So lets start out with the basics, what is it? It all has to do with the URL bar and get variables. Let’s say that my site is “http://www.mysite.com/” and I created a script that grabs info out of my database based on it’s ID in the database. For example: “http://www.mysite.com/index.php?pageid=10″. My SQL statement will look like this: “SELECT * FROM pages WHERE ID=$_GET[id]“. Just like a regular SQL Injection, a hacker can submit malicious code using the get variable.

This is where we differ a little from a basic SQL Injection. In a basic SQL Injection, you simply type ' or 'x'='x into a form and it may or may not authenticate you. Your goal is to get it to toss an error, so that you know your code is not being parsed correctly.

Because we are retrieving info about a page with my example website script, not users, it makes it difficult to authenticate yourself with one line of code like a basic SQL Injection. There is one thing we can do, and that is to make the SELECT statement true or false. If my site is vulnerable, all we would need to type in the browser is: “http://www.mysite.com/index.php?pageid=10 and 1=1″. If it isn’t parsed correctly, my vulnerable code will now look like this: SELECT * FROM pages WHERE ID=10 and 1=1. That is a true statement so our page will display normally. Now we try a false statement: “http://www.mysite.com/index.php?pageid=10 and 1=2″ and our SQL query reads as: SELECT * FROM pages WHERE ID=10 and 1=2. This statement is false, so it will not grab ANY info from pages. With no info being grabbed from the database, our page will look significantly different. Maybe some pictures won’t be there, or text will be missing, or maybe the entire page will be blank. If that is the case, then you are in business.

So why is it called BLIND Sql Injection? Well rather than executing queries directly, like a regular SQL injection, and getting your info directly, you are now blind instead. You are using true/false statements to guess what the table names are, or manually hash them out using ascii codes and substrings. It can take hours to get access to a vulnerable site, but there are programs and scripts out there that will do all the work for you so you don’t even have to think about it.

If you want to know a little bit more about how this works, lets try it out on a vulnerable example: http://www.cblpi.org

Lets say I went to Ann Coulter’s bio page: http://www.cblpi.org/programs/bio.cfm?ID=15&type=Speaker

We notice that ID=15 and may be vulnerable. So we test it by typing: http://www.cblpi.org/programs/bio.cfm?ID=15 and 1=1&type=Speaker

Nothing changes! Let’s test it again by typing 1=2: http://www.cblpi.org/programs/bio.cfm?ID=15 and 1=2&type=Speaker

Now a blank page appears, so we know that the ID variable isn’t being parsed correctly.

Lets figure out what version of MySQL it is using BSI using @@version: http://www.cblpi.org/programs/bio.cfm?ID=15 and substring(@@version,1,1)=5&type=Speaker

If its version 5.xxxx it will show up as true! Does it? No. Then lets try 4: http://www.cblpi.org/programs/bio.cfm?ID=15 and substring(@@version,1,1)=4&type=Speaker

And know we know they are using version 4.xxxx of MySQL.

Lets try guessing a table name! http://www.cblpi.org/programs/bio.cfm?ID=15 and (select 1 from USERS limit 0,1)=1&type=Speaker

If table USERS exists, it will return 1 and the statement will be TRUE! Does it? No it doesn’t, but it does give us a nice error page saying it doesn’t exist, with the table name that we are currently selecting out of (PEOPLE).

So lets validate the code real quick. We know PEOPLE does exist, so http://www.cblpi.org/programs/bio.cfm?ID=15 and (select 1 from PEOPLE limit 0,1)=1&type=Speaker should be true.

And it is! The page displays normally.

You can bruteforce guess the table names, or there are many round about ways of detecting them letter by letter using substring and ascii functions. And once you figure out where the good information is stored, then you can break into those tables and grab it.

I’m not here to give you the exact methods on how to bruteforce it or use char codes, but just to give you the basics on what it is. Know that you know what it is, protect against it! How hard is it to check for a space? Add slashes? Check if it is an int? Guys common, these practices are standard when dealing with forms, why not make them standard when dealing with get variables. Recently (about 4-6 months ago) HyperVM was found to have a BSI vulnerability and within a couple of days, thousands and thousands of VPS servers were hacked and accounts deleted. It all could have been prevented with just one line of code.

In order to create an image for a thumbnail, we need to take a screen shot of webpage. PHP GD class allows us to take screen shots of different windows. PHP also allows us to control different windows, like Internet Explorer using the COM class. So basically what we need to do is have PHP open up a window in Internet Explorer, navigate to a website, and then take a picture of that window, then save it/display it. The tutorial shown on php.net shows exactly how to do this:

<?php
$browser = new COM("InternetExplorer.Application");
$handle = $browser->HWND;
$browser->Visible = true;
$browser->Navigate("http://www.libgd.org");
 
/* Still working? */
while ($browser->Busy) {
    com_message_pump(4000);
}
$im = imagegrabwindow($handle, 0);
$browser->Quit();
imagepng($im, "iesnap.png");
imagedestroy($im);
?>

So this is SUPPOSED to load libgd.org and take a snap shot and save it to “iesnap.png”, and it DOES work, but only if your server allows it to work. If it doesn’t you just get a black/blank picture.

Windows rarely lets one program access another program via the desktop and control it. By default, Apache isn’t allowed to open Internet Explorer on windows, so we have to add an exception.

1. On Vista, click the start button, and in the search box type “Services”.
2. At the very top, there should be a link under Programs called Services. Click that link.
3. It will open up all running services, and you will see Apache running (mine is Apache 2.2, and is the first entry).
4. Right click on it and select “Properties”
5. Navigate to the “Log On” tab
6. Click the box for “Allow service to interact with the desktop”
7. Save it and close the properties
8. Right click on Apache again
9. This time, click restart, and Apache will be restarted with the new features

Now run your script again! Vista pops up a little box alerting the user that a program is interact with the desktop. Just ignore it and it will disappear in a few seconds. After the program is complete, go to your web folder and you will see iesnap.png is now an image of a webpage!

Time to make some tweaks! You will notice that it grabs the ENTIRE screen, meaning the tool bars and everything. We will need to make a few adjustments to get rid of those. The first one I made was to make the browser show as a full screen:

$browser = new COM("InternetExplorer.Application");
$handle = $browser->HWND;
$browser->Visible = true;
$browser->FullScreen=true;

That last line will make it display in the fullscreen mode, which takes care of the tool bars at the top, but I still see the footer and the side bar that I want to get rid of. In order to do this, we need to crop a little, but GD doesn’t have a simple cropping method. What I did was copied part of this picture to a new picture and resized it. Keep in mind, my display settings are going to be different, and will require you to look at your picture and test it out:

<?php
$url = $_GET['url'];
$w = $_GET['w'];
$h = $_GET['h'];
if(empty($w))
    $w=300;
if(empty($h))
    $h=300;
if(empty($url))
    $url="www.notan00b.com";
if($w>1263)
    $w=1263;
if($h>780)
    $h=1263;
$browser = new COM("InternetExplorer.Application");
$handle = $browser->HWND;
$browser->Visible = true;
$browser->FullScreen=true;
$browser->Navigate("http://".$url);
 
 
/* Still working?*/
while ($browser->Busy) {
    com_message_pump(4000);
}
$im = imagegrabwindow($handle, 0);
$browser->Quit();
imagepng($im, "iesnap.png");
$dest = imagecreatetruecolor($w,$h);
 
// Copy
imagecopyresized($dest, $im, 0, 0, 0, 0, $w, $h,1263,780);
 
// Output and free from memory
header('Content-Type: image/gif');
imagegif($dest);
 
imagedestroy($dest);
imagedestroy($im);
?>

There we have it. Even with the GET variables so you can reuse this script for AJAX or any HTML document. My images were 1280×800. To remove the bars I scaled it down to 1263×780, and they were removed almost perfectly, but it will be different for everyone.

I would post an example of it, but I am only hosted… I don’t actually pay for a VPS or private server just for one little blog. Sorry folks. If it was up to me, and I needed this service, I would probably pay a company to do it for me for a simple little website. If you have a VPS with enough memory, this may work for you. Good luck, let me know if you have any questions.

This is the goal!

The first way that I thought of was to create a form for every piece of info I pulled from the database. So lets say for ID=1, there would be 1 form with all the info preloaded into it. ID=2 would be a separate form with all different info. This works, but I had to have about 20 dialog boxes per page, and it would cause the HTML output to be about 20 times larger than I needed.

In my head, I knew there had to be a way to do this with DHTML and jQuery, and I finally figured it out. All I had to do was create a value and store it in the button that I was already using (well it was actually just a link). So I turned <a href="#" class="editThis">Edit!</a> into <a href="#" class="editThis" id="1">Edit!</a>. I used PHP to echo out the data already but now each link will have a different ID:

echo "<a href=\"#\" class\"editThis\" id=\"$row[UserId]\">Edit!</a>";

So now we have 20 links, each looking the same, but each with a unique ID. This is where jQuery comes in handy. We can look up the anchor by class, and then store the ID as a variable for later use!

$(".editThis").click(function{
   var id=$(this).attr('id');
});

So now we have the ID of the info we want to manipulate. The next part was a little more difficult to figure out. I want only 1 dialog box and 1 form, but want the info auto filled. At first I was thinking we needed to do a lot of AJAX to pull out each and every variable that we want to edit, but then I figured out we could pass that info into HTML as a “HIDDEN” variable. HTML is great because you can hide all sorts of stuff and the user will never see it. I can set the style as “hidden”, or I can include it inside a tag somewhere, or better yet, and my favorite, I can create a hidden variable: <input type="hidden" id="editinfo1" value="myinfohere"> Now we need to implement this into our PHP to write it to the HTML:

echo "<a href=\"#\" class\"editThis\" id=\"$row[UserId]\">Edit!</a>";
echo "<input type=\"hidden\"";
echo " name=\"editinfo{$row['UserId']}\""; 
echo " id=\"editinfo{$row['UserId']}\""; 
echo " value=\"$row[Name]::$row[Address]::$row[Age]\">";

So now our HTML will look like this:

<a href="#" class="editThis" id="1">
<input type="hidden" name="editinfo1" id="editinfo1" value="Bob Jones::123 N Street::26">

All our info is now conveniently stored for jQuery to access later!

$(".editThis").click(function{
   var id=$(this).attr('id');
   var variables=$("#editinfo"+id).val();
   var info=variables.split('::');
   alert(info[0]+"\n"+info[1]+"\n"+info[2]);
});

Now for the fun part, using jQuery to dynamically change the values of our SINGLE form!
Our form might look like this:

<div id="dialog" title="Edit User">
    <form method="post" name="edituserform" action=editUser.php">
    <input type="hidden" name="action" value="edituser">
    <input type="hidden" name="userid" id="euid" value="0">
    <center>
        <table width="75%">
            <tr>
                <td align="right">User Name: </td>
                <td align="left"><input type="text" name="username" id="eusername"></td>
            </tr>
            <tr>
                <td align="right">Address: </td>
                <td align="left"><input type="text" name="address" id="eaddress"></td>
            </tr>
            <tr>
                <td align="right">Age: </td>
                <td align="left"><input type="text" name="age" id="eage"></td>
            </tr>
        </table>
    </center>
    </form>
</div>

And our jQuery would look like this:

$(".editThis").click(function{
   var id=$(this).attr('id');
   var variables=$("#editinfo"+id).val();
   var info=variables.split('::');
   $("#eusername").val(info[0]);
   $("#eaddress").val(info[1]);
   $("#eage").val(info[2]);
   $("euid").val(id);
   $("#dialog").dialog("open");
});
$('#dialog').dialog({
        autoOpen: false,
        width: 600,
        modal: true,
        position: 'top',
        buttons: {
            "Update user": function() {
                document.edituserform.submit();
            }, 
            "Cancel": function() { 
                $(this).dialog("close"); 
            } 
        }
    });

That’s it! Hopefully it was easy to understand. Let me know if you need anything cleared up a little! Thanks!

• First name
• Last Name
• Social Security Number
• Address
• City
• State
• Zip
• Date of birth
• Salary
• Position
• Start Date

That’s probably sufficient for our purposes, and then some. So the next question we need to ask is, what are we planning on doing with this info? I would assume a lot of it would be interacting with a database. This would probably involve a lot of CRUD operations (Create, Read, Update, Delete). So we need to make functions for each. One to create a new employee in the database, one to get employee info, one to update employee info if it is changed, one to delete employees once they have been fired or never completed training or whatever. The one other thing I can think of is maybe assigning an employee an ID so he can easily be tracked in the system, in case there are two Mr. John Smith employees. Speaking of searching, maybe a search function would be nice as well. So lets set out to create our class:

<?php
class Employee
{
    var $Id=null;
    var $FirstName;
    var $LastName;
    var $DOB;
    var $Position;
    var $Salary;
    var $StartDate=date('m/d/Y');
    var $EndDate=null;
    function _construct($id=null)
    {
        if($id!=null)
            $this->LoadEmployee($id);
    }
    function LoadEmployee($id)
    {
        /*** Connect to database  ***/
        /*** Code Not Included ***/
        $query="SELECT FROM Employees WHERE Id='$id'";
        $result=mysql_query($query);
        //makes sure the user exists
        if(mysql_num_rows($result)==1)
        {
            //Sets class variables
            $row=mysql_fetch_array($query);
            $this->Id=$id;
            $this->FirstName=$row['FirstName'];
            $this->LastName=$row['LastName'];
            $this->DOB=$row['DOB'];
            $this->Position=$row['Position'];
            $this->Salary=$row['Salary'];
            $this->StartDate=$row['StartDate'];
            $this->EndDate=$row['EndDate']
        }else{
            return false;
        }
    }
    function CreateEmployee()
    {
        if(!$this->CheckVariables())
            return false;
        /*** Connect to database  ***/
        /*** Code Not Included ***/
        $query="INSERT INTO Employees (FirstName,LastName,DOB,Position,Salary,StartDate) VALUES ('".$this->FirstName."','".$this->LastName."','".$this->DOB."','".$this->Salary."','".$this->StartDate."')";
        mysql_query($query);
        //Inserted, and now lets return his ID number
        $query2="SELECT Id FROM Employees WHERE FirstName='".$this->FirstName."' AND LastName='".$this->LastName."' AND DOB='".$this->DOB."' AND StartDate='".$this->StartDate."'";
        $row=mysql_fetch_array(mysql_query($query2));
        return $row['Id'];
    }      
    function CheckVariables()
    {
        //makes sure we don't have any empty variables in the areas that matter
        if(empty($this->FirstName)||empty($this->LastName)||empty($this->DOB)||empty($this->Position)||empty($this->Salary))
            return false;
        else
            return true;
    }
    function UpdateEmployee($field, $value, $id=$this->Id)
    {
        //makes sure an ID is chosen or specified.
        if($id==null)
            return false;
        /*** Connect to database  ***/
        /*** Code Not Included ***/
        $query="UPDATE Employees SET $field='$value' WHERE Id='$id'";
        mysql_query($query);
    }
    function ToArray()
    {
        $array['Id']=$this->Id;
        $array['FirstName']=$this->FirstName;
        $array['LastName']=$this->LastName;
        $array['Position']=$this->Position;
        $array['Salary']=$this->Salary;
        $array['DOB']=$this->DOB;
        $array['StartDate']=$this->StartDate;
        $array['EndDate']=$this->EndDate;
        return $array;        
    }
}
?>

Here is the finished class minus a few things that you can add if you want. What my class does is creates employees, updates specific fields, checks information, turns the info into an array, etc. I didn’t include all the variables we listed because I am lazy, as well as the delete function. There are always improvements that can be made, but this is a good starting block for any programmer. So lets see how we use it:

<?php
require("classEmployee.php");
//create a new employee
$emp=new Employee();
$emp->FirstName="Bob";
$emp->LastName="Smith";
$emp->DOB="01/01/99";
$emp->Position="Data Entry";
$emp->Salary="$10/hr";
$empid=$emp->CreateEmployee();
//And now he was created and entered into the system.
echo $empid; //His ID;
//lets check to make sure he is still in the system.
$emp2 = new Employee($empid);
$empArray = $emp2->ToArray();
print_r($empArray);
//ok, all looks good.  Lets update his name.
$emp2->UpdateEmployee("FirstName","Bobby",$empid);
?>

Well that’s my sample. Its pure rough draft, and probably won’t even work properly, but I am conveying the IDEA of OOP and employees. Think how much smoother your code would be if you created a few forms asking for employees IDs and it loads it, or allows the HR Department to enter a new employees info straight into the database on a very simple form. Good luck with this! Let me know if there are any other problems I can help with!

<?php
$name=$_POST['name'];
$pass=$_POST['pass'];
$sql="SELECT * FROM Users WHERE Name='$name' AND Pass='$pass'";
?>

This would work perfectly, and would allow people to log in. It would also allow people to SQL inject it. What if they typed this in:

Well our SQL statement ends up looking like this:
SELECT * FROM Users WHERE Name='admin' AND Pass='admin' OR 'x'='x'
‘x’='x’ is a TRUE statement 100% of the time, so as long as ‘x’='x’, it will pull up all the info you needed, and suddenly you are logged in. This is probably the easiest SQL injection around, and does work on occasion. There are hundreds of SQL injections, and a poorly coded site will always be susceptible. Not only are people able to log into a site as an administrator, but they can display login info using UNION statements.
One other way good programmers tend to get lazy is through their “GET” variables. A lot of times programmers will pass variables in the URL bar: http://www.mysite.com/view.php?id=123. There is nothing wrong with this, in fact, everyone does it and will continue to do it because it is efficient and easy to do. The problem comes when people SQL inject that variable: view.php?id=123′ and ‘x’='y. This particular injection allows a hacker to test your site for susceptibility to injections in the URL bar. If you didn’t protect your variables, your SQL statement would look like this if it wasn’t protected: "SELECT * FROM Info WHERE Id='123' and 'x'='y'". If it wasn’t protected, the hacker would see a page with NO info on it, or an error because ‘x’ NEVER equals ‘y’ and is a FALSE statement. If they see a blank page or an error, they know they can continue their attack and eventually gain access to all of your information.

My goal is not to teach you how to hack, but rather how a simple PHP object exists and will help you avoid these types of attacks. That object is PDO. It comes standard with the latest releases of PHP and can be used to prevent SQL injections very simply. PDO is a database object, that allows you to connect to a variety of different databases, send queries, and display the results. It actually is a bit easier to code than actual mysql in PHP, but it is a complete 180 from what you have been taught using w3schools and tizag.com. I don’t really want to get into a tutorial of PDO either because there are quite a few on the internet that explain it much better than I can right now. I recommend checking out http://www.phpro.org/tutorials/Introduction-to-PHP-PDO.html to get a grip on the basics of how PDO works. The one thing that this tutorial does NOT explain is the “prepare” function. He only goes into it slightly, but doesn’t describe what it does exactly. Prepare() simply checks for all types of quotes and makes sure that no SQL injections can get through. Here is a quick example:

<?php
$mysql_host="localhost";
$mysql_user="root";
$mysql_pass='';
$mysql_database="epco";
try {
    $dbh = new PDO("mysql:host=$mysql_host;dbname=$mysql_database", $mysql_user, $mysql_pass);
    /*** create the statement ***/
    $stmt = $dbh->prepare("SELECT * FROM users WHERE user = :user AND pass = :pass");
    /*** bind the paramaters ***/
    $stmt->bindParam(':user', $_POST['user'], PDO::PARAM_STR);
    $stmt->bindParam(':pass', $_POST['pass'], PDO::PARAM_STR);
    /*** execute the prepared statement ***/
    $stmt->execute();
    /*** close the database connection ***/
    $dbh = null;    
}catch(PDOException $e){
    echo $e->getMessage();
}
?>

When we prepare our statement, we use a place-holder that will later assign a variable to. When that statement is executed, all our quotes are removed or slashed. $_POST['user']="admin' OR 1=1"; typically becomes $_POST['user']="admin\' OR 1=1"; and your database is protected from the attacks.

In conclusion, I am not advocating PDO and saying only to use that and nothing else. I use a database class that is much smaller and does what I need it to do. I have spoken with other programmers who have created their own class to add/strip slashes, rawurlencode/decode, and htmlspecialcharacters and connect to their databases. PDO was created as a “universal” database object that can do whatever you want it to do with several different databases. It is awesome and will go a long way to protect your site from SQL injections if used properly. The prepare statement is simple, but doesn’t protect against EVERY type of attack. Don’t be fooled into a false sense of security just because you are using a PHP object. XSS, javascript injections, and bruteforce, attacks are all still possible even if you use this class. Be careful in what you code, and fix any code when the holes are found by users or when you are hacked.

Step 1 – Create a new table!
Go to your MySQL database and create a table called “wp_counter” with 2 fields: Post_Id and Count. Both are Int with length 10. Here is the SQL code you can copy and paste to make it a bit shorter:
CREATE TABLE `wp_counter` (`Post_Id` INT( 10 ) NOT NULL , `Count` INT( 10 ) NOT NULL)

Step 2 – Editing post-template.php
This is the file that is used to display your posts (not the snippets on your front page, but full out posts). It is located in the “wp-includes” directory.
Open post-template.php for editing.
Search for a function called “the_content()“. It typically starts on line 165 should look like this:

165
166
167
168
169
170

function the_content($more_link_text = null, $stripteaser = 0, $more_file = '') {
	$content = get_the_content($more_link_text, $stripteaser, $more_file);
	$content = apply_filters('the_content', $content);
	$content = str_replace(']]>', ']]>', $content);
	echo $content;
}

So what we want to do is make it so that every time it shows the content, it will update the count and display it to the user. So we are going to change that function to look like this:

165
166
167
168
169
170
171
172

function the_content($more_link_text = null, $stripteaser = 0, $more_file = '') {
	$content = get_the_content($more_link_text, $stripteaser, $more_file);
	$content = apply_filters('the_content', $content);
	$content = str_replace(']]>', ']]>', $content);
	echo $content;
	update_count();
	echo"<small><i>Views: ".get_content_views()."</i></small>";
}

And immediately following that, we are going to add a couple functions:

173
174
175
176
177
178
179
180
181
182
183
184
185
186
187

function update_count(){
	global $wpdb, $id;
	if($wpdb->query($wpdb->prepare("SELECT * FROM wp_counter WHERE Post_Id='$id'"))==0)
		$wpdb->insert("wp_counter",array('Post_Id'=>$id,'Count'=>1),array('%d','%d'));
	else {
		$row=$wpdb->get_row($wpdb->prepare("SELECT * FROM wp_counter WHERE Post_Id='$id'"),ARRAY_A);
		$count=$row['Count']+1;
		$wpdb->update('wp_counter',array('Count'=>$count),array('Post_Id'=>$id),array('%d'),array('%d'));
	}
}
function content_views(){
	global $wpdb, $id;
	$row=$wpdb->get_row($wpdb->prepare("SELECT * FROM wp_counter WHERE Post_Id='$id'"),ARRAY_A);
	echo $row['Count'];
}

That’s it! So your finalized post-template.php will look like this:

function the_content($more_link_text = null, $stripteaser = 0, $more_file = '') {
	$content = get_the_content($more_link_text, $stripteaser, $more_file);
	$content = apply_filters('the_content', $content);
	$content = str_replace(']]>', ']]>', $content);
	echo $content;
	update_count();
	echo"<small><i>Views: ".get_content_views()."</i></small>";
}
function update_count(){
	global $wpdb, $id;
	if($wpdb->query($wpdb->prepare("SELECT * FROM wp_counter WHERE Post_Id='$id'"))==0)
		$wpdb->insert("wp_counter",array('Post_Id'=>$id,'Count'=>1),array('%d','%d'));
	else {
		$row=$wpdb->get_row($wpdb->prepare("SELECT * FROM wp_counter WHERE Post_Id='$id'"),ARRAY_A);
		$count=$row['Count']+1;
		$wpdb->update('wp_counter',array('Count'=>$count),array('Post_Id'=>$id),array('%d'),array('%d'));
	}
}
function content_views(){
	global $wpdb, $id;
	$row=$wpdb->get_row($wpdb->prepare("SELECT * FROM wp_counter WHERE Post_Id='$id'"),ARRAY_A);
	echo $row['Count'];
}
function get_content_views(){
	global $wpdb, $id;
	$row=$wpdb->get_row($wpdb->prepare("SELECT * FROM wp_counter WHERE Post_Id='$id'"),ARRAY_A);
	return $row['Count'];
}

Now every time someone visits the page, they will see how many other people have viewed that page!