Database Security

This category contains 12 posts


Preventing SQL injection in a PHP login form

1. Enforce a maximum length on fields such as username on the server side (a client-side maxlength attribute is trivially bypassed). This limits what an attacker can send but does not by itself stop injection, and the password cap should not be so low that strong passphrases are rejected.

2. Validate every input against the type it is supposed to be (a valid email address, an integer, a valid date, and so on) before it gets anywhere near a query.

3. Never splice raw input into a SQL string. Escape each variable with mysql_real_escape_string() before it goes into the query, for example

$username=mysql_real_escape_string($_POST['username']);
$password=mysql_real_escape_string($_POST['password']);

Two caveats apply. Escaping only protects values placed inside quoted string literals; a value used in a numeric context such as WHERE id = $id is not protected at all, and the function needs an open connection (it returns false without one). The mysql_ extension this function belongs to was deprecated in PHP 5.5 and removed in PHP 7, so prepared statements with bound parameters (PDO or mysqli) are the reliable fix.
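The three steps above, worked through as an added example that is not part of the original post: a Python stand-in for the PHP login (sqlite3 in place of MySQL, with a hand-rolled escape() that plays the role of mysql_real_escape_string()) shows the unescaped query being bypassed, the escaped query holding for a quoted string but failing in a numeric context, and the parameterised query resisting both. The users table, the two accounts and the payload strings are constructed sample data.

```python
import hashlib
import re
import sqlite3

# Server-side cap on field length (step 1). The post suggests 20; that is fine for a
# username but too short for a password, since it rejects strong passphrases.
MAX_FIELD_LEN = 64


def pw_hash(password: str) -> str:
    # Demo-only hash so the table never holds plaintext; production code uses a slow KDF.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    # Constructed sample data: two users in an in-memory SQLite database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)")
    conn.executemany("INSERT INTO users (username, pw_hash) VALUES (?, ?)",
                     [("alice", pw_hash("correct horse")), ("bob", pw_hash("hunter2"))])
    conn.commit()
    return conn


def validate_login_fields(username: str, password: str) -> bool:
    # Steps 1 and 2: length and character-class checks on the server, before any SQL is built.
    if not (1 <= len(username) <= MAX_FIELD_LEN and 1 <= len(password) <= MAX_FIELD_LEN):
        return False
    return re.fullmatch(r"[A-Za-z0-9_.-]+", username) is not None


def escape(value: str) -> str:
    # Stand-in for mysql_real_escape_string(): neutralises the quote that would close a
    # string literal (SQLite doubles it, MySQL backslash-escapes it). It does nothing for
    # a value that is not inside quotes.
    return value.replace("'", "''")


def login_concat(conn, username: str, password: str) -> bool:
    # Vulnerable: user input spliced straight into the query, like the unescaped PHP form.
    sql = ("SELECT id FROM users WHERE username = '" + username
           + "' AND pw_hash = '" + pw_hash(password) + "'")
    return conn.execute(sql).fetchone() is not None


def login_escaped(conn, username: str, password: str) -> bool:
    # Step 3 as the post describes it: escape, then concatenate. Holds for quoted strings.
    sql = ("SELECT id FROM users WHERE username = '" + escape(username)
           + "' AND pw_hash = '" + pw_hash(password) + "'")
    return conn.execute(sql).fetchone() is not None


def lookup_escaped(conn, user_id: str) -> list:
    # The caveat: escaping a value used in a numeric context (no quotes) protects nothing.
    sql = "SELECT username FROM users WHERE id = " + escape(user_id) + " ORDER BY id"
    return [row[0] for row in conn.execute(sql).fetchall()]


def login_param(conn, username: str, password: str) -> bool:
    # Correct fix: validate, then bind parameters so input can never change the query shape.
    if not validate_login_fields(username, password):
        return False
    row = conn.execute("SELECT id FROM users WHERE username = ? AND pw_hash = ?",
                       (username, pw_hash(password))).fetchone()
    return row is not None


def lookup_param(conn, user_id: str) -> list:
    # Numeric input: check the type first, then bind it as an integer.
    if not user_id.isdigit():
        return []
    rows = conn.execute("SELECT username FROM users WHERE id = ? ORDER BY id", (int(user_id),))
    return [row[0] for row in rows.fetchall()]


DB = make_db()
# Classic login-bypass payload for the username field. The trailing space matters for
# MySQL, where "--" only starts a comment when followed by whitespace.
BYPASS = "' OR 1=1 -- "

if __name__ == "__main__":
    print("concatenated, bypass payload, wrong password:", login_concat(DB, BYPASS, "wrong"))
    print("escaped, same payload:", login_escaped(DB, BYPASS, "wrong"))
    print("escaped numeric lookup with '1 OR 1=1':", lookup_escaped(DB, "1 OR 1=1"))
    print("parameterised, same payload:", login_param(DB, BYPASS, "wrong"))
    print("parameterised numeric lookup with '1 OR 1=1':", lookup_param(DB, "1 OR 1=1"))
```

Run it and the concatenated login accepts the payload with a wrong password, the escaped login rejects it but the escaped numeric lookup returns every user, and the parameterised versions reject both. The point is that escaping is context-dependent while binding parameters is not.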

Secure and Audit Oracle 10g and 11g

Account security is a fundamental building block for securing database environments. In fact, according to the FBI, weak and default passwords were responsible for several recent high-profile data breaches.

Authored by database security expert Ron Ben Natan, Ph.D., “HOWTO Secure and Audit Oracle 10g and 11g” (CRC Press, 2009) is the definitive 454-page guide for security pros, DBAs and IT auditors.


Cracking MS SQL passwords

Elcomsoft's Advanced SQL Password Recovery can change or reset the password of any login (including sa) in a SQL Server 2000, 2005 or 2008 instance. All it needs is a copy of the master.mdf file, which is where the login hashes live; a running SQL Server is not required.

You load the program, point it at master.mdf and the passwords are reset, as simple as that. The lesson is that anyone who can read master.mdf, or a backup of it, owns every login in the instance. Keep your systems patched so attackers cannot reach the file in the first place, and keep the NTFS permissions on the SQL Server data and backup directories restricted to the service account and administrators.


Recovering a lost MySQL root password

Try the following:

Log in to the system as root and stop the MySQL service.

# /etc/init.d/mysql stop

Output:

Stopping MySql database server: mysqld.

Start the server with the grant tables disabled, so that no password is checked. While it runs this way anyone who can reach it has full access, so also pass --skip-networking to keep it off the TCP port and finish the reset quickly.

# mysqld_safe --skip-grant-tables --skip-networking &

Output:

[1] 1664
Starting mysqld daemon with databases from /var/lib/mysql
mysqld_safe[6012]: started

Connect to the server with the mysql client; with the grant tables skipped, no password is needed.

# mysql -u root

Output:

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1 to server version: 4.1.15-Debian_1-log

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.