Archive for October, 2009
Proof Your Site Against SQL Injection
Friday, October 23rd, 2009
Web applications often accept input data from users and pass it to database systems. Problems arise when such data contains characters that have special meaning to the database. For example, the single quote (') is used by most database systems to terminate a string. Different databases have different meta-characters of this kind. Hackers skilfully exploit the use of meta-characters to run their own SQL commands in the database.
Consider this code fragment that accepts an employee id from a web form and fetches employee details from the Employee table:
$empId = $_GET["employee_id"];
$query = "SELECT * FROM Employee WHERE emp_id = " . $empId;
If a user fills in the employee_id field with
1 ; UPDATE Employee SET salary = 5000
that would result in the following statements being executed:
SELECT * FROM Employee WHERE emp_id = 1 ; UPDATE Employee SET salary = 5000
Many database systems like PostgreSQL allow multiple statements to execute in a single command. It's anybody's guess as to what would happen if the above statements executed; here, the smuggled UPDATE would set every employee's salary to 5000. The hacker is exploiting the semicolon (;) meta-character, which many database systems use as a statement separator.
The above is only one example; there are in fact hundreds of ways in which other meta-characters can be exploited to execute a variety of harmful commands.
So how do you protect your application against SQL injection? Some steps are outlined below.
- Escape the special characters before you pass the data on to the database. You need to figure out all the meta-characters used by your database and escape them, so they are interpreted as regular data and not as control characters.
- Avoid dynamic SQL generation in your code. Use prepared statements instead. When prepared statements are used, the database will not confuse data for control characters.
- Stored Procedures offer some degree of protection, but are not injection-proof either. They are vulnerable if additional parsing is performed on input parameters.
- The application should have only minimal rights to perform operations in the database. It need not have DROP access if your application doesn’t have to drop a table.
- Validate your input. Do this on the server-side as client-side validation cannot be trusted. Write per-field validations using regular expressions that allow only whitelisted characters. Limiting the allowable range of characters and length of each field will reduce the chance of injection.
- I have mentioned escaping data before passing it on to the database. However, many developers perform input escaping instead: everything is escaped once, on the way in. This kind of blanket escaping is generally effective, but it can create problems if you need to pass the data to other subsystems (for example, sending an email) that have different escaping needs. The ideal solution is output escaping: escape the data just before passing it to each subsystem, using that subsystem's rules.
- Catch database exceptions and show a custom error page to the user. Show minimal information about the error to the user. Database exceptions carry more information than the user needs to see – they may contain table and column names. So catch these exceptions in your application and redirect the user to an error page that does not give out much information.
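The concatenated query from the code fragment above beside its prepared-statement form, plus the whitelist validation from the list, as an added example that is not part of the original post. It uses Python's sqlite3 module with constructed sample data; `executescript()` stands in for a driver that, like PostgreSQL's, runs several semicolon-separated statements in one command (an assumption, since sqlite3's plain `execute()` refuses stacked statements).

```python
import re
import sqlite3

# Constructed sample schema and data, not from the original post.
SEED_SQL = """
CREATE TABLE Employee (emp_id INTEGER PRIMARY KEY, name TEXT, salary INTEGER);
INSERT INTO Employee VALUES (1, 'Alice', 70000);
INSERT INTO Employee VALUES (2, 'Bob', 65000);
"""
# The exact form value used in the post.
PAYLOAD = "1 ; UPDATE Employee SET salary = 5000"
# Whitelist for the employee_id field: digits only, bounded length.
EMP_ID_RE = re.compile(r"[0-9]{1,9}")


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SEED_SQL)
    return conn


def salaries(conn):
    """Current salaries in emp_id order, used to observe side effects."""
    return [r[0] for r in conn.execute("SELECT salary FROM Employee ORDER BY emp_id")]


def lookup_vulnerable(conn, raw_id):
    """Dynamic SQL as in the post. executescript() stands in (assumption) for a
    driver that runs every ';'-separated statement it is handed."""
    query = "SELECT * FROM Employee WHERE emp_id = " + raw_id
    conn.executescript(query)  # both the SELECT and the smuggled UPDATE run
    return salaries(conn)


def lookup_safe(conn, raw_id):
    """Prepared statement: the value is bound as data and never parsed as SQL."""
    cur = conn.execute("SELECT * FROM Employee WHERE emp_id = ?", (raw_id,))
    return cur.fetchall()


def validate_emp_id(raw_id):
    """Server-side per-field validation; rejects anything outside the whitelist."""
    if not EMP_ID_RE.fullmatch(raw_id):
        raise ValueError("employee_id must be 1 to 9 digits")
    return int(raw_id)


if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable(new_db(), PAYLOAD))  # every salary now 5000
    print("prepared:  ", lookup_safe(new_db(), PAYLOAD))        # no row matches
```

With the prepared statement the whole payload is compared as a single value against emp_id, so no row matches and the table is untouched; the validator rejects it before it ever reaches the database.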
This article gave some tips on how to avoid falling prey to SQL injection attacks. Only the application developer can prevent this type of attack. It cannot be avoided by installing firewalls or SSL certificates. Developers need to think about how to prevent injection attacks when they write code, not as an afterthought.
Windows 7 – Vista Debacle Fixer or Ideal XP Successor?
Thursday, October 22nd, 2009
The wait is over. Microsoft is all set to launch its new Operating System, Windows 7. Although the product was released to manufacturing on July 22nd, 2009, it will be available to the public only today (Oct 22nd, 2009). The Operating System comes in 6 packages. Each of these packages is meant for a different type of customer. The packages are Starter, Home Premium, Professional, Ultimate, OEM and Enterprise.
A look back
Windows XP has survived longer than Microsoft would have imagined. Since its first appearance in October 2001, the Operating System is still one of the best in the market. Microsoft says over 400 million copies were in use. Although Microsoft stopped the delivery of XP from Jan 31st, 2009, the downgrade option is still available. To be in the market for 8 years and still find a place to stick around is an achievement to talk about.
Known by its codename ‘Longhorn’, Vista came into the picture with great expectations in 2007. But the Longhorn did not serve to be a horn for Microsoft. Vista neither compromised on low hardware configurations nor delivered the expected performance. Complaints and weird feedback filled the air. And not surprisingly, most of the customers either continued with XP or looked for alternative Operating Systems.
A positive look forward
With the bar set high for the next Operating System, the Microsoft team started working a few years back and has now come up with a product which has generated a non-skeptical, positive response even from the world's best analysts. Let's take a look at a few features that have paved the way for this.
System Requirements – Normal
The Operating System is designed to support 32 bit and 64 bit processors. The minimum system requirements for the best performance of the product are not highly demanding. Glance at the following table for the exact details.
| | 32 bit | 64 bit |
|---|---|---|
| Processor speed | 1 GHz | 1 GHz |
| RAM | 1 GB | 2 GB |
| Hard disc space | 16 GB | 20 GB |
| Graphics | DirectX 9 | DirectX 9 |
Lightweight
A normal install takes no more than 30 minutes. However, this certainly depends on the hardware of the system and the type of install used (Upgrade or Fresh). The development team has worked on optimizing the underlying code and has also removed software like Movie Maker, Mail etc. These are now available on the Microsoft site as free downloads. This new approach has reduced the size of the Operating System and made it lightweight. Windows 7 can be installed on netbooks and nettops also.
Better Battery Life
One of the concerns for a laptop user is the backup time his laptop offers. If the Operating System enables him to increase this backup time, it is definitely something to cheer about. Windows 7 saves 30% of the backup time if the previous Operating System used was Windows XP. This was announced publicly by Rob Bernard, Microsoft’s Chief Environmental Strategist.
Third Party Software Evaded
Windows 7 embeds functionalities that previously required third party software support. Notable ones are:
- ISO image burner
- Fingerprint sensor management
An ISO image file has so far been an unrecognized format in Windows without third party software support. In Windows 7, you can double click an ISO file and burn it right away. Windows Biometric Framework is a new addition that removes the need for third party software to manage biometric devices. A fingerprint sensor is one example; Windows 7 manages this on its own.
New Taskbar
The new taskbar is arguably one of the best features of Windows 7. It works even better than the Mac OS X dock. It looks like a modified Vista. But behind the screens, there is a complete change of code. Mouse over has been dealt with in an innovative way that is sure to attract the public. Pinning to start menu has also become much easier now. Jump list, a new feature, manages recently opened documents. The show desktop icon is brought into the taskbar. And it works with just a mouse over.
PowerShell
PowerShell is a command-line tool that administers various tasks using cmdlets. Cmd and command were available earlier. With the new command-line tool, it is possible to bring out all GUI functionalities. This tool could become very handy for administrators. Although PowerShell could be downloaded for XP and Vista, it was not a very big hit. Microsoft has decided to bring it as a built-in feature for Windows 7.
There are a number of other features that are sure to influence the public. The control panel has been modified and made more user-friendly. The Operating System integrates the backup utility with the control panel. Problem Steps Recorder is a new tool that captures user actions and helps debuggers. A system repair disc can now be created during administrative work. The features and innovative developments in Windows 7 make it more than just a Vista debacle fixer or an ideal XP successor. I can't wait to get my hands on it!
QBurst Cricket Tournament – QBurst Cup 2009
Thursday, October 15th, 2009
QBurst Cup 2009, the internal cricket tournament of QBurst Technologies, will kick-start on 17th October, 8:00AM at the Technopark cricket ground. Invincibles, Knight Riders, Super Sixteen and Phoenix are the four teams participating in this tournament. The tournament is organized in round-robin format, with the top two teams finishing the round playing for the title.
The tournament is hosted in the new Cricket tournament hosting platform of Crickees.
Log onto qburst.crickees.com to
- Get to know the teams and players.
- See the tournament fixtures.
- View the latest news and match results.
- Catch live updates of the matches.
- Know who’s the leading run scorer/wicket taker and lots more statistics
- See the standings for each team
- Catch the players in action in the impressive photo gallery
Watch out for more updates coming soon.
Crickees has been instrumental in hosting last year’s Technopark Cricket Tournament and this year, the tournament will be hosted in the new platform of Crickees.
Video and the Web – 2
Wednesday, October 14th, 2009
In my previous article, we discussed the video formats that are predominantly used on the web. Here, we are going to see how these different formats are effectively delivered on the web. There are three methods that developers have used so far to bring video to the web. Let's list them chronologically and get to know them in simple terms.
- Downloading
This traditional method is the one in which the user has to wait for the file to download to his local machine and then play the file in a player. The user will not be able to view the video unless the file is downloaded completely. He must also choose the right player to play the file. Right player, in the sense: the one which understands the codec used by the video file.
Accomplishing this method in a webpage is pretty simple for a developer. He has to upload the file to the web server and provide a link to the file in the webpage. An alternate method is to embed the file in the webpage with a player using HTML code. When the user clicks the link, the download begins. This method is commonly referred to as HTTP Streaming. This method is still used by a number of sites. And yes, the point is it does not cause any trouble if the site traffic is low. One notable inability of this traditional method is that no live streaming can be done, since there can never be a complete file during live transmission.
- Streaming
In the case of a streamed video, the file is sent to the end user in a continuous stream, which allows him to watch the video as and when it reaches the local system. Streaming has gained much popularity with live telecasts. When you browse through the web you will find podcasts and webcasts delivering video. Both of these use the streaming method to deliver video. A webcast is mostly a single file that is played live or on demand, whereas a podcast comes as a series and is delivered on demand. Another widely used streamed application in countries like the US and UK is internet television. Let's break down streaming and get into the next level.
  - Progressive streaming
  - True streaming
Progressive streaming is used for on demand videos. If the video is delivered progressively, then the video file gets saved on the local system and plays from there. Once the video is done playing, it will still be available for replay. This is not the case with true streaming, which plays the file without saving it locally. So once the player has finished playing it, it will not be available for replay. A perfect example would be a live match that is telecast through the internet.
Streaming is complex and can only really be understood by trying it. Protocol selection is one factor that adds to the complexity. Unicast protocols may be feasible for modest websites, but a larger number of concurrent users could upset the system unless sufficient capacity is provided. Multicast protocols compel you to forgo the on demand function, which might not be acceptable for all. UDP (datagram) may not be as efficient as the others.
The data (video files) may be stored in-house or outsourced. Most of the companies outsource the complete process in order to avoid complexities. A few major products available to service video on web are FMS (Flash Media Server), Wowza, QTSS (Quick Time Streaming Server). This is another area which I will cover in my next article. Now we’ll move on to the next method.
- Progressive Downloading
The method of progressive download is similar to Streaming. However, this method uses the HTTP protocol. There is also a difference in how data is interpreted at the user's end. YouTube.com uses progressive download for its video service. Gaining access to the video is also simple, as the file is mostly saved in the temp folder. The file could be copied by anyone, and this has given rise to piracy and security problems. In the streaming method, a similar situation will not arise because at no time will the entire file be downloaded locally.
I hope to have put these video concepts in simple terms. Do contact me if you would like to know more about video on the web.
TestSwarm – JavaScript Testing Made Simple
Tuesday, October 6th, 2009
Here's glad news for web developers from Mozilla Labs. There is now a quick and easy way to test your JavaScript code on multiple browsers. TestSwarm, the new Mozilla Labs project, aims to ease developers' pain by providing distributed continuous integration testing for JavaScript.
However, at this moment, TestSwarm is still in alpha testing.
NOTE: “During this alpha period data may be lost or corrupted and clients may be unexpectedly disconnected.”
The TestSwarm project was initially started by John Resig as a tool to support the jQuery project, and it later moved to become an official Mozilla Labs project. According to John, one of the main reasons he pursued this project is that present-day cross-browser JavaScript testing methods do not scale. TestSwarm is expected to greatly simplify the complicated and time-consuming process of running JavaScript test suites in multiple browsers.
TestSwarm currently supports 7 operating systems (Windows, Mac OS X and Linux) and runs its tests on all the major browsers, from Mozilla to Konqueror. TestSwarm provides a great visual interface to display the test results. Detailed data about what exactly went wrong is provided, which helps to rectify the problem too. This makes it easier for a developer to keep JavaScript libraries compatible with most web browsers.
Currently, TestSwarm is provided as a service to test a few popular JavaScript libraries including jQuery, YUI, Dojo, MooTools, and Prototype. You can also download the source code and install TestSwarm on your own servers if you want to use it for your own project.
To know more, watch this screencast on how TestSwarm works. Additional information is available on John’s blog and the TestSwarm site.