking studies, the results of which you (and not unauthorized third parties) may publish or publicly disseminate; provided that VMware has reviewed and approved of the methodology, assumptions and other parameters of the study. Please contact VMware at benchmark@VMware.com to request such review.
Okay, so I can share my results with others, I just can’t publish them or make them publicly available. Seems like privately sharing my results is okay though?
2. Microsoft’s Product Use Rights (a 66-page Word doc of legalese) says:
i. Software. You must obtain Microsoft