SQL Injection attacks by Store Procedure

Aug 27

posted by Pyae Phyoe Shein in CF Function, Coldfusion, CF Tag, MsSql | 3 Comments Bookmark and Share

I was in dilemma in these days because our website has been attacked by SQL Injection Attacks by the way of using store procedure command in URL variable. Finally, I can prevent this one cannot attack to our site by using like that anymore. The one use following store procedure command the after "?" of your website URL.

view plain print about
1DECLARE @S NVARCHAR(4000)
2    SET @S=CAST(0x4400450043004C00 ... 6F007200 AS NVARCHAR(4000))
3    EXEC(@S)
4    
5    DECLARE @S VARCHAR(4000)
6    SET @S=CAST(0x4445434C41524520 ... 736F7220 AS VARCHAR(4000))
7    EXEC(@S)
8
9    DECLARE @S CHAR(4000)
10    SET @S=CAST(0x4445434C41524520 ... 736F7220 AS CHAR(4000))
11    EXEC(@S)

The above three variants have been injected through an HTTP GET: Decoding the binary string to its textual form reveals the T-SQL script below, which has been slightly formatted and edited for purposes of clarity. For those who are not proficient in the syntax, the script simply creates a cursor through which it browses for all columns of certain data types (textual) in all user-defined tables underlying the database. Next, the T-SQL script affixes a JavaScript reference (to the malicious script) to the current values contained in each such column.

[More]

This entry was posted on August 27, 2010 at 6:32 AM and has received 1135 views. There are currently 3 comments. Print this entry.

Make simple DOS attach with ASP.NET

Aug 27

posted by Pyae Phyoe Shein in Project | 0 Comments Bookmark and Share

I've describe how to make simple DOS attack with Asp.Net. My purpose of writing this thread isn't to annoy web administrator. My point is how to prevent Dos attack and how to abort Dos attack for our website.

view plain print about
1for( int i = 0; i < 100000; i ++ )
2 {
3     WebClient client = new WebClient();
4     client.DownloadString("http://www.mysite.com");
5 }

This entry was posted on August 27, 2010 at 6:32 AM and has received 612 views. There are currently 0 comments. Print this entry.

Prevent spontaneously attempted login attack

Aug 27

posted by Pyae Phyoe Shein in CF Function, Coldfusion, CF Tag | 0 Comments Bookmark and Share

Sometimes, most of our websites have been attacked by spontaneously attempted login attack by bots. That's why we gotta prevent anyone cannot do like that in our web application. Fortunately, it's very simple to do in ColdFusion. Here is coding...

view plain print about
1<cfif session.FailedLogin GT 3>
2    <cfabort message="Please contact website administrator.">
3</cfif>
4<cfif loginsuccessfully ....>
5    Write your code here
6<cfelse>
7    <cfparam name="session.FailedLogin" default="0">
8    <cfset session.FailedLogin = session.FailedLogin + 1>
9    <cfabort message="Invalid Username and password">
10</cfif>

This entry was posted on August 27, 2010 at 6:32 AM and has received 496 views. There are currently 0 comments. Print this entry.

Planet Wedding 2008

Aug 27

posted by Pyae Phyoe Shein in Project, Coldfusion | 0 Comments Bookmark and Share

Planet Myanmar is going to launch Wedding 2008 section. But, this section is under construction and not launched officially yet. Like old sections, it has Songs section, Articles sections, Blog sections, Guide sections and so on. You can write your own articles and blogs in this page.

Planet Wedding 2008

This entry was posted on August 27, 2010 at 6:32 AM and has received 454 views. There are currently 0 comments. Print this entry.

Image Navigation with javascript

Aug 27

posted by Pyae Phyoe Shein in Project, Javascript | 1 Comments Bookmark and Share

New featured section called Planet Wedding 2008 has Image gallery section. As I told in previous posts, I've created such new featured section with database less theory. For image gallery, I gotta set image navigation button such as next | previous. Database less theory, it's too hard to put this navigation link in this section.

Fortunately, I've an idea to create this with javascript. It's neither quite simple nor complicated. Here is javascript coding.

Put following code in JS file.

view plain print about
1which_image_loaded = 0;
2NUMBER_OF_IMAGES = 8; //number of your image
3
4ImageNames = new Object();
5ImageNames.length = NUMBER_OF_IMAGES - 1;
6
7for (counter = 0; counter < NUMBER_OF_IMAGES; counter++)
8{
9file_number = counter + 1;
10filename = ("[your_directory_path]" + file_number + ".jpg");
11ImageNames[counter] = filename;
12}
13
14function changeImage(direction)
15{
16which_image_loaded += direction;
17if (which_image_loaded < 0)
18{
19which_image_loaded = NUMBER_OF_IMAGES - 1;
20}
21
22if (which_image_loaded == NUMBER_OF_IMAGES)
23{
24which_image_loaded = 0;
25}
26
27if (document.images)
28{
29document.SlideShow.src = ImageNames[which_image_loaded];
30}
31
32}
Put following code in your HTML file.
view plain print about
1<div><img src="thumbnail/1.jpg" name="SlideShow" border="0"></div>
2<div><a href="javascript:changeImage(-1)">Previous Image</a> | <a href="javascript:changeImage(1)">Next Image</a></div>

If you want to use this coding, you must do these two following instruction- The file name of images must be numeric and order format like (1.jpg, 2.jpg, 3.jpg, 4.jpg....). All of images must be in the same directory of the same folder.

This entry was posted on August 27, 2010 at 6:32 AM and has received 890 views. There are currently 1 comments. Print this entry.

Parse XML with ColdFusion

Aug 27

posted by Pyae Phyoe Shein in CF Function, Coldfusion, CF Tag | 0 Comments Bookmark and Share

We're now doing project with different language, VB6 and CFMX7. One part of our projects, we need to send our data each other without uploading database files. That's why we need to consider about exporting and importing XML files. In CFMX7, reading XML isn't kinda complicated. Here is coding...

view plain print about
1<cffile action="read" file="myfile.xml" variable="XMLFileText" charset="UTF-8">
2<cfset MyXMLDoc = xmlParse(XMLFileText)>
3<cfset MyXMLNodes = xmlSearch(MyXMLDoc,'/Values/Comment')>
4<cfloop from="1" to="#arraylen(MyXMLNodes)#" index="i">
5    <cfset GetXMLNodes = xmlparse(MyXMLNodes[i])>
6    <cfset ID = GetXMLNodes.Comment.CommentID.xmlText>
7    <cfset type = GetXMLNodes.Comment.CommentType.xmlText>
8    <cfset message = GetXMLNodes.Comment.CommentMessage.xmlText>
9</cfloop>

This entry was posted on August 27, 2010 at 6:32 AM and has received 1657 views. There are currently 0 comments. Print this entry.

Planet Thingyan

Aug 27

posted by Pyae Phyoe Shein in Project, Coldfusion | 0 Comments Bookmark and Share

I've recently created Thingyan 2009 at Planet Website. It's just featured page as Planet Style.

Thingyan

This entry was posted on August 27, 2010 at 6:32 AM and has received 604 views. There are currently 0 comments. Print this entry.

Upload files with jQuery, Ajax and PHP.

Aug 27

posted by Pyae Phyoe Shein in PHP, jQuery, Ajax, Javascript | 0 Comments Bookmark and Share

In these days jQuery and Ajax are so popular in web development. One of my clients told me that, they want to upload multiple files without clicking button. That's why I have had an idea to integrate jQuery, Ajax and PHP.

Download jQuery Here

Download ajax jQuery plugin

Create Upload Button like

view plain print about
1<div id="upload_button">Upload</div>

Write following simple coding in your upload form

view plain print about
1// You must create it only after the DOM is ready for manipulations
2// Use $(document).ready for jquery
3// document.observe("dom:loaded" for prototype
4new AjaxUpload('upload_button_id', {action: 'upload.php'});
Configure at Ajax Upload
view plain print about
1new AjaxUpload('#upload_button_id', {
2 // Location of the server-side upload script
3 action: 'upload.php',
4 // File upload name
5 name: 'userfile',
6 // Additional data to send
7 data: {
8 example_key1 : 'example_value',
9 example_key2 : 'example_value2'
10 },
11 // Submit file after selection
12 autoSubmit: true,
13 // The type of data that you're expecting back from the server.
14 // Html (text) and xml are detected automatically.
15 // Only useful when you are using json data as a response.
16 // Set to "json" in that case.
17 responseType: false,
18 // Fired after the file is selected
19 // Useful when autoSubmit is disabled
20 // You can return false to cancel upload
21 // @param file basename of uploaded file
22 // @param extension of that file
23 onChange: function(file, extension){},
24 // Fired before the file is uploaded
25 // You can return false to cancel upload
26 // @param file basename of uploaded file
27 // @param extension of that file
28 onSubmit: function(file, extension) {},
29 // Fired when file upload is completed
30 // WARNING! DO NOT USE "FALSE" STRING AS A RESPONSE!
31 // @param file basename of uploaded file
32 // @param response server response
33 onComplete: function(file, response) {}
34});

Add following coding in your upload form

view plain print about
1//You can use these methods, to configure AJAX Upload later.
2var upload = new AjaxUpload('#div_id', 1, {action: 'upload.php'});
3//For example when user selects something, set some data
4upload.setData({'example_key': 'value'});
5
6//Or you can use these methods directly inside event function
7new AjaxUpload('div_id', 1, {
8action: 'upload.php', 1,
9onSubmit: function() {
10// allow only 1 upload
11this.disable();
12}
13});
14});

Here is server-side script, upload.php

view plain print about
1move_uploaded_file($_FILES["file"]["tmp_name"],
2"upload/" . $_FILES["file"]["name"]);

Best Credit To : http://valums.com/ajax-upload

This entry was posted on August 27, 2010 at 6:32 AM and has received 1186 views. There are currently 0 comments. Print this entry.

Electronic Press Scrutiny & Registeration System

Aug 27

posted by Pyae Phyoe Shein in Project, Coldfusion, MsSql | 0 Comments Bookmark and Share

EPSR

This website called "Electronic Press Scrutiny & Registeration System" is just for Myanmar Press Scrutiny & Registeration System. It's just offline program. This program supports our clients to send their publications step by step through this program and comment to these.

Systems :

IIS, CFMX, SQL 2005

This entry was posted on August 27, 2010 at 6:32 AM and has received 509 views. There are currently 0 comments. Print this entry.

PHP Demo project

Aug 27

posted by Pyae Phyoe Shein in PHP, Project | 0 Comments Bookmark and Share

One of my friends gave a chance to me to do outsource PHP project for one training center. Her client want to advertise their trainings, their products and their news through internet. It's simple project but their main point is use can know on the fly the total price of computer once he/she choose each device. It's create by ajax.

Main website :  http://ppshein.freehostia.com/

Compare price : http://ppshein.freehostia.com/compare.php

This entry was posted on August 27, 2010 at 6:32 AM and has received 1335 views. There are currently 0 comments. Print this entry.

Top of Page