My “SQL Injection Attacks and Tips on How to Prevent Them” talk has been chosen for SQL Bits V held near Newport in Wales. It will be held during the FREE community day on Saturday 21st November.
Visual Studio / SQL Server install order on Windows 7
Quite a while ago I blogged about the Visual Studio / SQL Server install order on Windows Vista. I’m about to go through a similar exercise on Windows 7 and given the issues I had then I thought that it would be only right to document the procedure in case any problems arose.
Last time, it would seem, the best solution was to install things in the order in which Microsoft released them with the notable exception of the operating system. So this time, that is the strategy that I’m going to take. Windows 7 is already installed on my laptop. Then I’m going to install Visual Studio 2008, then SQL Server 2008, then any patches for either and we’ll see how we get on.
I’m also going to ensure that I do NOT install SQL Server Express Edition on Visual Studio 2008 as I’ve had problems with that before. Essentially, the problem last time was that the SQL Server installer mistook Visual Studio’s SQL Server Express installation has having installed certain things. The SQL Server installation therefore didn’t want to repeat what it didn’t need to so it refused to install the client tools.
Install Order
- Visual Studio 2008, excluding SQL Server 2005 Express Edition
- MSDN Library (This is optional – I installed it because I’m occasionally developing on the road with no or limited connectivity)
- Visual Studio 2008 Service Pack 1 (this is required in order to install SQL Server 2008 – the installation will fail otherwise)
- SQL Server 2008 Developer Edition
- Install SQL Server 2008 SP1
That’s it – Job done. And it only took me two attempts to get it right this time. My stumbling block here was the order in which I applied the service packs.
NMA – Top interactive agencies
This years New Media Age top interactive agencies list is out. I’m quite please to see that I work for a company that is doing very well in the list.
I work for Equator which is currently the top ranking agency in Scotland, and #41 in the UK.
The bit I’d like to point out, just to blow my own trumpet, is the last paragraph:
“Key hires include Scottish Developers chairman Colin McKay [sic] as senior developer…” – NMA
My First OpenRasta Project – Part 2 (Resource Templates)
To get started see part 1.
For this part the Invoice class has been expanded to include another property, you’ll see why in a moment. For now, it now looks like this:
public class Invoice
{
public string Reference { get; set; }
public DateTime Date { get; set; }
}
Up to this point we are just showing some simple XML based on one of the built in codecs that ship as part of OpenRasta. There is a single URI and it always returns the same thing. So far there is nothing much going on.
You can keep on adding resources to the ResourceSpace when you are configuring the site, but that is hardly a scalable solution when so many applications are based on dynamic data. You need a way to define a resource template.
The way this is done is by adding place holders into the URI. These placeholders are defined by a set of curly braces with a parameter name inside. This is a bit like the string.Format method, except you can use meaningful names instead of the ordinal position of the parameter.
The configuration of the ResourceSpace in the Configuration class is changed to:
ResourceSpace.Has.ResourcesOfType<Invoice>()
.AtUri("/invoice/{reference}")
.HandledBy<InvoiceHandler>()
.AsXmlDataContract();
As you can see the only difference is that the parameter on the AtUri method is changed.
OpenRasta will then look in the handler for a method that matches the HTTP verb and the parameters defined in the template.
The InvoiceHandler now has a method that looks like this:
public Invoice Get(string reference)
{
Invoice result = InvoiceRepository.GetInvoiceByReference(reference);
return result;
}
Don’t worry about the InvoiceRepository. It simply exists to get an Invoice object from somewhere. It could be from a database, in memory, a file or wherever.
We can now go to the uri /invoice/123-ABC and get the output:
<?xml version="1.0" encoding="utf-8"?>
<Invoice xmlns:i="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://schemas.datacontract.org/2004/07/MyFirstOpenRastaProject.Resources">
<Date>2009-09-30T00:00:00+01:00</Date>
<Reference>123-ABC</Reference>
</Invoice>
However, that’s not the whole story. You can do some pretty neat things with resource templates.
For example, if the method parameter on the resource handler is a DateTime object you can build up the URI template using the property names in the DateTime object. The template parameters will then be mapped to the properties in the DateTime object.
First the configuration has to be updated:
ResourceSpace.Has.ResourcesOfType<Invoice>()
.AtUri("/invoice/{reference}")
.And.AtUri("/invoice/{day}/{month}/{year}")
.HandledBy<InvoiceHandler>()
.AsXmlDataContract();
There is only one additional line here and that is to add a URI with a template containing the day, month and year. It is still the same type of resource and the code hasn’t changed. All that is new is the URI template. If you were to attempt to create a brand new ResourceSpace for the Invoice resource you’d get an error that the resource type was already registered in the system.
The InvoiceHandler class will need an additional method to handle the new template. The new method looks like this:
public Invoice Get(DateTime date)
{
Invoice result = InvoiceRepository.GetInvoiceByDate(date);
return result;
}
The result for the URI /invoice/29/09/2009 looks like this
<?xml version="1.0" encoding="utf-8"?>
<Invoice xmlns:i="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://schemas.datacontract.org/2004/07/MyFirstOpenRastaProject.Resources">
<Date>2009-09-29T00:00:00</Date>
<Reference>3e5a4e9e-3b46-4b09-a8f8-45010411501b</Reference>
</Invoice>
My First OpenRasta Project – Part 1
On the OpenRasta Wiki there are some instructions on getting your project up and running the manual way, should you so wish. One of the new features introduced at the last beta was a Visual Studio 2008 project template, which installs as part of the binary distribution.
Once installed you can create an OpenRasta project by going to the “Visual C#” Project Types and selecting OpenRasta ASP.NET Application (3.5) from the templates on the right of the dialog.
Once the project is created you’ll see that it has set the project up, added the references to the assemblies that it needs and created an initial handler, resource and views.
Before continuing further a little explanation of what each of these things are is in order.
A resource is a source of information. It is referenced via a URI. This blog post is a resource, an image is a resource, an invoice is a resource. However, a resource does not imply any particular kind of representation. In terms of OpenRasta a resource is simply an object
A handler is an object that manages the interaction of the resources. In MVC parlance it would be the “C” or controller.
A view is a regular ASP.NET page that can be rendered via the WebFormsCodec. It is not compulsory to implement any views at all if you don’t need ASP.NET.
A codec is the class responsible for encoding and decoding the representation of a resource. The built in codecs are WebForms, JSON and two types of XML.
First Code
When you get started you’ll need to configure OpenRasta. It needs to know the details of the resources you want to expose and the handlers that can deal with those resources. To do that OpenRasta looks for a class in your project that implements the IConfigurationSource interface.
If you have two or more classes that implement this interface then the first one that is found will be used. As the project template already contains a Configuration class already set up and ready to go there is nothing additional to do other than set the configuration.
In the example I’m going to show, we will be rendering an invoice. So the configuration needs to look like this:
public class Configuration : IConfigurationSource
{
public void Configure()
{
using (OpenRastaConfiguration.Manual)
{
ResourceSpace.Has.ResourcesOfType<Invoice>()
.AtUri("/invoice")
.HandledBy<InvoiceHandler>()
.AsXmlDataContract();
}
}
}
The configuration happens through a fluent interface. The ResourceSpace is the root object where you can define the resources in your application, what handles them and how they are represented. In this case this is going to be a fairly simple example. As it is a fluent interface it does seem to be fairly self explanatory.
The Invoice class is a simple POCO DTO that represents an invoice. POCO means Plain Old CLR Object and DTO is a Data Transfer Object. In this example the Invoice just looks like this:
public class Invoice
{
public string Reference { get; set; }
}
The InvoiceHandler class is another POCO that happens to have methods on it that are picked up by the use of conventions. If you have a method named after an HTTP verb (like GET or POST) then OpenRasta will use it to handle that verb.
In this example we are just going to return a simple Invoice object. I don’t want to complicate the example with other things at the present, so it will, in fact, always return an invoice with the same Reference property value.
public class InvoiceHandler
{
public Invoice Get()
{
return new Invoice
{
Reference = "123-456/ABC"
};
}
}
As the configuration specified that the XML Data Contract codec was to be used the invoice is rendered using that codec. The output looks like this:
<?xml version="1.0" encoding="utf-8"?> <Invoice xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2004/07/MyFirstOpenRastaProject.Resources"> <Reference>123-456/ABC </Invoice>
Obviously at this stage it isn’t very useful. This is just a quick demonstration showing how quickly something can be set up. In coming parts I’ll be addressing other issues that so that more useful things can be done.
NOTE: This blog post is based on OpenRasta 2.0 Beta 2 (2.0.2069.364): [Download]
Technorati Tags: OpenRasta
Being taxed for other people's music habit
In a blog post by Lily Allan, she quotes a message she got from Matt Bellamy from MUSE who said “Someone who just checks email uses minimal bandwidth, but someone who downloads 1 gig per day uses way more, but at the moment they pay the same. It is clear which user is hitting the creative industries and it is clear which user is not, so for this reason, usage should also be priced accordingly.”
He is basically suggesting that people pay a download tax to pay for the “creative industries” that are being hit by piracy.
In short, he wants me to pay for other people’s indiscretion in obtaining music, TV and movies via a mechanism that doesn’t compensate the artist that created these.
I am totally against this because I do not partake in such activity. My daily downloads do actually average about a gigabyte per day, but this is made up of things like using the BBC iPlayer, Spotify, downloads via my MSDN Subscription and so on. All of these result in large downloads. All of these provide me with legal content.
On top of that I buy many DVDs, CDs and buy a fair amount of music via the iTunes app on my iPhone. In fact, I often end up with a number of copies of the same thing, paying multiple times effectively, so I can have the music in a format that I want.
Am I hitting the creative industries? Good grief no! If anything they should be compensating me for having paid for their works multiple times over.
But, Matt Bellamy may be suggesting a get out clause so I don’t have to pay, yet again, for legal content: “ISPs should have to pay in the same way with a collection agency like PRS doing the monitoring and calculations based on encoded (but freely downloaded) data.”
If he is suggesting what I think he’s suggesting I really don’t think he’s thought it through all that well.
First there is the civil liberty issue of having the ISP monitor your communications. Sure, it would be relatively easy for them to examine the data that’s being passed through. In fact, to some extent they have to do that anyway because they have to examine the TCP/IP headers in order to route traffic. However, music and movie downloads are significantly larger. Roughly 7 to 9 orders of magnitude bigger.
Also, while a TCP/IP header is very well defined, digitally encoded creative works can be encoded in many different ways. MP3, MPEG, WMA, WMV, etc. How do you tell what it is you have? How would you create a system that would work out that a particular MP3 is a Lily Allen track? If you had the CD you could rip it in many different ways resulting in many different representations, some smaller lower quality, some larger higher quality. How do you correctly identify all that?
Personally, that idea it is a non-starter at current technological levels. Secondly, we’re heading towards a general election soon and most political parties that are vying for power at the moment are campaigning on a stance of improving civil liberties and reducing surveillance on the populace – They are unlikely to be legislating to allow ISPs to spy on network traffic like this for what is essentially a civil matter.
[Normal service will be resumed in the next post]
SQL Injection Attacks and Tips on How to Prevent Them
I’m giving a talk in Dundee on the topic of SQL Injection Attacks. If you are interested in the subject then the registration link is at the bottom of the page.
Wednesday, 28th October 2009 at 19:00 – 21:00
Queen Margaret Building, Dundee University
The Talk
In light of some recent events, such as the man who was convicted of stealing 130 million credit card details through a SQL Injection attack, it is imperative that developers understand what a SQL Injection Attack is, how they are carried out, and most importantly, how to defend your code against attack.
In this talk I’ll demonstrate a SQL Injection Attack on an application in a controlled environment*. I’ll show you where the vulnerable code lies and what you can do to harden it.
Although this talk uses C# as the application language and Microsoft SQL Server 2008 as the database engine many of the concepts and prevention mechanisms will apply to any application that accesses a database through SQL.
* Demonstrating an attack on a real system without the owner’s consent is a breach of the 1990 Misuse of Computers Act, hence the controlled environment.
The Venue
We are meeting in the Queen Mother Building at Dundee University. After the meeting we normally retire to the the bar at Laing’s
The Agenda
18:45 Doors Open
19:00 Welcome
19:10 The Talk (Part 1)
19:55 Break
20:05 The Talk (Part 2)
20:45 Feedback & Prizes
21:00 Repair to the Pub
Registration
Space is limited, we would therefore ask that you sign up.
If you really must do dynamic SQL…
I may have mentioned in previous posts and articles about SQL Injection Attacks that dynamic SQL (building SQL commands by concatenating strings together) is a source of failure in the security of a data driven application. It becomes easy to inject malicious text in there to cause the system to return incorrect responses. Generally the solution is to use parameterised queries
However, there are times where you may have no choice. For example, if you want to dynamically reference tables or columns. You can’t do that as the table name or column name cannot be replaced with a parameter. You then have to use dynamic SQL and inject these into a SQL command.
The problem
It is possible for SQL Server to do that concatenation for you. For example:
CREATE PROCEDURE GetData @Id INT, @TableName sysname, @ColumnName sysname AS BEGIN SET NOCOUNT ON; DECLARE @sql nvarchar(max) = 'SELECT ' + @ColumnName + ' FROM ' + @TableName + ' WHERE Id = '+cast(@Id as nvarchar(20)); EXEC(@sql) END GO
This is a simple stored procedure that gets some data dynamically. However, even although everything is neatly parameterised it is no protection. All that has happened is that the location for vulnerability (i.e. the location of the construction of the SQL) has moved from the application into the database. The application is now parameterising everything, which is good. But there is more to consider than just that.
Validating the input
The next line of defence should be verifying that the table and column names passed are actually valid. In SQL Server you can query the INFORMATION_SCHEMA views to determine whether the column and tables exist.
If, for example, there is a table called MainTable in the database you can check it with a query like this:
SELECT * FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = 'MainTable'
And it will return:
There is a similar view for checking columns. For example:
As you can see, the INFORMATION_SCHEMA.COLUMNS view also contains sufficient detail on the table so that when we implement it we only have to make one check:
ALTER PROCEDURE GetData
@Id INT,
@TableName sysname,
@ColumnName sysname
AS
BEGIN
SET NOCOUNT ON;
IF EXISTS (SELECT * FROM INFORMATION_SCHEMA.COLUMNS
WHERE TABLE_NAME = @TableName AND COLUMN_NAME = @ColumnName)
BEGIN
DECLARE @sql nvarchar(max) =
'SELECT ' + @ColumnName +
' FROM ' + @TableName +
' WHERE Id = '+cast(@Id as nvarchar(20));
EXEC(@sql)
END
END
GO
Formatting the input
The above is only part of the solution, it is perfectly possible for a table name to contain characters that mean it needs to be escaped. (e.g. a space character or the table may share a name with a SQL keyword). To escape a table or column name it is enclosed in square brackets, so a table name of My Table becomes [My Table] or a table called select becomes [select].
You can escape table and column names that wouldn’t ordinarily require escaping also. It makes no difference to them.
The code now becomes:
ALTER PROCEDURE GetData
@Id INT,
@TableName sysname,
@ColumnName sysname
AS
BEGIN
SET NOCOUNT ON;
IF EXISTS (SELECT * FROM INFORMATION_SCHEMA.COLUMNS
WHERE TABLE_NAME = @TableName AND COLUMN_NAME = @ColumnName)
BEGIN
DECLARE @sql nvarchar(max) =
'SELECT [' + @ColumnName + '] ' +
'FROM [' + @TableName + '] ' +
'WHERE Id = '+cast(@Id as nvarchar(20));
EXEC(@sql)
END
END
GO
But that’s not quite the full story.
Really formatting the input
What if you have a table called Cra]zee Table? Okay – Why on earth would you have a table with such a stupid name? It happens, and it is a perfectly legitimate table name in SQL Server. People do weird stuff and you have to deal with it.
At the moment the current stored procedure will simply fall apart when presented with such input. The call to the stored procedure would look like this:
EXEC GetData 1, 'Cra]zee Table', 'MadStuff'
And it gets past the validation stage because it is a table in the system. The result is a message:
Msg 156, Level 15, State 1, Line 1 Incorrect syntax near the keyword 'Table'.
The SQL produced looks like this:
SELECT [MadStuff] FROM [Cra]zee Table] WHERE Id = 1
By this point is should be obvious why it failed. The SQL Parser interpreted the first closing square bracket as the terminator for the escaped section.
There are other special characters in SQL that require special consideration and you could write code to process them before adding it to the SQL string. In fact, I’ve seen many people do that. And more often than not they get it wrong.
The better way to deal with that sort of thing is to use a built in function in SQL Server called QUOTENAME. This will ensure the column or table name is properly escaped. The stored procedure we are now building now looks like this:
ALTER PROCEDURE GetData
@Id INT,
@TableName sysname,
@ColumnName sysname
AS
BEGIN
SET NOCOUNT ON;
IF EXISTS (SELECT * FROM INFORMATION_SCHEMA.COLUMNS
WHERE TABLE_NAME = @TableName AND COLUMN_NAME = @ColumnName)
BEGIN
DECLARE @sql nvarchar(max) =
'SELECT ' + QUOTENAME(@ColumnName) +
' FROM ' + QUOTENAME(@TableName) +
' WHERE Id = '+cast(@Id as nvarchar(20));
EXEC(@sql)
END
END
GO
Things that can be parameterised
There is still something that can be done to this. The Id value is being injected in to the SQL string, yet it is something that can quite easily be parameterised.
The issue at the moment is that the SQL String is being executed by using the EXECUTE command. However, you cannot pass parameters into this sort of executed SQL. You need to use a stored procedure called sp_executesql. This allows parameters to be defined and passed into the dynamically created SQL.
The stored procedure now looks like this:
ALTER PROCEDURE GetData
@Id INT,
@TableName sysname,
@ColumnName sysname
AS
BEGIN
SET NOCOUNT ON;
IF EXISTS (SELECT * FROM INFORMATION_SCHEMA.COLUMNS
WHERE TABLE_NAME = @TableName AND COLUMN_NAME = @ColumnName)
BEGIN
DECLARE @sql nvarchar(max) =
'SELECT ' + QUOTENAME(@ColumnName) +
' FROM ' + QUOTENAME(@TableName) +
' WHERE Id = @Identifier';
EXEC sp_executesql @sql, N'@Identifier int',
@Identifier = @Id
END
END
GO
This is not quite the end of the story. There are performance improvements that can be made when using sp_executesql. You can find out about these in the SQL Server books-online.
And finally…
If you must use dynamic SQL in stored procedures do take care to ensure that all the data is validated and cannot harm your database. This is an area in which I tread very carefully if I have no other choice.
Try and consider every conceivable input, especially inputs outside of the bounds of your application. Remember also, that defending your database is a multi-layered strategy. Even if you have the best firewalls and security procedures elsewhere in your system a determined hacker may find a way though your other defences and be communicating with the database in a way in which you didn’t anticipate. Assume that an attacker has got through your other defences, how do you provide the data services to your application(s) yet protect the database?
Technology trends through Google Analytics
I’ve been looking at various Google Analytics stats to see some recent technology trends. This started out as me being simply curious about what technologies people were using to access my blog. But then I got to thinking that it would be interesting to see how the statistics on my (Microsoft/Technology focused) blog fair with regard to other websites.
The most interesting thing I found is that my blog does not match other other, more mainstream, sites I looked at. I seem to have some early adopters that cause jumps in the trend. Other sites tend to have more stable trends.
For example, here’s the graph for my blog showing operating system usage:
In mid-2008 there is a jump of Windows Vista users. I tried to figure out why the number of Windows Vista users should jump like this and the only thing that I can actually think of is that this is about the time of “The Mojave Experiment”. Alternatively, perhaps it is something I did on my blog bringing more traffic to me from people running Windows Vista?
In July 2008 20% of visitors were using Windows Vista, the following month that number had jumped to 32%. Incidentally on August 3rd I wrote a blog post that has consistently be in my top-5 blog posts each month ever since. That post was about installing SQL Server 2005 on Vista. In fact, that single post currently represents 14% of the monthly traffic to my blog.
When looking at the browser usage in use the trend doesn’t have such a wild jump in it. Internet explorer is steadily being replaced by FireFox with most other browsers sitting down below 10%. There is, however, a rise in Chrome usage and I expect it to be past the 10% mark by the end of the year.
What is interesting is the jump when Chrome first came on the market, it jumped in at 3.5% and has been steadily rising since. It is up to 8.1% now so that it is now in 3rd place.
Operating Systems
Let’s compare that to some more mainstream sites. I’m just going to put the graphs up one after the other then comment on them.
First the operating system:
There are some very interesting variations between these graphs and my blog. None of these have a big jump in any particular operating system, so that suggests that Project Mojave, an earlier speculation to account for a jump in Vista users, didn’t have a big effect.
What is most interesting is that people looking at Lingerie websites have more Apple Macs (purple line) that people looking at other sites. Mac usage for the lingerie site runs from 10% to 15% over the course of the two years.
Windows XP usage is coming down, more markedly for the Lingerie site. I’d speculate that since businesses seem to be the ones holding on to Windows XP the longest (still installing it on newly purchased equipment, unlike the home market which will most likely stick to what is on the box already) those viewing the Lingerie website are more likely to do so from home. Certainly, if I was so inclined to visit, I’d do that at home.
On the early adopter front, most mainstream sites have not seen much of an increase in Windows 7 (turquoise line) usage yet. It isn’t released to the general public until 22nd of October. Early adopters will mostly be running the beta and release candidate. Those with MSDN Subscription will be able to run the full release already. It would seem that many developers (or at least those inclined to visit a software development oriented blog) are already adopting Windows 7 as almost 7% of visitors used that operating system. The mainstream sites are sitting around 0.5% currently.
Browsers
It looks like developers buck the trend again. 30%-40% use FireFox to access my blog whereas more mainstream sites get 10%-20% of visitors using FireFox. Also, the lingerie site is also slightly bucking the trend by having around 25% of visitors using FireFox.
Universally, IE is losing market share. It just seems to be quicker for software developers to be abandoning it, even on this Microsoft oriented software development blog.
It would seem that FireFox is the browser in line to take the crown, at least in software development circles as it does seem to have a fair way to go elsewhere. However, Chrome has got off to a good start, gaining initial popularity even on more mainstream sites. FireFox may have some real competition. Safari is not doing so badly either, but that trend does seem to follow the Mac OS trend, so perhaps that’s just getting the kudos through being installed as the default browser on Macs.
Technorati Tags: google analytics,windows 7,windows vista,vista,windows xp,xp,IE,FireFox,Chrome,Safari
Tip of the Day #16: NaN (Not a Number)
The Issue
If you want to detect if a double (System.Double) or float (System.Single) is ?not a number? or NaN you cannot use something like this:
if (myDouble == double.NaN)
{
/* do something */
}
It will always be false.
Sounds crazy? Try this:
double myDouble = double.NaN;
Console.WriteLine("myDouble == double.NaN : {0}", myDouble == double.NaN);
The result is:
myDouble == double.NaN : False
You can see that myDouble was explicitly set the value of double.NaN, yet in the next line it is returning false.
The Solution
If you want to test for a floating point value being Not a Number you to use IsNan() which is a static method on System.Double and System.Single. Here is the first example re-written to use the static method. It will now work correctly:
if (double.IsNan(myDouble) { /* do something */ }
If we re-write our other example:
double myDouble = double.NaN;
Console.WriteLine("double.IsNaN(myDouble) : {0}", double.IsNaN(myDouble));
We get the expected result too:
double.IsNaN(myDouble) : True
The Reason
According to Wikipedia: In computing, NaN, which stands for Not a Number, is a value or symbol that is usually produced as the result of an operation on invalid input operands, especially in floating-point calculations. For example, most floating-point units are unable to explicitly calculate the square root of negative numbers, and will instead indicate that the operation was invalid and return a NaN result. NaNs may also be used to represent missing values in computations.
It goes on to say: A NaN does not compare equal to any floating-point number or NaN, even if the latter has an identical representation. One can therefore test whether a variable has a NaN value by comparing it to itself, thus if x = x gives false then x is a NaN code.
This is why (double.NaN == double.NaN) always results in false. And it is also how the .NET framework detects the NaN value in the IsNan() method.
public static bool IsNaN(double d)
{
return (d != d);
}
Technorati Tags: NaN,Not a Number,C#,.NET,floating point numbers,float,double,System.Single,System.Double
The Blog of Colin Mackay 