<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Techie Blog &#187; IT</title>
	<atom:link href="http://www.virtualict.co.uk/wp/archives/category/it/feed" rel="self" type="application/rss+xml" />
	<link>http://www.virtualict.co.uk/wp</link>
	<description>virtualict from Datasoft ICT Ltd.</description>
	<lastBuildDate>Thu, 17 Feb 2011 09:43:01 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.5</generator>
		<item>
		<title>SQL Injection attacks</title>
		<link>http://www.virtualict.co.uk/wp/archives/91</link>
		<comments>http://www.virtualict.co.uk/wp/archives/91#comments</comments>
		<pubDate>Tue, 09 Nov 2010 07:56:28 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[IT]]></category>
		<category><![CDATA[Support]]></category>
		<category><![CDATA[networks]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.virtualict.co.uk/wp/?p=91</guid>
		<description><![CDATA[SQL Injection attacks and how to try to avoid them <a href="http://www.virtualict.co.uk/wp/archives/91">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>The recent attack on the Royal Navy site using SQL Injection techniques is a timely reminder to anyone still leaving their database unprotected.</p>
<p>The good news is you can quite easily reduce the risk of an injection attack. These attacks take place when a site lets the data typed into form input fields reach the database as part of its SQL commands. By adding extra words to the end of a form input field, SQL statements can be run in addition to the originally designed statement. These commands can be quite simple: for example, first select a list of tables, then select the data in the tables. As this operates at the database layer, a connection has already been made by the software to the database, so login details aren&#8217;t required.</p>
<p>There are simple functions that use basic escape mechanisms to protect the data input. The most common approach is escaping the data, which may not be the strongest security measure. The input string is read and, if the function finds certain characters, it will &#8216;escape&#8217; them, that is, add a &#8216;\&#8217; character in front of the relevant character. There are still ways around this, so to be safe the query to the database should be ‘parameterized’: that is, the input is broken out of the SQL statement and passed to the query as separate parameters. Basic functions exist in most programming languages to do this task.</p>
<p>Better yet, and good practice anyway, is to use stored procedures, as these are totally parameterized. It isn’t particularly complicated, but it is a bit of a pain to do … if in doubt ask your web designer!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.virtualict.co.uk/wp/archives/91/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security starts at home</title>
		<link>http://www.virtualict.co.uk/wp/archives/40</link>
		<comments>http://www.virtualict.co.uk/wp/archives/40#comments</comments>
		<pubDate>Thu, 23 Sep 2010 09:17:36 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[IT]]></category>
		<category><![CDATA[networks]]></category>

		<guid isPermaLink="false">http://www.virtualict.co.uk/wp/?p=40</guid>
		<description><![CDATA[As soon as the dust settles on one crisis story about internet security, another pops up. As developers we are on scores of mailing lists, and it is no surprise to find that the bulk of our alerts come from &#8230; <a href="http://www.virtualict.co.uk/wp/archives/40">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>As soon as the dust settles on one crisis story about internet security, another pops up.</p>
<p>As developers we are on scores of mailing lists, and it is no surprise to find that the bulk of our alerts come from the security business sector, usually along with a &#8216;cure&#8217; for the particular ailment. It seems to be a bit like going to the doctor and being advised to take cough medicine from his own-brand medicines, even if you only went with a sore foot.</p>
<p>It is a pity really, as it can take a bit of time to sort the wheat from the chaff, or coughs from the limps.</p>
<p>The key theme that comes through again and again is that you must keep yourself secure: change passwords regularly, be careful about the type of data you put out onto the internet, check privacy policies, etc.</p>
<p>For those of you who might remember Hill Street Blues the phrase goes &#8211; &#8216;Let&#8217;s be careful out there!&#8217;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.virtualict.co.uk/wp/archives/40/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How safe is your phone?</title>
		<link>http://www.virtualict.co.uk/wp/archives/19</link>
		<comments>http://www.virtualict.co.uk/wp/archives/19#comments</comments>
		<pubDate>Fri, 13 Aug 2010 09:56:23 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[IT]]></category>
		<category><![CDATA[mobile]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.virtualict.co.uk/wp/?p=19</guid>
		<description><![CDATA[After years of hacking, phishing and other malware on PCs, the criminal fraternity has moved onto mobiles in a big way. Using the same tools as we use for our modem development software it is possible to create an app &#8230; <a href="http://www.virtualict.co.uk/wp/archives/19">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>After years of hacking, phishing and other malware on PCs, the criminal fraternity has moved onto mobiles in a big way.</p>
<p>Using the same tools as we use for our modem development software it is possible to create an app that steals your data.</p>
<p><a href="http://www.bbc.co.uk/news/technology-10912376">http://www.bbc.co.uk/news/technology-10912376</a></p>
<p>The main reason for this is that there is one key difference between PC and mobile hacking. With a PC the user needs to be enticed to a web site to download something onto the PC. It might be a key logger or phishing scam that offers a tax return/lottery win etc. However, on a mobile the connection to your finances is already made as everything you do on a mobile has a charge.</p>
<p>This is the reason why mobiles are so at risk; your mobile could download an app that uses your credit to dial premium rate numbers and you won&#8217;t find out until your next bill. The &#8216;money&#8217; already exists to be taken.</p>
<p>Moral of the story &#8211; Don&#8217;t buy illegal apps. It is said that up to 90% of certain apps on mobiles are illegal downloads &#8211; that is one vulnerability. Code can be inserted into current popular apps and then offered for free, with the extra code and none of the protection of purchasing from the legal supplier.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.virtualict.co.uk/wp/archives/19/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>At last – a use for football?</title>
		<link>http://www.virtualict.co.uk/wp/archives/16</link>
		<comments>http://www.virtualict.co.uk/wp/archives/16#comments</comments>
		<pubDate>Thu, 22 Jul 2010 14:24:32 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[IT]]></category>

		<guid isPermaLink="false">http://www.virtualict.co.uk/wp/?p=16</guid>
		<description><![CDATA[I was trying to explain why an internet page used &#8216;F&#8217; as part of the colour designation. &#8220;It&#8217;s because it is a hex number,&#8221; I unhelpfully suggested. &#8220;How can F be a number?&#8221; was the instant reply. I was surprised as this &#8230; <a href="http://www.virtualict.co.uk/wp/archives/16">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>I was trying to explain why an internet page used &#8216;F&#8217; as part of the colour designation. &#8220;It&#8217;s because it is a hex number,&#8221; I unhelpfully suggested. &#8220;How can F be a number?&#8221; was the instant reply.</p>
<p>I was surprised as this was a technically savvy user. So I tried to explain the rationale behind using &#8216;labels&#8217; on a set of binary combinations and realised that I learnt hex as a Unix user as part of the package without really thinking too deeply.</p>
<p>It all stems from binary, and I suggested that he think about the World Cup: 1 winner, 2 finalists, 4 semi-finalists, 8 quarter-finalists, 16 round qualifiers, 32 top of pool teams. Each step is a doubling (or halving) of the teams. So in the same way we have in &#8216;columns&#8217; 1, 2, 4, 8, 16, 32.</p>
<p>The real trick though is understanding that binary is not a left-to-right read. It is a right-to-left read, so the World Cup draws would actually be 32, 16, 8, 4, 2, 1.</p>
<p>If you want to express the World Cup winner in a way that is simple, take the first &#8216;column&#8217; and turn this from 0 to 1. As there are two finalists you make the first column 0 and the second 1, making a representation of 10. Third would be a 1 + 2, so that would be represented as 11.</p>
<p>This continues, and as you add more teams you may want to represent the whole 32 so you can position every team. Therefore to be fourth becomes 100 and so on. Twentieth is 16 + 4, so 10100. Thinking of it in that sense let him see that 16 isn&#8217;t actually a number, but a state, a &#8216;label&#8217; for a binary code of 10000. It also helped him understand the funny numbers used, 512, 1024 etc., in computing terms. It is a lot easier to put F on a keyboard input than 010000.</p>
<p>So as a Rugby Union fan I can at last say that football does indeed have some use!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.virtualict.co.uk/wp/archives/16/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

