Friday, July 30, 2010

The day when affirmative sentences turned into interrogative....


You must be surprised by this childish title, but it is about my child only, so I chose this one. It seems my daughter is growing too fast and getting crazy and stubborn at twice the speed. She is going to be two years old this September.

This is the age when a kid tries to copy each and every action of yours, and so does Ishwin. She seems to learn some things very fast, and some things which are in our favour she never even bothers to learn. Now a parent can understand what the things are which really matter to us parents. :(

Now about the title: two or three days ago we realized that our asking her questions has changed her new-found linguistic understanding a little. And again this is NOT in our favour.
Whenever she wanted something earlier she used to say
"Mumma Khana khana hai",
"Mumma Doodh peena hai",
"Papa ghunni chalna hai",
"Papa choket khana hai"
"Mumma Gali(Gadi Any 2Wheeler) pe bethna hai"

And I used to be proud of her, as she was merely one and a half years old and could say many things compared to other children of her age.
Now she is about to be two in Sep/10. She still says all these sentences, but they always end with a new word: "KYA".
Yes, now all her sentences end with a question mark and I bluntly say Yes or No to all her questions.
Thanks to her Mumma, who told me she is not asking a question; she wants you to do that thing.

So now when she wants me to make her sit in the Gadi she says "Papa Gali me bethna hai kya?" and when she wants to eat she will say "Mumma khana khana hai kya?" or any of the above sentences, which still have the same meaning for her, and she says them even more clearly, but the sentences have turned interrogative......

Thursday, February 4, 2010

SQL Injection

In my last article I discussed the performance issues with SQL cursors. In this article I would like to discuss database security.

What is SQL Injection?

As the name suggests, it is a special kind of SQL attack on your database, and your application is the interface for this attack. The attacker enters a crafted string in a user input form or web page and submits it; the string is then executed as part of your SQL and may perform destructive actions in your database.

While developing a web site we always think about security: user privileges, authentication, authorization, SSL and so on. But despite how damaging SQL injection is, it is not given due attention; at least that is my perception.

I will start directly with an example.

Example:

This is what my simple login method does. Here I am not validating the user inputs. This is a hypothetical example of a user login; I am using plain SQL to check whether the user exists or not.

try
{
    using (SqlConnection cn = new SqlConnection())
    {
        cn.ConnectionString = ConfigurationManager.ConnectionStrings["ConnectionString"].ToString();
        cn.Open();

        SqlCommand comLogin = new SqlCommand();
        comLogin.Connection = cn;
        comLogin.CommandType = CommandType.Text;

        // User input is concatenated straight into the SQL text: this is the flaw.
        comLogin.CommandText = "Select * from Users where UserName= '" + txtUserName.Text + "' and " +
                               "Password = '" + Password.Text + "'";

        SqlDataReader dr = comLogin.ExecuteReader();
        if (dr.Read())
        {
            // Success: at least one matching row
            Response.Redirect("LoginSuccess.aspx");
        }
        else
        {
            // Failure: no matching row
            Response.Redirect("LoginFail.aspx");
        }
    }
}
catch (Exception)
{
    // Rethrow without resetting the stack trace ("throw ex;" would lose it)
    throw;
}

In the above example I am taking the user input directly from the controls.

Now suppose I enter the user name as Nitin and the password as '; Drop Table Users -- ' and press the Login button. Just guess what damage this will cause.

If your SQL Profiler is on you will find that something like the following is executed.

Select * from Users where UserName= 'nitin' and Password = ''; drop table Users --''

The above command actually executes two SQL statements.

  1. Select * from Users where UserName= 'nitin' and Password = '';
  2. drop table Users --''

End result: I do not get any record, but the Users table is dropped. Instead of dropping the table, an attacker can write some other command which updates existing records or even inserts new ones.

Or you can simply bypass this login validation by entering the password as ' or 1=1 ---'

This makes the final SQL statement look like this.

Select * from Users where UserName= 'nitin' and Password = '' or 1=1 ---''

It always returns records because 1 = 1 is always true, so the password check is never applied.

By now we understand that this attack can be performed by skilled attackers like you and me. :)

There are many more ways, and a variety of inputs, an attacker can use to cause the following damage.

  • Delete, update and insert data in tables.
  • Change existing important data, like the email id of a particular user, and then obtain other information.
  • Get information about the existing tables and columns of the database.
  • Drop an entire table.
  • Shut down the SQL Server itself by executing the command for it.
  • Insert commands or executable statements into a table which may later cause damage.
  • Get information about the machine hosting the SQL Server by executing some system procedures.

And many more...

It all depends on the attacker's expertise with SQL.

What can we do to avoid these attacks and make the system more robust?

  1. Replacing a single quote with two single quotes

I think everybody has used this line of code.

txtUserName.Text.Replace("'", "''")

Here we are replacing any single quote with two single quotes. Actually, to store a single quote in the database we have to escape it by doubling it, and that is what we did here. But knowingly or unknowingly we also prevented many SQL injections, because the attacker's quote can no longer close the string literal.

  2. Validate the input for its type and length.

We may have user input where we expect a numeric value. Just replacing the single quote with two will not work in this case, because a numeric value is not enclosed in quotes at all. Suppose your SQL query is expecting a numeric value and without validation something like "1; Drop table Users" is passed to your query. Check this SQL:

Select * from Users where UserID = 1; Drop table Users

In the above example the user writes the numeric value "1" which the application expects, then puts a semicolon ";" which ends the first SQL statement, and then writes "Drop table Users". This will do all the damage. To avoid this we should always validate the data in the first place: for type, length, escape sequences, etc. Never build your query directly from user input, like I did in my example. ;)

  3. Use parameterized dynamic SQL or parameterized stored procedures.

Using the parameter collection has two advantages.

    • The whole input is treated as a literal value, not as executable code. So even if you enter the password '; Drop Table Users -- ', it will do no harm at all, unlike in the case of direct SQL.
    • You can validate the input for its type and length, like below.

comLogin.Parameters.Add("@UserName", SqlDbType.VarChar, 5);

  4. Do not show the end user the actual database error.

An error message can contain information about your database schema, which an attacker can use for SQL injection. It is good practice to show the user a general, user-friendly error message and log the actual error in the database.

  5. Always store confidential data in encrypted format

It is good practice to store confidential data in encrypted format even when you are taking all the precautions to avoid SQL injection.

  6. Do not use an admin user account

If not necessary, do not use the admin user or a user with owner rights for connecting to the database. Better use a less privileged account which can perform only the necessary SQL operations, so that even a successful injection cannot drop tables or shut down the server.


Friday, January 29, 2010

Sql Cursors

Hello Coders,

As we all know, SQL cursors are used for performing a certain operation on each row of a record set, but why should we avoid using them?

Yes, cursors hamper performance.
They can lock the tables which are used for populating them, so other users are not able to update those tables while the cursor is open.
So with a long-running cursor operation the situation can be very bad.

Sometimes we may get better execution time with a cursor compared to the complicated T-SQL commands we write to avoid it, but the cursor will still lock the tables for other users, so it may increase the execution time for them.

We should consider all scenarios before opting for a cursor.

Here are some tips on avoiding Cursors:

• Do not write a cursor for performing the same task on each row. Use set-based T-SQL queries, even if we have to write many; they still give far better performance.

• We can use "Case" expressions for conditional updating of records.

• Use a temporary table "#TableName" for changes specific to some subset of a table. We can also use the "TABLE" variable type, which is available in SQL Server 2000 and later.

• Make use of "Derived Tables", which are also a kind of temporary table.

• Use a "While" loop, because unlike a cursor a "While" loop does not keep the tables locked while looping through.

Here in this post I am not giving any code sample or syntax, being a lazy bum. ;)
But these leads are more than enough for a smart coder like you.
Happy Coding
Cheers,
Nitin

Monday, September 21, 2009

Ishwin's First B'Day

My daughter Ishwin is now one year old... and I am a one-year-old father. :) To celebrate this occasion we had a small party. Here you can find all the action.

Wednesday, September 2, 2009

A Trip to Zipli Lake


This was another weekend and it was just about to finish as usual. We were planning to visit some nearby places.

I picked up the phone and called some friends to execute the plan, but everybody had some prior booking :(
Then my friend Sumeet called me and told me about a place called Zilpi which is just 25 km from Nagpur.
So he called other colleagues and finally we all left at three.

The atmosphere was cool and pleasant.
On our way to Zipli we faced a couple of rain showers making the environment cooler. It seemed the rain god was playing hide and seek with the sun.
All in all perfect timing for an outing, and we were the perfect people. ;)

As "no" one among us had visited the spot before, we kept asking people for the path to make sure we were going in the right direction.
After crossing Hingna we stopped at a tea stall beside the street. As this was far from the city we expected a good Doodh wali Chai here.

While sipping our teas, Sumeet went ahead and asked the tea wala, "Jhilpy Lake kuthe aahe" in Marathi, and that tea wala, so enthusiastic to help us, narrated the whole path in great detail, but alas, all in Marathi. We understood a little, but the mistake, or rather the over-smartness of my friend, is all on our part.
All we could understand was that we were near our spot. Ah, but I forgot: yes, the tea was really good, seemingly no water, pure milk and kadak Indian tea.
After five minutes of drive we reached our destination.

The place has a beautiful small lake surrounded by a beautiful lush-green landscape and a small hill.

I wonder, had it been summer time, what this place would have had to offer us. Anyway, this was not the damn summer of Nagpur and we were not there to think about the past or future of that place.
We were just out there for fun, to enjoy, and really desperate to take a break from our daily monotonous life which we had left 25 km behind.
So we spent our time as we liked. My daughter is very fond of water, so first we played in the water with her. Snehal seemed a serious photographer and was keen on capturing all the moments and beauty of the place.


Ishwin was keeping Sumeet, Munira, Snehal and me busy with herself. So her mom finally got some time to sit and rest peacefully on the bank of the lake.

After some time we took a walk towards the hill. We also climbed up that small hill, spent some time shooting and had chit-chat and fun...

Finally we got back to the lake again... spent some time the same way and got back to the car. As soon as we all settled in the car the rain god appeared again. But this time with no light shower... a heavy downpour, as if he were saying "Guys, fun time is over, get back to your work." And we drove away towards Nagpur.
After one hour of driving we were back in the city. We all liked the place very much, which later inspired some of our enthusiastic colleagues to make an eco-friendly cycle expedition to this place.

Thursday, June 4, 2009

A Trip To Pachmari(Part Two)

We planned to cover most of the points on the 2nd day, so we had hired a Gypsy the previous night itself.
I woke up at 7 in the morning; the atmosphere was cool and pleasant. We spent some time in the hotel's garden. There were lots of monkeys playing on the roof and in the trees. One needs to be careful about them. Soon we realized it was already 9, so what had happened to our Gypsy wala... but the mistake was on our part, as the Gypsy wala was already waiting for us outside the hotel.
We had some snacks at the market place, and then finally went for the entry ticket and a guide.
A guide is compulsory, but as we were already late there was no guide available for us.
After this our 2nd day tour started.
First we went to the Pandava Caves. There was a beautiful and well maintained garden in front of the caves. We were not willing to spend much time over there as it was noon and the sun was at its peak. Had we visited this place in some other season we would have spent quality time here.


So we quickly wound up there and went to Apsara Vihar. Here we hired a guide who narrated to us all the stories about this waterfall and pond. First he told us about the historical importance and why it is called Apsara Vihar: "During British rule in India, British women used to take a bath here and they were referred to as fairies (Apsara) by the local tribes because of their fairer complexion."

This place was also used as a shooting spot in one of the great Indian movies, "Ashoka", starring SRK and Kareena Kapoor. The guide told us many action sequences of SRK were performed by a duplicate.

I was too tired by then as I was carrying my daughter too, and she was 9 kg. The place was really cool; we had fun in the water for some time, then we continued on a different path, and the guide showed us Panchali Kund on our way back to the taxi.



We went to visit a spot called Rajat Prapat (Silver Fall). As the name suggests, it was a waterfall in a deep valley and we were watching it from far away on the opposite side, so it looked like a thin silver line.

After that we went to B-Fall, another waterfall and another trek :( Here too we had to walk almost one and a half km, but fortunately this time a bearer (Pittu) was with us to carry our children and our belongings.


This was quite a big waterfall in comparison to Apsara Vihar.
One can have a really good massage under this, as the water was falling with great force. As we were with our kids, we decided not to bathe here and on our way back we went up to a place where the water was flowing with a little less current and was not deep. We really had a great time here, especially my daughter. She was in water for the first time but she was not afraid at all and had too much fun in the water. Everybody was just watching her playing and laughing.
Soon we realized we were too late compared to our scheduled time of return. We could have missed our last point, "Sunset at Dhoop Gadh". Our driver was waiting for us (it seemed he wanted us to be late so that he could skip this last point, so be aware of these drivers when you visit there and always keep an eye on the time). He was in no mood to take us to Dhoop Gadh, saying "it is already 5:30 and we are too late, the gates must be closed by now", but we told him just to drive. He reluctantly drove us to our last spot. Dhoopgadh is the highest point of Pachmari as well as Madhya Pradesh. The way to Dhoopgadh was zigzagged with lots of sharp turns. Being a local driver with a four-wheel-drive Gypsy, we were expecting him to navigate swiftly through these curves, but he was driving damn slowly. I bet my friend Vijay could drive it faster than him. Soon a Maruti 800 overtook us; I doubted that this small car would reach the destination. But it was moving up slowly so we had to be slower...
But woohooo!!! The car reached the gate and the gate re-opened for them, so we finally entered the point at the perfect time. Here it was like we were all above the world; the sun was ready to disappear behind the Satpura Hills.

It was a panoramic view to see the sun setting down among the clouds and hills. A sunset had never been so beautiful in my life. I took lots of snaps of this beautiful scenic view. This was the end of the second day's tour for us. We were about to return home the next day.


Wednesday, May 20, 2009

A Trip To Pachmari (Part One)


It was just the end of April and the mercury had already hit 48 degrees. I had already planned to go to the nearest hill station, Pachmari, to beat this heat.
After a long time I was going on vacation. Though this was not the first time I was going to this place, the feeling was no different, as this was the first time I was going after marriage. Also it was the first long trip for my sweetheart daughter Ishwin. She was just seven and a half months old. My wife Goldy and I were more concerned about her than about the places we were about to visit.
We left Nagpur early in the morning at seven o'clock in my friend's brand new Hyundai i10. We were already late by one hour from our scheduled time. The road was good up till now. We reached Chhindwara at 10. We took a halt there for refreshment at Raj Garden. We had parathas and chaach (buttermilk) on its lush green lawn. Our children had a great time toddling here and there. We finally left for Pachmari at 11 AM.
After only some miles, my friend realized it would have been better to come by taxi, as most of the road is missing from the place it should be. We saw "Work in progress" boards everywhere, but really, was it? Don't know.
We covered this half of the distance in nearly 4 hours and reached Pachmari at 3 PM.
We had an advance booking of two hutments in Hotel Highland & Resort from MP Tourism. Our rooms were not as good as we expected and the service was as pathetic as the roads of MP. After a little rest we went for some sightseeing. Though it was noon, the temperature there was not more than 35 degrees, thanks to the greenery of the mango and sal trees which covered almost 90 percent of the jungle.
First we hired a guide, took some snacks at a local restaurant and moved ahead to cover some points nearby.
We visited Handi Khoh, Bada Mahadev, Priyadarshini, Green Valley and then finally went for the sunset at Rajendra Giri.


We were all too tired by then. We had dinner at Hotel Maheshwari located in the city. The food was really, really good. The attending staff were good; they provided us food suitable for our children.
So we made up our minds to take our food from here only from now on.