Training, Open Source Programming Languages

Print friendly page
Home Accessibility Courses Twitter The Mouth Facebook Resources Site Map About Us Contact
 
For 2023 (and 2024 ...) - we are now fully retired from IT training.
We have made many, many friends over 25 years of teaching about Python, Tcl, Perl, PHP, Lua, Java, C and C++ - and MySQL, Linux and Solaris/SunOS too. Our training notes are now very much out of date, but due to upward compatability most of our examples remain operational and even relevant ad you are welcome to make us if them "as seen" and at your own risk.

Lisa and I (Graham) now live in what was our training centre in Melksham - happy to meet with former delegates here - but do check ahead before coming round. We are far from inactive - rather, enjoying the times that we are retired but still healthy enough in mind and body to be active!

I am also active in many other area and still look after a lot of web sites - you can find an index ((here))
An example of an injection attack using Javascript

Delegates sometimes ask me what an "injection attack" is, and for examples. I came across a really good example this morning on (oops!) one of our own pages - it's now fixed, but I'm documenting here and showing you what was happening so that you can learn from it.

Visiting one of the most popular pages on our web site this morning, all the expected content came up, but then this popup came on top of the page. It had me rather worried - the Image upload, store on database, retrieve, send back to browser demonstration is one of the busiest on our web site, and it had suddenly started coming up with this message. I tried it several times, and it was consistent - so it wasn't a genuine "database busy" message.


What had happened? We have a "review this page" facility on may of the pages on our web site - it encourages visitors to add comments. The comments don't get directly posted, but come to me for approval - this means that I can eliminate adverts for Viagra. And I had just approved a series of posts. Several of them were technical - included code - and I had overlooked the need to add in a call to htmlspecialchars. One of the visitor comments included:

die ("<html><script language='JavaScript'>alert('Unable to connect to database! Please try again later.'),history.go(-1)</script></html>");

which - alas - caused the script (which was being sent out to the browser) to run the Javascript ... outputting to the screen, then reverting to the previous page if the database was missing.

Cure? Simply adding an htmlspecialchars on each comment, problem fixed. I'm reluctant to call an "injection attack" as I don't think that the commenter was actually malicious - he was helpful, but he just caught me out. But what a great example of the sort of user input you need to be so careful to protect against!
(written 2010-02-08, updated 2010-02-11)

 
Associated topics are indexed as below, or enter http://melksh.am/nnnn for individual articles
W602 - Web and Intranet - Client Side Technologies
  [411] Javascript examples (some PHP and MySQL too) - (2005-08-13)
  [522] Javascript events - a good example - (2005-12-09)
  [1322] Flash - is it available to your web page? - (2007-08-26)
  [1681] Adding a button to a web page to print the page - (2008-06-18)
  [1749] Using server side and client side programming together - (2008-08-11)
  [1812] Starting Ajax - easy example of browser calling up server data - (2008-09-27)
  [1813] Ajax - going Asyncronous and what it means - (2008-09-28)
  [1814] Javascript/HTML example, dynamic server monitor - (2008-09-28)
  [2390] Dynamic / changing images on your web page - (2009-09-01)
  [3128] How does your browser find out about itself? - (2011-01-11)
  [4277] Sending a message to the server and changing text on a page when a button is pressed - (2014-05-23)
  [4310] Problem ... I want to print a series of numbered forms - (2014-10-05)

W510 - Web and Intranet - Executable Content
H117 - Security in PHP
  [345] Spotting a denial of service attack - (2005-06-12)
  [426] Robust checking of data entered by users - (2005-08-27)
  [920] A lion in a cage - PHP - (2006-11-10)
  [947] What is an SQL injection attack? - (2006-11-27)
  [1052] Learning to write secure, maintainable PHP - (2007-01-25)
  [1086] Injection attacks - safeguard your PHP scripts - (2007-02-20)
  [1323] Easy handling of errors in PHP - (2007-08-27)
  [1387] Error logging to file not browser in PHP - (2007-10-11)
  [1396] Using PHP to upload images / Store on MySQL database - security questions - (2007-10-19)
  [1482] A story about benchmarking PHP - (2007-12-23)
  [1542] Are nasty programs looking for security holes on your server? - (2008-02-17)
  [1679] PHP - Sanitised application principles for security and useability - (2008-06-16)
  [1694] Defensive coding techniques in PHP? - (2008-07-02)
  [1747] Who is watching you? - (2008-08-10)
  [1779] Injection Attacks - avoiding them in your PHP - (2008-08-31)
  [2025] Injection Attack if register_globals in on - PHP - (2009-02-04)
  [2688] Security considerations in programming - what do we teach? - (2010-03-22)
  [2939] Protecting your images from use out of context - (2010-08-29)
  [3210] Catchable fatal error in PHP ... How to catch, and alternative solutions such as JSON - (2011-03-22)
  [3698] How to stop forms on other sites submitting to your scripts - (2012-04-15)
  [3747] An easy way to comply with the new cookie law if your site is well designed - (2012-06-02)
  [3813] Injection Attacks - PHP, SQL, HTML, Javascript - and how to neutralise them - (2012-07-22)
  [4642] A small teaching program - demonstration of principles only - (2016-02-08)

H113 - Using MySQL Databases in PHP Pages
  [104] mysql_connect or mysql_pconnect in PHP? - (2004-10-30)
  [515] MySQL - an FAQ - (2005-12-03)
  [572] Giving the researcher power over database analysis - (2006-01-22)
  [581] Saving a MySQL query results to your local disc for Excel - (2006-01-29)
  [647] Checking for MySQL errors - (2006-03-15)
  [666] Database design - get it right from first principles - (2006-04-02)
  [723] Viewing images held in a MySQL database via PHP - (2006-05-17)
  [915] Paging through hundreds of entries - (2006-11-05)
  [937] Display an image from a MySQL database in a web page via PHP - (2006-11-22)
  [1010] Dates, times, clickable diarys in PHP - (2006-12-28)
  [1561] Uploading to a MySQL database through PHP - examples and common questions - (2008-03-02)
  [1983] Keeping PHP code in database and running it - (2009-01-09)
  [2071] Setting up a MySQL database from PHP - (2009-03-08)
  [2259] Grouping rows for a summary report - MySQL and PHP - (2009-06-27)
  [2320] Helping new arrivals find out about source code examples - (2009-08-03)
  [2432] Using print_r in PHP to explore mysql database requests - (2009-10-01)
  [2447] MySQL stored procedures / their use on the web from PHP - (2009-10-10)
  [2561] The future of MySQL - (2010-01-03)
  [3035] How to display information from a database within a web page - (2010-11-07)
  [3455] MySQL, MySQLi, PDO or something else - how best to talk to databases from PHP - (2011-09-24)
  [4378] What FGW passengers want to talk about / and PHP programming to find out - (2015-01-01)
  [4483] Moving from mysql to mysqli - simple worked example - (2015-05-03)


Back to
Saturdays out from Melksham - to Oxford, to Didcot or to Swindon
 Previous and next
or
Horse's mouth home		 Forward to
Curly braces within double quoted strings in PHP
Some other Articles
Shipping a test harness with your class in PHP
How to show a large result set page by page in PHP
Static variables and ampersands in PHP
Curly braces within double quoted strings in PHP
An example of an injection attack using Javascript
Saturdays out from Melksham - to Oxford, to Didcot or to Swindon
On Malachite Green
Both feet on the same pavement
Skyline and looking up in London
Object Oriented Ruby - new examples
4759 posts, page by page
Link to page ... 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96 at 50 posts per page


This is a page archived from The Horse's Mouth at http://www.wellho.net/horse/ - the diary and writings of Graham Ellis. Every attempt was made to provide current information at the time the page was written, but things do move forward in our business - new software releases, price changes, new techniques. Please check back via our main site for current courses, prices, versions, etc - any mention of a price in "The Horse's Mouth" cannot be taken as an offer to supply at that price.

Link to Ezine home page (for reading).
Link to Blogging home page (to add comments).
You can Add a comment or ranking to this page

Like this? ??

Related short articles
Python examples - updates under way
When to check an object type - Python isinstance example
with in Python - examples of use, and of defining your own context
Programming with random numbers - yet re-using the same values for testing
Real life PHP application using our course training MVC example
Ruby testing with RSpec - a new example
Expect with Ruby - a training example to get you started
Exceptions in Ruby - throwing, catching and using
Alternating valuses / flip-flop / toggle - example in Ruby
Separating detailed data code from the main application - Ruby example
Recursion in Python - the classic example
Unique word locator - Python dict example
Object and Static methods - what is the difference; example in Python 3
What are callbacks? Why use them? An example in Python
Using an MVC structure - even without a formal framework
String handling in C - new examples of extracting integers from a string
Singleton design pattern - examples and uses
Perl 6 - a Practical Extraction and Reporting example!
Pytest - second example beyond hello world
Pytest - starting example
Using Perl 6 to analyse and report on data
XML handling in Python - a new teaching example using etree
Principles or a GUI and their practical application using wxPthon
Thin application, thick objects - keep you main code simple. Example in Ruby
Easy example - data record to object and object to data record mapping in Ruby
Behaviour and test driven development in Ruby using RSpec
Lua - using modules to add your own utilities
RUby - loading, using, changing, storing JSON format data
RSpec - Ruby testing (stand alone example / no cucumber)
example of SQLite using a local database file through SQLalchemy
SQLAlchemy - first examples with a Python Object Relationship Mapping system
Tcl - a new example for data reformatting
Separating your code for easier testing, understanding and re-use; example in Ruby
Misusing statistics? - the seedy side of election campaigning
Server program written in Tcl using sockets
Using Object Oriented Tcl and the Tk toolkit together - real life example
A new Tcl/tk example - a window to show system status
Test framework for TCL - Tcltest - some examples
Objects in Tcl - iTcl - updated first steps example
Working out distance between places, using OS grid references and a program in Tcl
Using the lead - passing arrays and other collections in Java
Java example - for loop and conditionals from course exercise
Java Inheritance example - group of classes - step by step
A good example of recursion - a real use in Python
Setting up and using a dict in Python - simple first example
Java Utility class - flexible replacement for array. Also cacheing in objects and multiple catch clauses example.
Philosophy behind object design - and how I applied in to a Java example
Cucumber example - test::unit, scenario outlines, datafile driven test
Global Regular Expression matching in Ruby (using scan)
Final examples for 2014 - and a look at our 2015 training course options
Test driven development, and class design, from first principles (using C++)
Why are people using the TransWilts?
Conditionals, loops and methods in Ruby - a primer with simple examples
A behaviour driven example of writing a Java program
Python base and inherited classes, test harness and unit testing - new examples
Simple C structs - building up to full, dynamic example
Test Driven Development - a first example of principle in C
Musings on a Welsh town
Java - factory method, encapsulation, hashmap example
An example of Model-View-Controller techniques in a Perl / CGI script
Identifying and clearing denial of service attacks on your Apache server
Lazy operators in Lua - what they mean, and examples
Using Python to analyse last years forum logs. Good coding practise discussion.
Lists in Tcl - fundamentals in a commented source code example
Tcl + Tk (Wish) - an introduction and revision example
Using our non-found page to help look for missing persons
Using your own laptop on our courses - now even easier!
Using object orientation for non-physical objects
Perl design patterns example
Python network programming - new FTP and socket level examples
Cacheing class for Python - using a local SQLite database as a key/value store
JSON from Python - first principles, easy example
Further recent PHP examples
Learning about Object Orientation in PHP - a new set of examples
Sessions, forms and validation in CodeIgniter - early examples
stdClass in PHP - using an object rather than an associative array
Using web services to access you data - JSON and RESTful services
A couple of new fast-start PHP examples
Using Pygments to colour our training examples
Exception, Lambda, Generator, Slice, Dict - examples in one Python program
© WELL HOUSE CONSULTANTS LTD., 2025: 48 Spa Road • Melksham, Wiltshire • United Kingdom • SN12 7NY
PH: 01144 1225 708225 • EMAIL: info@wellho.net • WEB: http://www.wellho.net • SKYPE: wellho

PAGE: http://www.wellho.net/mouth/2628_.html • PAGE BUILT: Sun Oct 11 16:07:41 2020 • BUILD SYSTEM: JelliaJamb