Online Earning - Please paste URL and use ads in your website
(1)Past Url - Click Here for free ads publishing (2) Click On Publisher then fill reg. (3) Now create your account and login and create code for ads ans paste script code in your blog website any where free without any cost
The scope of web hosting services varies greatly. The most basic isweb pageand small-scale file hosting, where files can beuploadedviaFile Transfer Protocol(FTP) or a Web interface. The files are usually delivered to the Web "as is" or with minimal processing. ManyInternet service providers(ISPs) offer this service free to subscribers. Individuals and organizations may also obtain Web page hosting from alternative service providers. Personal web site hosting is typically free, advertisement-sponsored, or inexpensive. Business web site hosting often has a higher expense depending upon the size and type of the site.A web hosting service is a type of Internet hosting service that allows individuals and organizations to make their websiteaccessible via the World Wide Web. Web hosts are companies that provide space on a server owned or leased for use by clients, as well as providing Internet connectivity, typically in a data center. Web hosts can also provide data center space and connectivity to the Internet for other servers located in their data center, called colocation, also known as Housing in Latin America or France.
The host may also provide an interface or control panel for managing the Web server and installing scripts, as well as other modules and service applications like e-mail. Some hosts specialize in certain software or services (e.g. e-commerce), which are commonly used by larger companies that outsource network infrastructure.
The availability of a website is measured by the percentage of a year in which the website is publicly accessible and reachable via the internet. This is different from measuring the uptime of a system. Uptime refers to the system itself being online, however it does not take into account being able to reach it as in the event of a network outage.
A hosting provider’s SLAs may include a certain amount of scheduled downtime per year in order to perform maintenance on the systems. This scheduled downtime is often excluded from the SLA timeframe, and needs to be subtracted from the Total Time when availability is calculated. Depending on the verbiage of an SLA, if the availability of a system drops below that in the signed SLA, a hosting provider often will provide a partial refund for time lost.
Many large companies that are not internet service providers need to be permanently connected to the web to send email, files, etc. to other sites. The company may use the computer as a website host to provide details of their goods and services and facilities for online orders.
Free web hosting service: offered by different companies with limited services, sometimes supported by advertisements, and often limited when compared to paid hosting.
Shared web hosting service: one's website is placed on the same server as many other sites, ranging from a few to hundreds or thousands. Typically, all domains may share a common pool of server resources, such as RAM and the CPU. The features available with this type of service can be quite basic and not flexible in terms of software and updates. Resellers often sell shared web hosting and web companies often have reseller accounts to provide hosting for clients.
Reseller web hosting: allows clients to become web hosts themselves. Resellers could function, for individual domains, under any combination of these listed types of hosting, depending on who they are affiliated with as a reseller. Resellers' accounts may vary tremendously in size: they may have their own virtual dedicated server to a colocated server. Many resellers provide a nearly identical service to their provider's shared hosting plan and provide the technical support themselves.
Virtual Dedicated Server: also known as a Virtual Private Server (VPS), divides server resources into virtual servers, where resources can be allocated in a way that does not directly reflect the underlying hardware. VPS will often be allocated resources based on a one server to many VPSs relationship, however virtualisation may be done for a number of reasons, including the ability to move a VPS container between servers. The users may have root access to their own virtual space. Customers are sometimes responsible for patching and maintaining the server.
Dedicated hosting service: the user gets his or her own Web server and gains full control over it (user has root access for Linux/administrator access for Windows); however, the user typically does not own the server. One type of Dedicated hosting is Self-Managed or Unmanaged. This is usually the least expensive for Dedicated plans. The user has full administrative access to the server, which means the client is responsible for the security and maintenance of his own dedicated server.
Managed hosting service: the user gets his or her own Web server but is not allowed full control over it (user is denied root access for Linux/administrator access for Windows); however, they are allowed to manage their data via FTP or other remote management tools. The user is disallowed full control so that the provider can guarantee quality of service by not allowing the user to modify the server or potentially create configuration problems. The user typically does not own the server. The server is leased to the client.
Colocation web hosting service: similar to the dedicated web hosting service, but the user owns the colo server; the hosting company provides physical space that the server takes up and takes care of the server. This is the most powerful and expensive type of web hosting service. In most cases, the colocation provider may provide little to no support directly for their client's machine, providing only the electrical, Internet access, and storage facilities for the server. In most cases for colo, the client would have his own administrator visit the data center on site to do any hardware upgrades or changes. Formerly, many colocation providers would accept any system configuration for hosting, even ones housed in desktop-style minitower cases, but most hosts now require rack mount enclosures and standard system configurations.
Cloud hosting: is a new type of hosting platform that allows customers powerful, scalable and reliable hosting based on clustered load-balanced servers and utility billing. A cloud hosted website may be more reliable than alternatives since other computers in the cloud can compensate when a single piece of hardware goes down. Also, local power disruptions or even natural disasters are less problematic for cloud hosted sites, as cloud hosting is decentralized. Cloud hosting also allows providers to charge users only for resources consumed by the user, rather than a flat fee for the amount the user expects they will use, or a fixed cost upfront hardware investment. Alternatively, the lack of centralization may give users less control on where their data is located which could be a problem for users with data security or privacy concerns.
Clustered hosting: having multiple servers hosting the same content for better resource utilization. Clustered Servers are a perfect solution for high-availability dedicated hosting, or creating a scalable web hosting solution. A cluster may separate web serving from database hosting capability. (Usually Web hosts use Clustered Hosting for their Shared hosting plans, as there are multiple benefits to the mass managing of clients).
Grid hosting: this form of distributed hosting is when a server cluster acts like a grid and is composed of multiple nodes.
Home server: usually a single machine placed in a private residence can be used to host one or more web sites from a usually consumer-grade broadbandconnection. These can be purpose-built machines or more commonly old PCs. Some ISPs actively attempt to block home servers by disallowing incoming requests to TCP port 80 of the user's connection and by refusing to provide static IP addresses. A common way to attain a reliable DNS host name is by creating an account with a dynamic DNS service. A dynamic DNS service will automatically change the IP address that a URL points to when the IP address changes.
SQL injection is a code
injection technique, used to attack data driven applications, in which
malicious SQL statements are inserted into an entry field for execution (e.g.
to dump the database contents to the attacker).SQL injection must exploit a security vulnerability in an application's
software, for example, when user input is either incorrectly filtered for string
literalescape characters embedded in SQL statements or user
input is not strongly typed and
unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack
any type of SQL database.
-->
Incorrectly filtered escape characters
This form of
SQL injection occurs when user input is not filtered for escape characters and is then passed into a SQL
statement. This results in the potential manipulation of the statements
performed on the database by the end-user of the application.
The following
line of code illustrates this vulnerability:
statement = "SELECT * FROM users WHERE name = '"
+ userName + "';"
This SQL code
is designed to pull up the records of the specified username from its table of
users. However, if the "userName" variable is crafted in a specific
way by a malicious user, the SQL statement may do more than the code author
intended. For example, setting the "userName" variable as:
' or '1'='1
or using
comments to even block the rest of the query (there are three types of SQL
comments):
' or '1'='1' -- '
' or '1'='1' ({ '
' or '1'='1' /* '
renders one of
the following SQL statements by the parent language:
SELECT * FROM users WHERE name = '' OR '1'='1';
SELECT * FROM users WHERE name = '' OR '1'='1' -- ';
If this code
were to be used in an authentication procedure then this example could be used
to force the selection of a valid username because the evaluation of '1'='1' is
always true.
The following
value of "userName" in the statement below would cause the deletion
of the "users" table as well as the selection of all data from the
"userinfo" table (in essence revealing the information of every
user), using an API that allows multiple statements:
a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' =
't
This input
renders the final SQL statement as follows and specified:
SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT
* FROM userinfo WHERE 't' = 't';
While most SQL
server implementations allow multiple statements to be executed with one call
in this way, some SQL APIs such as PHP's mysql_query(); function do not allow this for
security reasons. This prevents attackers from injecting entirely separate
queries, but doesn't stop them from modifying queries.
Incorrect type handling
This form of
SQL injection occurs when a user-supplied field is not strongly typed or is not checked for type constraints. This could take place when a
numeric field is to be used in a SQL statement, but the programmer makes no
checks to validate that the user supplied input is numeric. For example:
statement := "SELECT * FROM userinfo WHERE id =
" + a_variable + ";"
It is clear
from this statement that the author intended a_variable to be a number
correlating to the "id" field. However, if it is in fact a string
then the end-user may manipulate the statement as they
choose, thereby bypassing the need for escape characters. For example, setting
a_variable to
1;DROP TABLE users
will drop
(delete) the "users" table from the database, since the SQL becomes:
SELECT * FROM userinfo WHERE id=1;DROP TABLE users;
Blind SQL injection
Blind SQL
Injection is used when a web application is vulnerable to an SQL injection but
the results of the injection are not visible to the attacker. The page with the
vulnerability may not be one that displays data but will display differently
depending on the results of a logical statement injected into the legitimate
SQL statement called for that page. This type of attack can become
time-intensive because a new statement must be crafted for each bit recovered.
There are several tools that can automate these attacks once the location of
the vulnerability and the target information has been established.
Conditional responses
One type of
blind SQL injection forces the database to evaluate a logical statement on an
ordinary application screen. As an example, a book review website uses a query string to determine which book review to
display. So the URLhttp://books.example.com/showReview.php?ID=5 would cause the server to run the
query
SELECT * FROM bookreviews WHERE ID = '5';
from which it
would populate the review page with data from the review with ID 5, stored in the table bookreviews.
The query happens completely on the server; the user does not know the names of
the database, table, or fields, nor does the user know the query string. The
user only sees that the above URL returns a book review. A hacker
can load the URLs http://books.example.com/showReview.php?ID=5 AND 1=1 and http://books.example.com/showReview.php?ID=5 AND 1=2, which may result in queries
SELECT * FROM bookreviews WHERE ID = '5' AND '1'='1';
SELECT * FROM bookreviews WHERE ID = '5' AND '1'='2';
respectively.
If the original review loads with the "1=1" URL and a blank or error
page is returned from the "1=2" URL, the site is likely vulnerable to
a SQL injection attack. The hacker may proceed with this query string designed
to reveal the version number of MySQL running on the server: http://books.example.com/showReview.php?ID=5 AND substring(@@version,1,1)=4, which would show the book review on a
server running MySQL 4 and a blank or error page otherwise. The hacker can
continue to use code within query strings to glean more information from the
server until another avenue of attack is discovered or his or her goals are
achieved.
Mitigation
Parameterized statements
With most
development platforms, parameterized statements that work with parameters can
be used (sometimes called placeholders or bind variables) instead of embedding user input
in the statement. A placeholder can only store a value of the given type and
not an arbitrary SQL fragment. Hence the SQL injection would simply be treated
as a strange (and probably invalid) parameter value.
In many cases,
the SQL statement is fixed, and each parameter is a scalar, not a table. The user
input is then assigned (bound) to a parameter.
Enforcement at the coding level
Using object-relational
mapping libraries avoids the need to write SQL code. The ORM library
in effect will generate parameterized SQL statements from object-oriented code.
Escaping
A
straightforward, though error-prone, way to prevent injections is to escape
characters that have a special meaning in SQL. The manual for an SQL DBMS
explains which characters have a special meaning, which allows creating a
comprehensive blacklist of
characters that need translation. For instance, every occurrence of a single
quote (') in a
parameter must be replaced by two single quotes ('') to form a valid SQL string literal. For example, in PHP
it is usual to escape parameters using the function mysql_real_escape_string(); before sending the SQL query:
$query = sprintf("SELECT * FROM `Users` WHERE
UserName='%s' AND Password='%s'",
mysql_real_escape_string($Username),
mysql_real_escape_string($Password));
mysql_query($query);
This function,
i.e. mysql_real_escape_string(), calls MySQL's library function
mysql_real_escape_string, which prepends backslashes to the following
characters: \x00, \n, \r, \, ', " and \x1a. This function must always
(with few exceptions) be used to make data safe before sending a query to MySQL.
There are other functions for many database types in PHP such as
pg_escape_string() for PostgreSQL. There is,
however, one function that works for escaping characters, and is used
especially for querying on databases that do not have escaping functions in
PHP. This function is: addslashes(string $str ). It returns a string
with backslashes before characters that need to be quoted in database queries,
etc. These characters are single quote ('), double quote ("), backslash
(\) and NUL (the NULL byte).
Routinely passing escaped strings to SQL is error prone because it is easy to
forget to escape a given string. Creating a transparent layer to secure the
input can reduce this error-proneness, if not entirely eliminate it.
Pattern check
Integer, float
or boolean parameters can be checked if their value is valid representation for
the given type. Strings that must follow some strict pattern (date, UUID,
alphanumeric only, etc.) can be checked if they match this pattern.
Database permissions
Limiting the
permissions on the database logon used by the web application to only what is
needed may help reduce the effectiveness of any SQL injection attacks that
exploit any bugs in the web application.
For example on
SQL server, a database logon could be restricted from selecting on some of the
system tables which would limit exploits that try to insert JavaScript into all
the text columns in the database.
deny SELECT ON sys.sysobjects TO webdatabaselogon;
