few cleanup items, added least privilege
Showing
11 changed files
with
76 additions
and
129 deletions.
62 changes: 31 additions & 31 deletions
62
...c/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content10.adoc
@@ -1,35 +1,35 @@ | ||
== Parameterized Queries – Java Example | ||
------------------------------------------------------- | ||
// Parser returns only valid string data | ||
String accountID = getParser().getStringParameter(ACCT_ID, ""); | ||
String data = null; | ||
try | ||
// Parser returns only valid string data | ||
String accountID = getParser().getStringParameter(ACCT_ID, ""); | ||
String data = null; | ||
try | ||
{ | ||
// Read only database connection | ||
Statement connection = DatabaseUtilities.getConnection(READ_ONLY); | ||
// Build a fully qualified query | ||
String query = "SELECT first_name, last_name, acct_id, balance | ||
FROM user_data WHERE acct_id = ?"; | ||
PreparedStatement statement = connection.prepareStatement(query); | ||
statement.setString(1, accountID); | ||
ResultSet results = statement.executeQuery(); | ||
if ((results != null) && (results.first() == true)) | ||
{ | ||
// Read only database connection | ||
Statement connection = DatabaseUtilities.getConnection(READ_ONLY); | ||
// Build a fully qualified query | ||
String query = "SELECT first_name, last_name, acct_id, balance | ||
FROM user_data WHERE acct_id = ?"; | ||
PreparedStatement statement = connection.prepareStatement(query); | ||
statement.setString(1, accountID); | ||
ResultSet results = statement.executeQuery(); | ||
if ((results != null) && (results.first() == true)) | ||
{ | ||
// Only one record should be returned for this query | ||
Results.last(); | ||
if (results.getRow() <= 2) | ||
{ | ||
data = processAccount(results); | ||
} | ||
else { // Handle the error – Database integrity issue } | ||
} | ||
else { // Handle the error – no records found } | ||
} | ||
catch (SQLException sqle) { // Log and handle the SQL Exception } | ||
catch (Exception e) { // Log and handle the Exception } | ||
finally { // Always close connection in finally block | ||
DatabaseUtilities.closeConnection(); | ||
} | ||
return data; | ||
// Only one record should be returned for this query | ||
Results.last(); | ||
if (results.getRow() <= 2) | ||
{ | ||
data = processAccount(results); | ||
} | ||
else { // Handle the error – Database integrity issue } | ||
} | ||
else { // Handle the error – no records found } | ||
} | ||
catch (SQLException sqle) { // Log and handle the SQL Exception } | ||
catch (Exception e) { // Log and handle the Exception } | ||
finally { // Always close connection in finally block | ||
DatabaseUtilities.closeConnection(); | ||
} | ||
return data; | ||
------------------------------------------------------- |
34 changes: 13 additions & 21 deletions
34
...c/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content13.adoc
@@ -1,22 +1,14 @@ | ||
== Parameterized Queries – .NET | ||
------------------------------------------------------- | ||
public static bool isUsernameValid(string username) { | ||
RegEx r = new Regex(“^[A-Za-z0-9]{16}$”); | ||
Return r.isMatch(username); | ||
} | ||
== Least Privilege | ||
|
||
// SqlConnection conn is set and opened elsewhere for brevity. | ||
try { | ||
string selectString = “SELECT * FROM user_table WHERE username = @userID”; | ||
SqlCommand cmd = new SqlCommand( selectString, conn ); | ||
if ( isUsernameValid( uid ) ) { | ||
cmd.Parameters.Add( "@userID", SqlDbType.VarChar, 16 ).Value = uid; | ||
SqlDataReader myReader = cmd.ExecuteReader(); | ||
if ( myReader ) { | ||
// make the user record active in some way. | ||
myReader.Close(); | ||
} | ||
} else { // handle invalid input } | ||
} | ||
catch (Exception e) { // Handle all exceptions… } | ||
------------------------------------------------------- | ||
=== Connect with a minimum set of privileges | ||
* The application should connect to the database with different credentials for every trust distinction | ||
* Applications rarely need delete rights to a table or database | ||
|
||
=== Database accounts should limit schema access | ||
|
||
=== Define database accounts for read and read/write access | ||
|
||
=== Multiple connection pools based on access | ||
* Use read only access for the authentication query | ||
* Use read/write access for the data modification queries | ||
* Use execute for access to stored procedure calls |
2 changes: 1 addition & 1 deletion
2
...rc/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content2.adoc
27 changes: 14 additions & 13 deletions
27
...rc/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content9.adoc
@@ -1,24 +1,25 @@ | ||
== Parameterized Queries – Java Snippet | ||
|
||
------------------------------------------------------- | ||
[source,java] | ||
---- | ||
public static bool isUsernameValid(string username) { | ||
RegEx r = new Regex(“^[A-Za-z0-9]{16}$”); | ||
return r.isMatch(username); | ||
RegEx r = new Regex(“^[A-Za-z0-9]{16}$”); | ||
return r.isMatch(username); | ||
} | ||
// java.sql.Connection conn is set elsewhere for brevity. | ||
PreparedStatement ps = null; | ||
RecordSet rs = null; | ||
try { | ||
pUserName = request.getParameter(“UserName”); | ||
if ( isUsernameValid (pUsername); | ||
ps = conn.prepareStatement(“SELECT * FROM user_table | ||
pUserName = request.getParameter(“UserName”); | ||
if ( isUsernameValid (pUsername); | ||
ps = conn.prepareStatement(“SELECT * FROM user_table | ||
WHERE username = ? ”); | ||
ps.setString(1, pUsername); | ||
rs = ps.execute(); | ||
if ( rs.next() ) { | ||
// do the work of making the user record active in some way | ||
} else { // handle invalid input } | ||
ps.setString(1, pUsername); | ||
rs = ps.execute(); | ||
if ( rs.next() ) { | ||
// do the work of making the user record active in some way | ||
} | ||
} else { // handle invalid input } | ||
} | ||
catch (…) { // handle all exceptions … } | ||
------------------------------------------------------- | ||
---- |