How to prevent SQL Injection by thinking like an attacker who is carrying out the attack. The SQL Injection is performed in a legal simulation environment, namely abwh.rioastamal.net.
1. SQL INJECTION
LEARNING TO AVOID IT THROUGH SIMULATION
RIO ASTAMAL
02 February 2021 19:00
Founder BelajarAWS.com
PHPID-OL#52
2. DISCLAIMER
THE MATERIAL IN THIS PRESENTATION IS INTENDED SOLELY TO INCREASE KNOWLEDGE OF WEB SECURITY. ANY MISUSE OR ACTION RESULTING FROM THE INFORMATION IN THIS MATERIAL IS NOT THE RESPONSIBILITY OF THE PRESENTER/ORGANIZER.
THE HACKING SIMULATION WEBSITE USED IS ABWH.RIOASTAMAL.NET, OWNED BY RIO ASTAMAL, AND THAT WEBSITE IS INDEED DESIGNED AS A LEGAL ENVIRONMENT FOR PRACTISING WEB HACKING.
3. RIO ASTAMAL
2020 Writer, TeknoCerdas.com (ID)*
2017 Lead Backend @ClearView.team (US)
2016 Founder, BelajarAWS.com (ID)*
2015 Lead Dev @DominoPOS (SG)
2014 System Engineer @WowRack (US/ID)
2004 Freelance Web Developer
*) Still active today
4. WHAT WILL BE COVERED?
+ What SQL Injection is
+ Why SQL Injection can happen
+ Examples of SQL Injection
+ Preventing SQL Injection
+ Web hacking simulation using the Blind SQL Injection technique on RM6 abwh.rioastamal.net
beginner - intermediate
6. SQL INJECTION
AN ATTACK TECHNIQUE THAT INSERTS OR "INJECTS" COMMANDS INTO AN SQL QUERY THAT IS EXECUTED BY THE TARGET APPLICATION.
A SUCCESSFUL SQL INJECTION ATTACK CAN READ SENSITIVE INFORMATION* FROM THE DATABASE, EVEN MODIFY DATA, OR EXECUTE ADMINISTRATOR COMMANDS IF THE ROLE OBTAINED ALLOWS IT.
*) Passwords, credit cards, user info and the like.
10. EXAMPLE
DISPLAY PRODUCTS BY CATEGORY
URL
http://example.com/products/?categori=X
SQL QUERY
SELECT * FROM `products` WHERE `catid`='X' LIMIT 0,10
PARAMETER INJECTION
http://example.com/products/?categori='%20OR%201=1%23
RESULTING QUERY (SQL INJECTION)
SELECT * FROM `products` WHERE `catid`='' OR 1=1 #LIMIT 0,10
11. THAT EXAMPLE DOESN'T LOOK DANGEROUS!
OH, IS THAT SO? LET'S TRY A DEMO OF SQL INJECTION.
13. OBJECTIVES OF REALISTIC MISSION 6
+ USE THE BLIND SQL INJECTION TECHNIQUE TO DIG INFORMATION OUT OF THE DATABASE
+ TEST UNDERSTANDING OF THE "UNION" CLAUSE FOR COMBINING QUERY RESULTS DURING THE INVESTIGATION
+ TEST UNDERSTANDING OF THE SPECIAL MYSQL TABLES, NAMELY "INFORMATION_SCHEMA"
14. BLIND SQL INJECTION
AN SQL INJECTION ATTACK THAT RELIES ON TRUE/FALSE RESPONSES FROM THE APPLICATION.
THE ATTACKER ATTEMPTS SQL INJECTION ON THE TARGET PAGE BY SENDING SPECIFIC PARAMETERS AND OBSERVING THE RESULT.
HOW DO WE KNOW WHETHER THE RESULT IS TRUE OR FALSE?
15. BLIND SQL INJECTION EXAMPLE
http://example.com/products/?categori=X
NORMAL SQL QUERY
SELECT * FROM `products` WHERE CatID='X' LIMIT 0,10
SQL INJECTION AIMING FOR TRUE
http://example.com/products/?categori=X'%20AND%201=1%23
RESULTING QUERY
SELECT * FROM `products` WHERE CatID='X' AND 1=1 #LIMIT 0,10
SQL INJECTION AIMING FOR FALSE
http://example.com/products/?categori=X'%20AND%201=2%23
RESULTING QUERY
SELECT * FROM `products` WHERE CatID='X' AND 1=2 #LIMIT 0,10
16. THE UNION COMMAND IN SQL
COMBINES THE RESULTS OF ONE OR MORE SELECT STATEMENTS. THE NUMBER OF COLUMNS IN EACH SELECT STATEMENT MUST BE THE SAME.
SELECT Website, Owner FROM websites;
+-----------------+-------------+
| Website         | Owner       |
+-----------------+-------------+
| BelajarAWS.com  | Rio Astamal |
| TeknoCerdas.com | Rio Astamal |
+-----------------+-------------+
SELECT Website, Owner FROM websites
UNION
SELECT 1, 2;
+-----------------+-------------+
| Website         | Owner       |
+-----------------+-------------+
| BelajarAWS.com  | Rio Astamal |
| TeknoCerdas.com | Rio Astamal |
| 1               | 2           |
+-----------------+-------------+
17. THE INFORMATION_SCHEMA TABLES
TABLES THAT HOLD THE METADATA OF A MYSQL DATABASE, SUCH AS TABLE AND COLUMN NAMES.
SELECT TABLE_NAME,TABLE_TYPE FROM
INFORMATION_SCHEMA.TABLES;
+-----------------+-------------+
| TABLE_NAME      | TABLE_TYPE  |
+-----------------+-------------+
| table_abc       | BASE_TABLE  |
| table_xyz       | BASE_TABLE  |
+-----------------+-------------+
SELECT COLUMN_NAME,DATA_TYPE FROM
INFORMATION_SCHEMA.COLUMNS
WHERE TABLE_NAME='table_abc';
+-----------------+-------------+
| COLUMN_NAME     | DATA_TYPE   |
+-----------------+-------------+
| column_abc      | VARCHAR     |
| column_xyz      | VARCHAR     |
+-----------------+-------------+
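The probe shapes walked through on slides 14 to 17 (the AND 1=1 / AND 1=2 pair, UNION SELECT, reads of INFORMATION_SCHEMA, a trailing # or -- comment) are also what a defender looks for in the web server's access log. The following Python script is an added example and is not part of the original presentation: it decodes every query-string parameter from a few constructed Apache-style log lines (the client addresses are documentation ranges, not real hosts), flags the values that match those patterns, and then groups the hits per client, since one client sending both branches of the true/false pair is the blind SQL injection pattern from slide 15.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (Apache common format) for a catalogue page shaped
# like the one on the slides; 203.0.113.x and 198.51.100.x are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Feb/2021:19:05:01 +0700] "GET /products/?categori=3 HTTP/1.1" 200 5120
203.0.113.5 - - [02/Feb/2021:19:05:07 +0700] "GET /products/?categori=3'%20AND%201=1%23 HTTP/1.1" 200 5120
203.0.113.5 - - [02/Feb/2021:19:05:09 +0700] "GET /products/?categori=3'%20AND%201=2%23 HTTP/1.1" 200 310
203.0.113.5 - - [02/Feb/2021:19:05:20 +0700] "GET /products/?categori=3'%20UNION%20SELECT%20TABLE_NAME,2%20FROM%20INFORMATION_SCHEMA.TABLES%23 HTTP/1.1" 200 4800
198.51.100.7 - - [02/Feb/2021:19:06:00 +0700] "GET /products/?categori=electronics HTTP/1.1" 200 5300
"""

# Client address and request target out of one common-format log line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<target>\S+) HTTP/')

# Signatures of the probe shapes the slides describe; matched against the decoded value.
SIGNATURES = {
    "tautology": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I),  # AND 1=1 / AND 1=2
    "union": re.compile(r"\bunion\b.*\bselect\b", re.I | re.S),     # UNION SELECT ...
    "schema_probe": re.compile(r"information_schema", re.I),        # metadata tables
    "comment_terminator": re.compile(r"(?:#|--)\s*$"),              # # or -- closing the query
}


def classify_value(value):
    """Return the sorted signature names that match one decoded parameter value."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(value))


def scan_log(text):
    """Walk the log, URL-decode each query-string parameter and report every value
    that matches at least one signature, with its client IP and parameter name."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for param, value in parse_qsl(query, keep_blank_values=True):
            hits = classify_value(value)
            if hits:
                findings.append({"ip": m.group("ip"), "param": param, "value": value, "hits": hits})
    return findings


def suspicious_clients(findings):
    """Aggregate per client: which signature kinds it triggered and how many
    tautology probes it sent. Two or more from one client is the true/false
    pair that a blind injection needs to build its oracle."""
    clients = {}
    for f in findings:
        entry = clients.setdefault(f["ip"], {"kinds": set(), "tautology_probes": 0})
        entry["kinds"].update(f["hits"])
        if "tautology" in f["hits"]:
            entry["tautology_probes"] += 1
    return clients


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["param"], repr(f["value"]), f["hits"])
    print(suspicious_clients(scan_log(SAMPLE_LOG)))
```

Decoding before matching matters: the slides' URLs carry the probes percent-encoded (`%20`, `%23`), so a pattern applied to the raw request line would miss `AND 1=1#` entirely. Run it against a real log by replacing SAMPLE_LOG with the file contents; the per-client view is what turns three isolated matches into one investigation.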
19. #1 NEVER TRUST USER INPUT
ALWAYS SANITIZE USER INPUT IF YOU REALLY HAVE TO USE A RAW QUERY.
// If only numeric input is expected
$catId = (int)($someData); // or
$catId = filter_var($someData, FILTER_VALIDATE_INT);
// If alphanumeric input is expected
if (preg_match('/[^0-9A-Za-z]/', $someData)) {
    exit(1);
}
// If any character is allowed, escape or quote it
$someData = $pdo->quote($someData);
20. #2 ALWAYS USE PREPARED STATEMENTS
USE PDO OR A DRIVER THAT SUPPORTS PREPARED STATEMENTS
$catId = $_GET['cat'] ?? 0;
$query = 'SELECT * FROM products WHERE categoryId = :id';
$stmt = $pdo->prepare($query);
$stmt->execute([':id' => $catId]);
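To make the contrast between slides 10 and 15 (the parameter concatenated into the SQL text) and slide 20 (a prepared statement with a bound parameter) concrete, here is an added example in Python on the standard library's sqlite3 module. It is not code from the presentation, which uses PHP and PDO, and the `products` rows are constructed. SQLite does not treat `#` as a comment, so the probes end with the standard `--` instead of the `#` shown on the slides; the mechanism is otherwise the same. The script runs the same category lookup both ways: with concatenation, the slide 10 payload returns every row and the slide 15 true/false probes produce different answers (the oracle a blind attack depends on), while with the bound parameter both probes return nothing and so reveal nothing. The slide 19 validators are included as `validate_int` and `validate_alnum`.

```python
import re
import sqlite3

# Constructed sample catalogue standing in for the `products` table on the slides.
SAMPLE_PRODUCTS = [("Keyboard", "1"), ("Mouse", "1"), ("Monitor", "2"), ("Cable", "3")]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, catid TEXT)")
    conn.executemany("INSERT INTO products (name, catid) VALUES (?, ?)", SAMPLE_PRODUCTS)
    conn.commit()
    return conn


def products_by_category_vulnerable(conn, cat):
    """Slide-10 pattern: the request parameter is pasted into the SQL text, so
    whatever the user sends becomes part of the statement. Do not write this."""
    sql = "SELECT name FROM products WHERE catid='" + cat + "' LIMIT 0,10"
    return [row[0] for row in conn.execute(sql)]


def products_by_category_prepared(conn, cat):
    """Slide-20 pattern: the statement text is fixed and the value travels as a
    bound parameter, so it can only ever be compared against catid."""
    sql = "SELECT name FROM products WHERE catid=? LIMIT 0,10"
    return [row[0] for row in conn.execute(sql, (cat,))]


INT_RE = re.compile(r"^-?[0-9]+$")
ALNUM_RE = re.compile(r"^[0-9A-Za-z]+$")


def validate_int(value):
    """Slide-19 rule for numeric parameters: accept only a plain integer string,
    in the spirit of PHP's FILTER_VALIDATE_INT; anything else yields None."""
    return int(value) if INT_RE.match(value) else None


def validate_alnum(value):
    """Slide-19 rule for alphanumeric parameters: reject on any other character."""
    return value if ALNUM_RE.match(value) else None


def blind_oracle_visible(query_fn, conn, base_cat):
    """Replay the slide-15 probe pair (AND 1=1 versus AND 1=2) through query_fn and
    report whether the two responses differ, i.e. whether a true/false oracle exists.
    SQLite closes a line comment with '--' where MySQL also accepts '#'."""
    true_probe = query_fn(conn, base_cat + "' AND 1=1 --")
    false_probe = query_fn(conn, base_cat + "' AND 1=2 --")
    return true_probe != false_probe


if __name__ == "__main__":
    db = make_db()
    print("concatenated, tautology:", products_by_category_vulnerable(db, "' OR 1=1 --"))
    print("prepared,     tautology:", products_by_category_prepared(db, "' OR 1=1 --"))
    print("oracle via concatenation:", blind_oracle_visible(products_by_category_vulnerable, db, "1"))
    print("oracle via prepared stmt:", blind_oracle_visible(products_by_category_prepared, db, "1"))
```

The prepared version needs no escaping at all: the payload simply becomes a category name that no row has, which is exactly why slide 20 puts it ahead of slide 19's sanitizing. Validation still earns its place as a second layer, because a parameter that must be an integer should be refused at the edge before it reaches any query, prepared or not.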
21. #3 USE A FRAMEWORK
FRAMEWORKS GENERALLY PROVIDE AN ORM LIBRARY THAT AUTOMATICALLY HANDLES SANITIZING AND EVERYTHING ELSE NEEDED TO AVOID SQL INJECTION.
// Laravel
$products = Product::where('CatId', $catId)
    ->take(10)
    ->get();
22. #4 DO REGULAR CODE REVIEWS
THE MOST EFFECTIVE APPROACH IS ACTUALLY PREVENTION, THAT IS, REVIEWING CODE REGULARLY. EVEN EXPERIENCED DEVELOPERS SOMETIMES MAKE MISTAKES, WHETHER BECAUSE THEY ARE PRESSED FOR TIME OR SIMPLY FORGET, SO THE SECURITY ASPECT GETS NEGLECTED.
IT IS BETTER STILL TO RUN YOUR OWN INTERNAL PENETRATION TESTING TO FIND THE SECURITY HOLES THAT EXIST.
OR ADD A PENTESTING TOOL SUCH AS SQLMAP TO THE CI/CD PIPELINE.
$ git push master:pentesting