Saturday, August 25, 2007

Abhishek Amralkar: TAFITI

Friday, August 24, 2007

TAFITI


What is Tafiti?

Tafiti, whose name means "do research" in Swahili, uses both Microsoft Silverlight and Live Search to explore the intersection of richer experiences on the Web and the increasing specialization of search.

What is the shelf and how do I use it?

The shelf is located on the right side of the screen and provides a place to store associated search results, such as the things you want to retain from a particular query or set of queries. Multiple results of different types can be stored on the shelf. There are five shelves and the contents of a single shelf constitute a “stack”. You must be signed in to store items in the shelf from session to session.

* Putting things on the shelf – search results can be dragged from the results pane to the shelf.
* Labeling a stack – hover over a particular shelf and click to type a label in the text box which appears.
* Seeing the contents of a stack – click on a particular stack (outside the label area) to see all the contents displayed in the Stack View.
* Deleting individual items – hover over an item and click the red Remove button which will appear.
* Sending a stack to someone else via email – click on the link at the top of the Stack View.
* Posting a stack to your Windows Live Space – click on the link at the top of the Stack View.
* Clearing a single stack on the shelf – click on the white X that appears when you hover over a particular stack.

Sunday, August 19, 2007

BOSS CHAMCHA ==== Successful Employee & Useful Employee

A recent poll asked what kind of employees succeed in organisations. Some thoughts from employees:

When I take a long time to finish,
I am slow.
When my boss takes a long time,
he is thorough.

When I don't do it,
I am lazy.
When my boss does not do it,
he is busy.

When I do something without being told,
I am trying to be smart.
When my boss does the same,
he takes the initiative.

When I please my boss,
I am apple polishing.
When my boss pleases his boss,
he is cooperating.

When I make a mistake,
I am an idiot.
When my boss makes a mistake,
he's only human.

When I am out of the office,
I am wandering around.
When my boss is out of the office,
he's on business.

When I am on a day off sick,
I am always sick.
When my boss is a day off sick,
he must be very ill.

When I apply for leave,
I must be going for an interview.
When my boss applies for leave,
it's because he's overworked.


Some personal experiences from employees:

When I do good,
my boss never remembers,
When I do wrong,
he never forgets



If you happen to be working in an Indian set-up, then you have got to be a kadchhi, as a chamcha is inadequate.



When the boss is a chamcha, he likes chamchas. I feel a right boss will recognize talent and can sense what is in others' khopdi, so be confident when putting your point across the table.



A board with the following two clauses should be hung on the back of the boss's chair:
Clause No.1- Boss is always right.
Clause No.2- When you feel boss is wrong then refer to clause no.1



In a pvt. organization, one has to be one's boss's 'chamcha'. That's because he/she/they are the deciders of one's fate in the organization and beyond. All talk of bravado is plain bullshit.

A better option would be to either work for a govt. organization or be one's own employer (be an entrepreneur).



Being a boss's chamcha is a perfect route to mask one's incompetence. You will find the boss's chamchas in every organization and in every department. This bunch of idiots will stoop to any level to appease their bosses and end up getting better ratings than most of the performers. In the process, the organization suffers as the competent people leave.



Yes, it is decently called and known as COMMUNICATION SKILLS.
A subordinate trying to please the boss's wife or children, running behind them with their belongings like a coolie and trying to show off as if it were a high-profile job, or taking tuitions for the boss's kids.

While some would service their boss's wife or daughters or sons in a bedroom too.



If anyone thinks that the remuneration and perks which he is getting will not be available at another place, then he will involve himself in maska polish. In most companies, industries and institutions, maska polish officers are available on a huge scale.

-- Sanjay Malik

I don't think someone would require chamchagiri just to impress the boss. If you honestly want to impress the boss, be honest and trust yourself first. Things will fall into line later.



Someone asked me why a few people stick to an organisation: it's because they know 'chamchagiri'. In our culture it's bad, but in other cultures it is accepted quite well. It has been seen that chamchas rise in the organisation very fast and are more successful; the rest all have to pack their bags and move... Hard work helps you secure the job and position, but it's the chamchagiri that helps in moving ahead. Hard work + chamcha = Successful employee.


What do you think -- is it necessary to be your boss' chamcha in order to forge a successful career? Share your experiences and advice with us right here!

BOSS CHAMCHA ==== Successfull Employee & Useful Employee

The recent polls for the what kind of employees get success in the organisations.Some thoughts from employees :--

1.When I Take a long time to finish,
I am slow,
When my boss takes a long time,
he is thorough

2.When I don't do it,
I am lazy,
When my boss does not do it,
he is busy,


When I do something without being told,
I am trying to
be smart,
When my boss does the same,
he takes the initiative,

When I please my boss,
I am apple polishing,
When my boss pleases his boss,
he is cooperating,

When I make a mistake,
I' am an idiot.
When my boss makes a mistake,
he's only human.

When I am out of the office,
I am wondering around.
When my boss is out of the office,
he's on business.

When I am on a day off sick,
I am always sick.
When my boss is a day off sick,
he must be very ill.

When I apply for leave,
I must be going for an
interview
When my boss applies for leave,
it's because he's
overworked


Some of the personal experiences from the employees

When I do good,
my boss never remembers,
When I do wrong,
he never forgets



If u happen to be working in an Indian set up then u got to be a kadhchi as chamach is inadequate.



When boss is a chamcha, he does like chamchas. I feel a right boss will recognize talent and he can feel what is in other's khopdi. so be confident when putting your point across the table.



A board with following two clauses should be hanged on backside of boss's chair -
Clause No.1- Boss is always right.
Clause No.2- When you feel boss is wrong then refer to clause no.1



In a pvt. organization, one has to be one's boss' 'chamcha'. That's because he/she/they are the deciders of one's fate in the organization and beyond. All talk of bravado is plain bull-shit

A better option would be to either work for a govt. organization or be one's own employer (be an entrepreneur)



being a boss's chamcha is a perfect route to mask one\'s incompetency. YOu will fine boss's chamchas in every organization and in every department. These bunch of Idiots will stoop down to any level to appease their bosses and end up getting better ratings than most of the performers. In the process, organization suffers as the competent people leave the organization.



Yes, its decently called and kown as COMMUNICATION SKILLS.
A subordinate trying to please bosse's wife or children,running behind them with their belongings like a cooly and trying to show off as if it was a high profile job or taking tuitions for bosses kids.

While some would serivce their boses wife or daughters or sons ina bedroom too.



If any one think that the remuneration and perks which he is geting will not get at other place (where he work) then he will involved himself in maska polish. In most companies, Industries and institutions maska polish officers are available in huge scale.

-- Sanjay Malik

I dont think so some one would require chamchagiri just to impress your boss. if you honestly looking to get impressed infront of the boss be honest n trust our self first. things will come later to the line.



SOmeone asked me why few people stick to a organisation -- its because they know 'Chamchagiri' In out culture its bad but in other culture it is accpeted quite well. It has been seen that chamchas rise in the organisation very fast and they are more successful rest all have to apck their bags and move... hardwork helps you securing the job and postion but its the chamchagiri that helps in moving ahead..hard work chamcha = Succesful employee.


What do you think -- is it necessary to be your boss' chamcha in order to forge a successful career? Share your experiences and advice with us right here!

BOSS CHAMCHA ==== Successfull Employee & Useful Employee

The recent polls for the what kind of employees get success in the organisations.Some thoughts from employees :--

1.When I Take a long time to finish,
I am slow,
When my boss takes a long time,
he is thorough

2.When I don't do it,
I am lazy,
When my boss does not do it,
he is busy,


When I do something without being told,
I am trying to
be smart,
When my boss does the same,
he takes the initiative,

When I please my boss,
I am apple polishing,
When my boss pleases his boss,
he is cooperating,

When I make a mistake,
I' am an idiot.
When my boss makes a mistake,
he's only human.

When I am out of the office,
I am wondering around.
When my boss is out of the office,
he's on business.

When I am on a day off sick,
I am always sick.
When my boss is a day off sick,
he must be very ill.

When I apply for leave,
I must be going for an
interview
When my boss applies for leave,
it's because he's
overworked


Some of the personal experiences from the employees

When I do good,
my boss never remembers,
When I do wrong,
he never forgets



If u happen to be working in an Indian set up then u got to be a kadhchi as chamach is inadequate.



When boss is a chamcha, he does like chamchas. I feel a right boss will recognize talent and he can feel what is in other's khopdi. so be confident when putting your point across the table.



A board with following two clauses should be hanged on backside of boss's chair -
Clause No.1- Boss is always right.
Clause No.2- When you feel boss is wrong then refer to clause no.1



In a pvt. organization, one has to be one's boss' 'chamcha'. That's because he/she/they are the deciders of one's fate in the organization and beyond. All talk of bravado is plain bull-shit

A better option would be to either work for a govt. organization or be one's own employer (be an entrepreneur)



being a boss's chamcha is a perfect route to mask one\'s incompetency. YOu will fine boss's chamchas in every organization and in every department. These bunch of Idiots will stoop down to any level to appease their bosses and end up getting better ratings than most of the performers. In the process, organization suffers as the competent people leave the organization.



Yes, its decently called and kown as COMMUNICATION SKILLS.
A subordinate trying to please bosse's wife or children,running behind them with their belongings like a cooly and trying to show off as if it was a high profile job or taking tuitions for bosses kids.

While some would serivce their boses wife or daughters or sons ina bedroom too.



If any one think that the remuneration and perks which he is geting will not get at other place (where he work) then he will involved himself in maska polish. In most companies, Industries and institutions maska polish officers are available in huge scale.

-- Sanjay Malik

I dont think so some one would require chamchagiri just to impress your boss. if you honestly looking to get impressed infront of the boss be honest n trust our self first. things will come later to the line.



SOmeone asked me why few people stick to a organisation -- its because they know 'Chamchagiri' In out culture its bad but in other culture it is accpeted quite well. It has been seen that chamchas rise in the organisation very fast and they are more successful rest all have to apck their bags and move... hardwork helps you securing the job and postion but its the chamchagiri that helps in moving ahead..hard work chamcha = Succesful employee.


What do you think -- is it necessary to be your boss' chamcha in order to forge a successful career? Share your experiences and advice with us right here!

BOSS CHAMCHA ==== Successfull Employee & Useful Employee

The recent polls for the what kind of employees get success in the organisations.Some thoughts from employees :--

1.When I Take a long time to finish,
I am slow,
When my boss takes a long time,
he is thorough

2.When I don't do it,
I am lazy,
When my boss does not do it,
he is busy,


When I do something without being told,
I am trying to
be smart,
When my boss does the same,
he takes the initiative,

When I please my boss,
I am apple polishing,
When my boss pleases his boss,
he is cooperating,

When I make a mistake,
I' am an idiot.
When my boss makes a mistake,
he's only human.

When I am out of the office,
I am wondering around.
When my boss is out of the office,
he's on business.

When I am on a day off sick,
I am always sick.
When my boss is a day off sick,
he must be very ill.

When I apply for leave,
I must be going for an
interview
When my boss applies for leave,
it's because he's
overworked


Some of the personal experiences from the employees

When I do good,
my boss never remembers,
When I do wrong,
he never forgets



If u happen to be working in an Indian set up then u got to be a kadhchi as chamach is inadequate.



When boss is a chamcha, he does like chamchas. I feel a right boss will recognize talent and he can feel what is in other's khopdi. so be confident when putting your point across the table.



A board with following two clauses should be hanged on backside of boss's chair -
Clause No.1- Boss is always right.
Clause No.2- When you feel boss is wrong then refer to clause no.1



In a pvt. organization, one has to be one's boss' 'chamcha'. That's because he/she/they are the deciders of one's fate in the organization and beyond. All talk of bravado is plain bull-shit

A better option would be to either work for a govt. organization or be one's own employer (be an entrepreneur)



being a boss's chamcha is a perfect route to mask one\'s incompetency. YOu will fine boss's chamchas in every organization and in every department. These bunch of Idiots will stoop down to any level to appease their bosses and end up getting better ratings than most of the performers. In the process, organization suffers as the competent people leave the organization.



Yes, its decently called and kown as COMMUNICATION SKILLS.
A subordinate trying to please bosse's wife or children,running behind them with their belongings like a cooly and trying to show off as if it was a high profile job or taking tuitions for bosses kids.

While some would serivce their boses wife or daughters or sons ina bedroom too.



If any one think that the remuneration and perks which he is geting will not get at other place (where he work) then he will involved himself in maska polish. In most companies, Industries and institutions maska polish officers are available in huge scale.

-- Sanjay Malik

I dont think so some one would require chamchagiri just to impress your boss. if you honestly looking to get impressed infront of the boss be honest n trust our self first. things will come later to the line.



SOmeone asked me why few people stick to a organisation -- its because they know 'Chamchagiri' In out culture its bad but in other culture it is accpeted quite well. It has been seen that chamchas rise in the organisation very fast and they are more successful rest all have to apck their bags and move... hardwork helps you securing the job and postion but its the chamchagiri that helps in moving ahead..hard work chamcha = Succesful employee.


What do you think -- is it necessary to be your boss' chamcha in order to forge a successful career? Share your experiences and advice with us right here!

BOSS CHAMCHA ==== Successfull Employee & Useful Employee

The recent polls for the what kind of employees get success in the organisations.Some thoughts from employees :--

1.When I Take a long time to finish,
I am slow,
When my boss takes a long time,
he is thorough

2.When I don't do it,
I am lazy,
When my boss does not do it,
he is busy,


When I do something without being told,
I am trying to
be smart,
When my boss does the same,
he takes the initiative,

When I please my boss,
I am apple polishing,
When my boss pleases his boss,
he is cooperating,

When I make a mistake,
I' am an idiot.
When my boss makes a mistake,
he's only human.

When I am out of the office,
I am wondering around.
When my boss is out of the office,
he's on business.

When I am on a day off sick,
I am always sick.
When my boss is a day off sick,
he must be very ill.

When I apply for leave,
I must be going for an
interview
When my boss applies for leave,
it's because he's
overworked


Some of the personal experiences from the employees

When I do good,
my boss never remembers,
When I do wrong,
he never forgets



If u happen to be working in an Indian set up then u got to be a kadhchi as chamach is inadequate.



When boss is a chamcha, he does like chamchas. I feel a right boss will recognize talent and he can feel what is in other's khopdi. so be confident when putting your point across the table.



A board with following two clauses should be hanged on backside of boss's chair -
Clause No.1- Boss is always right.
Clause No.2- When you feel boss is wrong then refer to clause no.1



In a pvt. organization, one has to be one's boss' 'chamcha'. That's because he/she/they are the deciders of one's fate in the organization and beyond. All talk of bravado is plain bull-shit

A better option would be to either work for a govt. organization or be one's own employer (be an entrepreneur)



being a boss's chamcha is a perfect route to mask one\'s incompetency. YOu will fine boss's chamchas in every organization and in every department. These bunch of Idiots will stoop down to any level to appease their bosses and end up getting better ratings than most of the performers. In the process, organization suffers as the competent people leave the organization.



Yes, it's decently called and known as COMMUNICATION SKILLS.
A subordinate trying to please the boss's wife or children, running behind them with their belongings like a coolie and trying to show off as if it were a high-profile job, or taking tuitions for the boss's kids.

While some would service their bosses' wives or daughters or sons in a bedroom too.



If anyone thinks that the remuneration and perks which he is getting will not be available at another place, then he will involve himself in maska polish. In most companies, industries and institutions, maska polish officers are available on a huge scale.

-- Sanjay Malik

I don't think someone would require chamchagiri just to impress the boss. If you are honestly looking to impress the boss, be honest and trust yourself first. Things will fall into line later.



Someone asked me why a few people stick to an organisation: it's because they know 'chamchagiri'. In our culture it's bad, but in other cultures it is accepted quite well. It has been seen that chamchas rise in the organisation very fast and are more successful; the rest all have to pack their bags and move... Hard work helps you secure the job and position, but it's the chamchagiri that helps in moving ahead. Hard work + chamcha = successful employee.


What do you think -- is it necessary to be your boss' chamcha in order to forge a successful career? Share your experiences and advice with us right here!


SQL INJECTION


SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities, because SQL Server executes every syntactically valid query it receives; it has no way to tell a statement the developer intended from one an attacker assembled. Passing a value as a parameter keeps that value from being parsed as code, but it does not protect dynamic SQL that a stored procedure later builds from the parameter by string concatenation, which is why the later sections on QUOTENAME(), REPLACE() and truncation matter.

The primary form of SQL injection consists of direct insertion of code into user-input variables that are concatenated with SQL commands and executed. A less direct attack injects malicious code into strings that are destined for storage in a table or as metadata. When the stored strings are subsequently concatenated into a dynamic SQL command, the malicious code is executed.

The injection process works by prematurely terminating a text string and appending a new command. Because the inserted command may have additional strings appended to it before it is executed, the attacker terminates the injected string with the comment marker "--". Any text the application appends after it on the same line is ignored at execution time.

The following script shows a simple SQL injection. The script builds an SQL query by concatenating hard-coded strings together with a string entered by the user:

// Classic ASP page written in JScript. VULNERABLE: the user's city is spliced
// into the statement text, so it can change the statement's structure.
var ShipCity = Request.Form("ShipCity");
var sql = "select * from OrdersTable where ShipCity = '" + ShipCity + "'";

The user is prompted to enter the name of a city. If she enters Redmond, the query assembled by the script looks similar to the following:

SELECT * FROM OrdersTable WHERE ShipCity = 'Redmond'

However, assume that the user enters the following:

Redmond'; drop table OrdersTable--

In this case, the following query is assembled by the script:

SELECT * FROM OrdersTable WHERE ShipCity = 'Redmond';drop table OrdersTable--'

The semicolon (;) denotes the end of one query and the start of another. The double hyphen (--) indicates that the rest of the current line is a comment and should be ignored. If the modified code is syntactically correct, it will be executed by the server. When SQL Server processes this statement, SQL Server will first select all records in OrdersTable where ShipCity is Redmond. Then, SQL Server will drop OrdersTable.

As long as injected SQL code is syntactically correct, tampering cannot be detected programmatically. Therefore, you must validate all user input and carefully review code that executes constructed SQL commands in the server that you are using. Coding best practices are described in the following sections in this topic.
Validate All Input

Always validate user input by testing type, length, format, and range. When you are implementing precautions against malicious input, consider the architecture and deployment scenarios of your application. Remember that programs designed to run in a secure environment can be copied to an insecure environment. The following suggestions should be considered best practices:

* Make no assumptions about the size, type, or content of the data that is received by your application. For example, you should make the following evaluation:
o How will your application behave if an errant or malicious user enters a 10-megabyte MPEG file where your application expects a postal code?
o How will your application behave if a DROP TABLE statement is embedded in a text field?
* Test the size and data type of input and enforce appropriate limits. This can help prevent deliberate buffer overruns.
* Test the content of string variables and accept only expected values. Reject entries that contain binary data, escape sequences, and comment characters. This can help prevent script injection and can protect against some buffer overrun exploits.
* When you are working with XML documents, validate all data against its schema as it is entered.
* Never build Transact-SQL statements directly from user input.
* Use stored procedures to validate user input.
* In multitiered environments, all data should be validated before admission to the trusted zone. Data that does not pass the validation process should be rejected and an error should be returned to the previous tier.
* Implement multiple layers of validation. Precautions you take against casually malicious users may be ineffective against determined attackers. A better practice is to validate input in the user interface and at all subsequent points where it crosses a trust boundary.
For example, data validation in a client-side application may prevent simple script injection. However, if the next tier assumes that its input has already been validated, any malicious user that is capable of bypassing a client can have unrestricted access to a system.
* Never concatenate user input that is not validated. String concatenation is the primary point of entry for script injection.
* Do not accept the following strings in fields from which file names can be constructed: AUX, CLOCK$, COM1 through COM8, CON, CONFIG$, LPT1 through LPT8, NUL, and PRN.

When you can, reject input that contains the following characters. Treat this list as a last line of defense rather than a substitute for parameters: a legitimate value such as O'Brien contains a string delimiter, and a value spliced into a numeric comparison needs none of these characters to do damage.

Input character    Meaning in Transact-SQL
;                  Query delimiter.
'                  Character data string delimiter.
--                 Comment delimiter.
/* ... */          Comment delimiters. Text between /* and */ is not evaluated by the server.
xp_                Used at the start of the name of catalog-extended stored procedures, such as xp_cmdshell.
Use Type-Safe SQL Parameters

The Parameters collection of the .NET Framework SqlClient provider (SqlCommand.Parameters) provides type checking and length validation. If you use the Parameters collection, input is treated as a literal value instead of as executable code: the statement text sent to SQL Server is constant, and the value travels separately as a typed argument. An additional benefit is that you can declare the parameter's type and maximum length. The following code fragment shows using the Parameters collection:

// C# (ADO.NET). Requires: using System.Data; using System.Data.SqlClient;
// The login value is bound to a typed, length-limited parameter of the
// AuthorLogin stored procedure instead of being pasted into command text.
SqlDataAdapter myCommand = new SqlDataAdapter("AuthorLogin", conn);
myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;
SqlParameter parm = myCommand.SelectCommand.Parameters.Add("@au_id",
    SqlDbType.VarChar, 11);
parm.Value = Login.Text;

In this example, the @au_id parameter is treated as a literal value instead of as executable code, and its type is checked when the command runs: a value that cannot be converted to the declared SqlDbType raises an exception. Note that for a variable-length input parameter, SqlClient truncates a string longer than the declared size rather than throwing, so the 11-character limit here keeps over-long input from reaching the server but does not report it; enforce length in your own validation as well.
Use Parameterized Input with Stored Procedures

Stored procedures are not a defense by themselves: a procedure invoked through concatenated command text is as injectable as an inline query, because the input is still parsed as Transact-SQL. For example, the following code is vulnerable:

// VULNERABLE: the procedure name and the user's text are pasted into one
// command string, so a quotation mark in Login.Text ends the literal.
SqlDataAdapter myCommand =
    new SqlDataAdapter("LoginStoredProcedure '" +
        Login.Text + "'", conn);

If you use stored procedures, pass their inputs as parameters (CommandType.StoredProcedure plus the Parameters collection, as in the previous example), and review the procedure body itself for dynamic SQL built from those parameters.
Use the Parameters Collection with Dynamic SQL

If you cannot use stored procedures, you can still use parameters with inline SQL, as shown in the following code example:

// The command text names a parameter; its value is bound separately and
// is never parsed as part of the statement.
SqlDataAdapter myCommand = new SqlDataAdapter(
    "SELECT au_lname, au_fname FROM Authors WHERE au_id = @au_id", conn);
SqlParameter parm = myCommand.SelectCommand.Parameters.Add("@au_id",
    SqlDbType.VarChar, 11);
parm.Value = Login.Text;
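
The same contrast, concatenation against parameters, inside Transact-SQL itself, as an added example that is not part of the original article. It uses the article's ShipCity query and its "Redmond'; drop table OrdersTable--" payload; a temporary table stands in for OrdersTable so the script is self-contained and harmless. Run it in one session (SSMS or sqlcmd), as the GO separators are needed so the temporary table can be recreated after the first run drops it.

```sql
-- Added example, not from the original article. A temporary table stands in
-- for the article's OrdersTable so the script is self-contained and harmless.
CREATE TABLE #OrdersTable (OrderID int, ShipCity nvarchar(40));
INSERT INTO #OrdersTable VALUES (1, N'Redmond');
INSERT INTO #OrdersTable VALUES (2, N'Seattle');
GO

-- The article's payload, aimed at the temporary table.
DECLARE @ShipCity nvarchar(100);
SET @ShipCity = N'Redmond''; drop table #OrdersTable--';

-- 1. Concatenation (what the ASP script does): the quotation mark inside the
--    value closes the literal and the rest is parsed as a second statement.
DECLARE @sql nvarchar(max);
SET @sql = N'SELECT * FROM #OrdersTable WHERE ShipCity = ''' + @ShipCity + N'''';
SELECT @sql AS statement_as_executed;
-- SELECT * FROM #OrdersTable WHERE ShipCity = 'Redmond'; drop table #OrdersTable--'
EXEC (@sql);
SELECT OBJECT_ID('tempdb..#OrdersTable') AS table_after_exec;   -- NULL: the table is gone
GO

CREATE TABLE #OrdersTable (OrderID int, ShipCity nvarchar(40));
INSERT INTO #OrdersTable VALUES (1, N'Redmond');
INSERT INTO #OrdersTable VALUES (2, N'Seattle');
GO

-- 2. sp_executesql: the statement text is a constant and the value is bound
--    as a typed parameter, so it can only be compared with ShipCity, never parsed.
DECLARE @ShipCity nvarchar(100);
SET @ShipCity = N'Redmond''; drop table #OrdersTable--';
EXEC sp_executesql
    N'SELECT * FROM #OrdersTable WHERE ShipCity = @city',
    N'@city nvarchar(100)',
    @city = @ShipCity;                                          -- returns no rows
SELECT OBJECT_ID('tempdb..#OrdersTable') AS table_after_param;  -- still there
GO
```

The second SELECT on OBJECT_ID is the check worth keeping in mind when reviewing code: with sp_executesql the whole payload is compared as one string against ShipCity and matches nothing, and the object it names is untouched.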

Filtering Input

Filtering input may also help protect against SQL injection by escaping the characters that end a string literal. However, because of the large number of characters that may pose problems, and because the escaping is only meaningful inside a string literal (it does nothing for a value spliced into a numeric comparison or an identifier position), this is not a reliable defense and should never be the only one. The following example doubles the character string delimiter so that a quotation mark inside the value cannot close the literal:

// Doubles every single quotation mark; only valid when the result is
// placed between single quotation marks in the statement.
private string SafeSqlLiteral(string inputSQL)
{
    return inputSQL.Replace("'", "''");
}

LIKE Clauses

Note that if you are using a LIKE clause, wildcard characters still must be escaped, even when the value is passed as a parameter: parameters stop the value from being parsed as SQL, but % and _ inside it remain pattern metacharacters and would widen the match. Escape [ first, because the brackets that the next two replacements add must not themselves be escaped:

// Order matters: escape "[" before adding the bracket escapes for "%" and "_".
s = s.Replace("[", "[[]");
s = s.Replace("%", "[%]");
s = s.Replace("_", "[_]");
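
The LIKE point, worked through in Transact-SQL as an added example that is not part of the original article: a prefix search whose parameter is bound correctly but not escaped still matches too much. The Authors/au_lname names come from the article's own queries; the three rows are constructed here.

```sql
-- Added example, not from the original article. The Authors/au_lname names
-- come from the article's own queries; the rows are constructed here.
CREATE TABLE #Authors (au_lname nvarchar(40));
INSERT INTO #Authors VALUES (N'Green');
INSERT INTO #Authors VALUES (N'Gr_en');
INSERT INTO #Authors VALUES (N'Gringlesby');
GO

DECLARE @input nvarchar(40);
SET @input = N'Gr_';    -- the user wants surnames that start with the literal text Gr_

-- Escape in this order: '[' first, because the brackets that the next two
-- replacements add must not themselves be escaped. Each input character can
-- grow to three, hence the larger buffer.
DECLARE @pattern nvarchar(200);
SET @pattern = REPLACE(REPLACE(REPLACE(@input, N'[', N'[[]'),
                                               N'%', N'[%]'),
                                               N'_', N'[_]') + N'%';

-- Bound as a parameter but not escaped: '_' is still a wildcard, so all three
-- rows come back (Green, Gr_en, Gringlesby).
EXEC sp_executesql
    N'SELECT au_lname FROM #Authors WHERE au_lname LIKE @p + N''%''',
    N'@p nvarchar(40)', @p = @input;

-- Bound and escaped: only Gr_en.
EXEC sp_executesql
    N'SELECT au_lname FROM #Authors WHERE au_lname LIKE @p',
    N'@p nvarchar(200)', @p = @pattern;
```

Neither query is injectable, which is the point: wildcard escaping is about result correctness (and, for a search endpoint, about not letting a caller turn a prefix search into a full scan with a leading %), not about injection.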

Reviewing Code for SQL Injection

You should review all code that calls EXECUTE, EXEC, or sp_executesql. You can use a query similar to the following to help you identify procedures that contain these statements. Only the distinct forms of the EXEC and EXECUTE patterns are listed; a call written with several spaces or a tab before the parenthesis will not match unless you add that variant or normalize white space before matching. Note also that syscomments splits long definitions into 4,000-character rows, so a pattern that straddles a row boundary is missed; on SQL Server 2005 and later, sys.sql_modules.definition holds each definition whole.

SELECT OBJECT_NAME(id) FROM syscomments
WHERE UPPER(text) LIKE '%EXECUTE (%'
   OR UPPER(text) LIKE '%EXECUTE(%'
   OR UPPER(text) LIKE '%EXEC (%'
   OR UPPER(text) LIKE '%EXEC(%'
   OR UPPER(text) LIKE '%SP_EXECUTESQL%'
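
The same review over sys.sql_modules, as an added example that is not part of the original article. It normalizes white space before matching, so "EXEC  (", "EXEC(" and a tab before the parenthesis all hit, and it labels each hit so the reviewer knows whether to look for an EXEC(string) concatenation or to check that an sp_executesql call binds every value as a parameter. The classification is a heuristic (a module using both is labelled by the first rule), and every hit still has to be read by hand.

```sql
-- Added example, not from the original article: review query over
-- sys.sql_modules (SQL Server 2005 and later).
SELECT OBJECT_SCHEMA_NAME(m.object_id) AS schema_name,
       OBJECT_NAME(m.object_id)        AS module_name,
       o.type_desc,
       CASE WHEN n.def LIKE '%SP_EXECUTESQL%'
            THEN 'sp_executesql: check that every value is bound as a parameter'
            ELSE 'EXEC(string): statement text is assembled at run time'
       END AS finding
FROM sys.sql_modules AS m
JOIN sys.objects AS o ON o.object_id = m.object_id
CROSS APPLY (
    -- Normalize white space so "EXEC  (", "EXEC(" and "EXEC<tab>(" all match:
    -- tabs and line breaks become spaces, then runs of spaces collapse to one
    -- (the CHAR(1)/CHAR(2) pair is a marker that cannot occur in T-SQL source).
    SELECT REPLACE(REPLACE(REPLACE(
               REPLACE(REPLACE(REPLACE(UPPER(m.definition), CHAR(9), ' '), CHAR(13), ' '), CHAR(10), ' '),
               ' ', CHAR(1) + CHAR(2)), CHAR(2) + CHAR(1), ''), CHAR(1) + CHAR(2), ' ') AS def
) AS n
WHERE n.def LIKE '%EXEC (%'    OR n.def LIKE '%EXEC(%'
   OR n.def LIKE '%EXECUTE (%' OR n.def LIKE '%EXECUTE(%'
   OR n.def LIKE '%SP_EXECUTESQL%'
ORDER BY schema_name, module_name;
```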
Wrapping Parameters with QUOTENAME() and REPLACE()

In each selected stored procedure, verify that all variables that are used in dynamic Transact-SQL are handled correctly. Data that comes from the input parameters of the stored procedure or that is read from a table should be wrapped in QUOTENAME() or REPLACE(). Remember that the input of QUOTENAME() is of type sysname, with a maximum length of 128 characters: an input longer than that makes QUOTENAME() return NULL rather than a quoted string, which is why longer values must go through REPLACE() instead.

@variable                    Recommended wrapper
Name of a securable          QUOTENAME(@variable)
String of ≤ 128 characters   QUOTENAME(@variable, '''')
String of > 128 characters   REPLACE(@variable, '''', '''''')

When you use this technique, a SET statement can be revised as follows:

--Before:
SET @temp = N'select * from authors where au_lname='''
    + @au_lname + N''''

--After:
SET @temp = N'select * from authors where au_lname='''
    + REPLACE(@au_lname,'''','''''') + N''''
Injection Enabled by Data Truncation

Any dynamic Transact-SQL that is assigned to a variable will be truncated if it is larger than the buffer allocated for that variable. An attacker who is able to force statement truncation by passing unexpectedly long strings to a stored procedure can manipulate the result. For example, the stored procedure that is created by the following script is vulnerable to injection enabled by truncation.

CREATE PROCEDURE sp_MySetPassword
    @loginname sysname,
    @old sysname,
    @new sysname
AS
-- Declare variable.
-- Note that the buffer here is only 200 characters long.
DECLARE @command varchar(200)

-- Construct the dynamic Transact-SQL.
-- For the attack to work, the truncated statement must be exactly 200
-- characters and end with username='sa'. The fixed text takes 26 characters
-- for the UPDATE statement, 16 for the WHERE clause and 4 for 'sa', so
-- QUOTENAME(@new, '''') must contribute 200 - 26 - 16 - 4 = 154 characters,
-- 2 of which are the quotation marks that QUOTENAME() puts around the value.
-- Because @new is declared as a sysname it can hold only 128 characters,
-- but QUOTENAME() doubles every single quotation mark in it, so 102 digits
-- followed by 25 quotation marks (127 characters) expand to the 154 needed.
SET @command= 'update Users set password=' + QUOTENAME(@new, '''')
    + ' where username=' + QUOTENAME(@loginname, '''')
    + ' AND password = ' + QUOTENAME(@old, '''')

-- Execute the command.
EXEC (@command)
GO

By passing a 127-character value that QUOTENAME() expands to 154 characters, an attacker fills the 200-character buffer exactly at username='sa'; the AND password = ... clause is silently cut off, and the call sets a new password for sa without knowing the old one:

EXEC sp_MySetPassword 'sa', 'dummy', '123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012'''''''''''''''''''''''''''''''''''''''''''''''''''

For this reason, you should use a large buffer for a command variable (nvarchar(max) removes the limit altogether) or directly execute the dynamic Transact-SQL inside the EXECUTE statement. Better still, pass the values to sp_executesql as parameters so that they are never part of the statement text and the buffer arithmetic does not arise.
Truncation When QUOTENAME(@variable, '''') and REPLACE() Are Used

Strings that are returned by QUOTENAME() and REPLACE() will be silently truncated if they exceed the space that is allocated. The stored procedure that is created in the following example shows what can happen.

CREATE PROCEDURE sp_MySetPassword
    @loginname sysname,
    @old sysname,
    @new sysname
AS
-- Declare variables.
DECLARE @login sysname
DECLARE @newpassword sysname
DECLARE @oldpassword sysname
DECLARE @command varchar(2000)

-- In the following statements, the data stored in temp variables
-- will be truncated because the buffer size of @login, @oldpassword,
-- and @newpassword is only 128 characters, but QUOTENAME() can return
-- up to 258 characters.
SET @login = QUOTENAME(@loginname, '''')
SET @oldpassword = QUOTENAME(@old, '''')
SET @newpassword = QUOTENAME(@new, '''')

-- Construct the dynamic Transact-SQL.
-- If @new contains 128 characters, then @newpassword will be '123... n
-- where n is the 127th character: the closing quotation mark is lost.
-- Because the string returned by QUOTENAME() has been truncated,
-- the command can be made to look like the following statement:
-- UPDATE Users SET password ='1234. . .[127] WHERE username=' -- other stuff here
SET @command = 'UPDATE Users set password = ' + @newpassword
    + ' where username =' + @login + ' AND password = ' + @oldpassword;

-- Execute the command.
EXEC (@command)
GO

Therefore, the following statement will set the passwords of all users to the value that was passed in the previous code.

EXEC sp_MyProc '--', 'dummy', '12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678'

You can force string truncation by exceeding the allocated buffer space when you use REPLACE(). The stored procedure that is created in the following example shows what can happen.

CREATE PROCEDURE sp_MySetPassword

@loginname sysname,

@old sysname,

@new sysname

AS

-- Declare variables.

DECLARE @login sysname

DECLARE @newpassword sysname

DECLARE @oldpassword sysname

DECLARE @command varchar(2000)

-- In the following statements, data will be truncated because

-- the buffers allocated for @login, @oldpassword and @newpassword

-- can hold only 128 characters, but QUOTENAME() can return

-- up to 258 characters.

SET @login = REPLACE(@loginname, '''', '''''')

SET @oldpassword = REPLACE(@old, '''', '''''')

SET @newpassword = REPLACE(@new, '''', '''''')

-- Construct the dynamic Transact-SQL.

-- If @new contains 128 characters, @newpassword will be '123...n

-- where n is the 127th character.

-- Because the string returned by QUOTENAME() will be truncated, it

-- can be made to look like the following statement:

-- UPDATE Users SET password='1234…[127] WHERE username=' -- other stuff here

SET @command= 'update Users set password = ''' + @newpassword + ''' where username='''

+ @login + ''' AND password = ''' + @oldpassword + '''';

-- Execute the command.

EXEC (@command)

GO

As with QUOTENAME(), string truncation by REPLACE() can be avoided by declaring temporary variables that are large enough for all cases. When possible, you should call QUOTENAME() or REPLACE() directly inside the dynamic Transact-SQL. Otherwise, you can calculate the required buffer size as follows. For @outbuffer = QUOTENAME(@input), the size of @outbuffer should be 2*(len(@input)+1). When you use REPLACE() and doubling quotation marks, as in the previous example, a buffer of 2*len(@input) is enough.

The following calculation covers all cases:

While len(@find_string) > 0, required buffer size =

round(len(@input)/len(@find_string),0) * len(@new_string)

+ (len(@input) % len(@find_string))
Truncation When QUOTENAME(@variable, ']') Is Used

Truncation can occur when the name of a SQL Server securable is passed to statements that use the form QUOTENAME(@variable, ']'). The following code shows this possibility.

CREATE PROCEDURE sp_MyProc

@schemaname sysname,

@tablename sysname,

AS

-- Declare a variable as sysname. The variable will be 128 characters.

-- But @objectname actually must accommodate 2*258+1 characters.

DECLARE @objectname sysname

SET @objectname = QUOTENAME(@schemaname)+'.'+ QUOTENAME(@tablename)

-- Do some operations.

GO

When you are concatenating values of type sysname, you should use temporary variables large enough to hold the maximum 128 characters per value. If possible, call QUOTENAME() directly inside the dynamic Transact-SQL. Otherwise, you can calculate the required buffer size as explained in the previous section.

SQL INJECTION

SQL Injection



SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker.

The primary form of SQL injection consists of direct insertion of code into user-input variables that are concatenated with SQL commands and executed. A less direct attack injects malicious code into strings that are destined for storage in a table or as metadata. When the stored strings are subsequently concatenated into a dynamic SQL command, the malicious code is executed.

The injection process works by prematurely terminating a text string and appending a new command. Because the inserted command may have additional strings appended to it before it is executed, the malefactor terminates the injected string with a comment mark "--". Subsequent text is ignored at execution time.

The following script shows a simple SQL injection. The script builds an SQL query by concatenating hard-coded strings together with a string entered by the user:

// Builds the query by gluing raw form input into the SQL text (vulnerable by design).
var ShipCity;
ShipCity = Request.form("ShipCity");
var sql = "select * from OrdersTable where ShipCity = '" + ShipCity + "'";

The user is prompted to enter the name of a city. If she enters Redmond, the query assembled by the script looks similar to the following:

SELECT * FROM OrdersTable WHERE ShipCity = 'Redmond'

However, assume that the user enters the following:

Redmond'; drop table OrdersTable--

In this case, the following query is assembled by the script:

SELECT * FROM OrdersTable WHERE ShipCity = 'Redmond';drop table OrdersTable--'

The semicolon (;) denotes the end of one query and the start of another. The double hyphen (--) indicates that the rest of the current line is a comment and should be ignored. If the modified code is syntactically correct, it will be executed by the server. When SQL Server processes this statement, SQL Server will first select all records in OrdersTable where ShipCity is Redmond. Then, SQL Server will drop OrdersTable.

As long as injected SQL code is syntactically correct, tampering cannot be detected programmatically. Therefore, you must validate all user input and carefully review code that executes constructed SQL commands in the server that you are using. Coding best practices are described in the following sections in this topic.
Validate All Input

Always validate user input by testing type, length, format, and range. When you are implementing precautions against malicious input, consider the architecture and deployment scenarios of your application. Remember that programs designed to run in a secure environment can be copied to an insecure environment. The following suggestions should be considered best practices:

* Make no assumptions about the size, type, or content of the data that is received by your application. For example, you should make the following evaluation:
o How will your application behave if an errant or malicious user enters a 10-megabyte MPEG file where your application expects a postal code?
o How will your application behave if a DROP TABLE statement is embedded in a text field?
* Test the size and data type of input and enforce appropriate limits. This can help prevent deliberate buffer overruns.
* Test the content of string variables and accept only expected values. Reject entries that contain binary data, escape sequences, and comment characters. This can help prevent script injection and can protect against some buffer overrun exploits.
* When you are working with XML documents, validate all data against its schema as it is entered.
* Never build Transact-SQL statements directly from user input.
* Use stored procedures to validate user input.
* In multitiered environments, all data should be validated before admission to the trusted zone. Data that does not pass the validation process should be rejected and an error should be returned to the previous tier.
* Implement multiple layers of validation. Precautions you take against casually malicious users may be ineffective against determined attackers. A better practice is to validate input in the user interface and at all subsequent points where it crosses a trust boundary.
For example, data validation in a client-side application may prevent simple script injection. However, if the next tier assumes that its input has already been validated, any malicious user that is capable of bypassing a client can have unrestricted access to a system.
* Never concatenate user input that is not validated. String concatenation is the primary point of entry for script injection.
* Do not accept the following strings in fields from which file names can be constructed: AUX, CLOCK$, COM1 through COM8, CON, CONFIG$, LPT1 through LPT8, NUL, and PRN.

When you can, reject input that contains the following characters.

Input character    Meaning in Transact-SQL
;                  Query delimiter.
'                  Character data string delimiter.
--                 Comment delimiter.
/* ... */          Comment delimiters. Text between /* and */ is not evaluated by the server.
xp_                Used at the start of the name of catalog-extended stored procedures, such as xp_cmdshell.

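
The checks in the list and table above, as an added example in Python (not code from the original article or from Microsoft's documentation): an allow-list validator that tests type, length, format and range for two typical fields, reports which of the tokens in the table appear in an input, and refuses the reserved device names where a file name is built. The field rules (a postal code of 3 to 10 letters, digits, spaces or hyphens; a quantity between 1 and 1000) and all function names are assumptions chosen for the illustration.

```python
import re

# Tokens the page's table says to reject when you can (their Transact-SQL meaning:
# query delimiter, string delimiter, comment delimiters, extended-procedure prefix).
SQL_METACHARACTERS = (";", "'", "--", "/*", "*/", "xp_")

# Device names the page lists as unacceptable where a file name may be built.
RESERVED_DEVICE_NAMES = frozenset(
    ["AUX", "CLOCK$", "CON", "CONFIG$", "NUL", "PRN"]
    + [f"COM{n}" for n in range(1, 9)]
    + [f"LPT{n}" for n in range(1, 9)]
)


class ValidationError(ValueError):
    """Raised when input fails a type, length, format or range check."""


def validate_postal_code(value, max_len=10):
    # Type, length and format are all checked before the value is accepted; the
    # allow-list pattern (letters, digits, space, hyphen) is a constructed example
    # of "accept only expected values" rather than any real postal format.
    if not isinstance(value, str):
        raise ValidationError("postal code must be a string")
    if not 3 <= len(value) <= max_len:
        raise ValidationError("postal code has an unexpected length")
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9 -]*[A-Za-z0-9]", value):
        raise ValidationError("postal code contains unexpected characters")
    return value.upper()


def validate_quantity(value, low=1, high=1000):
    # Range check for a numeric field; the text form must parse as an integer first.
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise ValidationError("quantity must be an integer")
    try:
        number = int(value)
    except ValueError:
        raise ValidationError("quantity must be an integer") from None
    if not low <= number <= high:
        raise ValidationError(f"quantity must be between {low} and {high}")
    return number


def sql_metacharacters_in(text):
    # Reports which of the page's rejected tokens appear, so the caller can refuse
    # the input and log why (case-insensitive, so XP_CMDSHELL is caught as well).
    lowered = text.lower()
    return [token for token in SQL_METACHARACTERS if token in lowered]


def validate_file_stem(name):
    # A file-name component: allow-listed characters first, then the reserved names.
    if not isinstance(name, str) or not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", name):
        raise ValidationError("file name contains unexpected characters")
    if name.upper() in RESERVED_DEVICE_NAMES:
        raise ValidationError(f"{name} is a reserved device name")
    return name


def is_rejected(check, value):
    # Helper for callers that only need a yes/no answer from one of the checks.
    try:
        check(value)
    except ValidationError:
        return True
    return False
```

This is the first layer the article asks for, applied where the data enters, and it is still only a layer: the token list catches the obvious cases, but as the Filtering Input section notes, there are too many problem characters for a deny list to be a reliable defence on its own, so the values still go to the database through parameters.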
Use Type-Safe SQL Parameters

The Parameters collection in SQL Server provides type checking and length validation. If you use the Parameters collection, input is treated as a literal value instead of as executable code. An additional benefit of using the Parameters collection is that you can enforce type and length checks. Values outside the range will trigger an exception. The following code fragment shows using the Parameters collection:

SqlDataAdapter myCommand = new SqlDataAdapter("AuthorLogin", conn);
myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;
SqlParameter parm = myCommand.SelectCommand.Parameters.Add("@au_id",
    SqlDbType.VarChar, 11);
parm.Value = Login.Text;

In this example, the @au_id parameter is treated as a literal value instead of as executable code. This value is checked for type and length. If the value of @au_id does not comply with the specified type and length constraints, an exception will be thrown.
Use Parameterized Input with Stored Procedures

Stored procedures may be susceptible to SQL injection if they use unfiltered input. For example, the following code is vulnerable:

SqlDataAdapter myCommand =
new SqlDataAdapter("LoginStoredProcedure '" +
Login.Text + "'", conn);

If you use stored procedures, you should use parameters as their input.
Use the Parameters Collection with Dynamic SQL

If you cannot use stored procedures, you can still use parameters, as shown in the following code example:

SqlDataAdapter myCommand = new SqlDataAdapter(
    "SELECT au_lname, au_fname FROM Authors WHERE au_id = @au_id", conn);
SqlParameter parm = myCommand.SelectCommand.Parameters.Add("@au_id",
    SqlDbType.VarChar, 11);
parm.Value = Login.Text;
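
The difference between the concatenated form and the parameterized form, as an added example that is not the article's code: Python's sqlite3 module stands in for ADO.NET and SQL Server (an assumption; SQLite is used only because it runs in-process and shares the quoting and comment syntax that the article's payload relies on). The table, its rows, and the varchar_parameter() check that imitates SqlDbType.VarChar with a declared length are constructed for the illustration.

```python
import sqlite3

# The article's own injection string, used here as constructed test input.
INJECTED_CITY = "Redmond'; drop table OrdersTable--"


class ParameterError(ValueError):
    """Raised when a value fails the type or length check of its parameter."""


def new_orders_db():
    # Throwaway in-memory database with a constructed OrdersTable.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE OrdersTable (OrderId INTEGER PRIMARY KEY, ShipCity TEXT NOT NULL)")
    conn.executemany("INSERT INTO OrdersTable (ShipCity) VALUES (?)", [("Redmond",), ("Seattle",)])
    return conn


def orders_table_exists(conn):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'OrdersTable'"
    ).fetchone()
    return row is not None


def orders_by_city_concatenated(conn, ship_city):
    # The article's vulnerable pattern: hard-coded SQL glued to raw input.
    # executescript() runs the whole text as a batch, as SQL Server would.
    sql = "select * from OrdersTable where ShipCity = '" + ship_city + "'"
    conn.executescript(sql)
    return sql


def varchar_parameter(value, max_len):
    # Stand-in for SqlDbType.VarChar with a declared length: type and length are
    # checked before the value is bound, and it is bound as data, never as SQL.
    if not isinstance(value, str):
        raise ParameterError("parameter must be a string")
    if len(value) > max_len:
        raise ParameterError(f"parameter longer than {max_len} characters")
    return value


def parameter_rejected(value, max_len):
    try:
        varchar_parameter(value, max_len)
    except ParameterError:
        return True
    return False


def orders_by_city_parameterized(conn, ship_city, max_len=40):
    # The placeholder is filled by the driver; the value is a literal, never code.
    city = varchar_parameter(ship_city, max_len)
    return conn.execute(
        "SELECT OrderId, ShipCity FROM OrdersTable WHERE ShipCity = ?", (city,)
    ).fetchall()


def injection_outcomes():
    # Runs both forms against fresh databases and reports what survived.
    vulnerable = new_orders_db()
    orders_by_city_concatenated(vulnerable, INJECTED_CITY)
    safe = new_orders_db()
    rows = orders_by_city_parameterized(safe, INJECTED_CITY)
    return {
        "table_after_concatenation": orders_table_exists(vulnerable),
        "table_after_parameter": orders_table_exists(safe),
        "rows_for_injected_value": rows,
    }
```

With the payload from the article, the concatenated form drops the table, while the parameterized form simply looks for a city literally named "Redmond'; drop table OrdersTable--" and finds nothing; the length check rejects over-long values before they are bound, which is the behaviour the article attributes to the Parameters collection.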

Filtering Input

Filtering input may also be helpful in protecting against SQL injection by removing escape characters. However, because of the large number of characters that may pose problems, this is not a reliable defense. The following example searches for the character string delimiter.

private string SafeSqlLiteral(string inputSQL)
{
return inputSQL.Replace("'", "''");
}

LIKE Clauses

Note that if you are using a LIKE clause, wildcard characters still must be escaped:

s = s.Replace("[", "[[]");
s = s.Replace("%", "[%]");
s = s.Replace("_", "[_]");

Reviewing Code for SQL Injection

You should review all code that calls EXECUTE, EXEC, or sp_executesql. You can use queries similar to the following to help you identify procedures that contain these statements.

SELECT object_Name(id) FROM syscomments
WHERE UPPER(text) LIKE '%EXECUTE (%'
OR UPPER(text) LIKE '%EXEC (%'
OR UPPER(text) LIKE '%SP_EXECUTESQL%'
-- Each LIKE pattern matches one spacing only. Repeat the EXECUTE and EXEC
-- predicates for the whitespace variants your code uses (no space, a tab,
-- several spaces), or the procedures written that way will not be listed.
Wrapping Parameters with QUOTENAME() and REPLACE()

In each selected stored procedure, verify that all variables that are used in dynamic Transact-SQL are handled correctly. Data that comes from the input parameters of the stored procedure or that is read from a table should be wrapped in QUOTENAME() or REPLACE(). Remember that the value of @variable that is passed to QUOTENAME() is of sysname, and has a maximum length of 128 characters.
@variable                    Recommended wrapper
Name of a securable          QUOTENAME(@variable)
String of ≤ 128 characters   QUOTENAME(@variable, '''')
String of > 128 characters   REPLACE(@variable,'''', '''''')

When you use this technique, a SET statement can be revised as follows:

--Before:
SET @temp = N'select * from authors where au_lname='''
    + @au_lname + N''''

--After:
SET @temp = N'select * from authors where au_lname='''
    + REPLACE(@au_lname,'''','''''') + N''''
Injection Enabled by Data Truncation

Any dynamic Transact-SQL that is assigned to a variable will be truncated if it is larger than the buffer allocated for that variable. An attacker who is able to force statement truncation by passing unexpectedly long strings to a stored procedure can manipulate the result. For example, the stored procedure that is created by the following script is vulnerable to injection enabled by truncation.

CREATE PROCEDURE sp_MySetPassword
    @loginname sysname,
    @old sysname,
    @new sysname
AS
-- Declare variable.
-- Note that the buffer here is only 200 characters long.
DECLARE @command varchar(200)

-- Construct the dynamic Transact-SQL.
-- In the following statement, we need a total of 154 characters
-- to set the password of 'sa'.
-- 26 for UPDATE statement, 16 for WHERE clause, 4 for 'sa', and 2 for
-- quotation marks surrounded by QUOTENAME(@loginname):
-- 200 - 26 - 16 - 4 - 2 = 154.
-- But because @new is declared as a sysname, this variable can only hold
-- 128 characters.
-- We can overcome this by passing some single quotation marks in @new.
SET @command = 'update Users set password=' + QUOTENAME(@new, '''') + ' where username=' + QUOTENAME(@loginname, '''') + ' AND password = ' + QUOTENAME(@old, '''')

-- Execute the command.
EXEC (@command)
GO

By passing 154 characters into a 128 character buffer, an attacker can set a new password for sa without knowing the old password.

EXEC sp_MySetPassword 'sa', 'dummy', '123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012'''''''''''''''''''''''''''''''''''''''''''''''''''

For this reason, you should use a large buffer for a command variable or directly execute the dynamic Transact-SQL inside the EXECUTE statement.
Truncation When QUOTENAME(@variable, '''') and REPLACE() Are Used

Strings that are returned by QUOTENAME() and REPLACE() will be silently truncated if they exceed the space that is allocated. The stored procedure that is created in the following example shows what can happen.

CREATE PROCEDURE sp_MySetPassword
    @loginname sysname,
    @old sysname,
    @new sysname
AS
-- Declare variables.
DECLARE @login sysname
DECLARE @newpassword sysname
DECLARE @oldpassword sysname
DECLARE @command varchar(2000)

-- In the following statements, the data stored in temp variables
-- will be truncated because the buffer size of @login, @oldpassword,
-- and @newpassword is only 128 characters, but QUOTENAME() can return
-- up to 258 characters.
SET @login = QUOTENAME(@loginname, '''')
SET @oldpassword = QUOTENAME(@old, '''')
SET @newpassword = QUOTENAME(@new, '''')

-- Construct the dynamic Transact-SQL.
-- If @new contains 128 characters, then @newpassword will be '123... n
-- where n is the 127th character.
-- Because the string returned by QUOTENAME() will be truncated,
-- it can be made to look like the following statement:
-- UPDATE Users SET password ='1234. . .[127] WHERE username=' -- other stuff here
SET @command = 'UPDATE Users set password = ' + @newpassword
    + ' where username =' + @login + ' AND password = ' + @oldpassword;

-- Execute the command.
EXEC (@command)
GO

Therefore, the following statement will set the passwords of all users to the value that was passed in the previous code.

EXEC sp_MySetPassword '--', 'dummy', '12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678'

You can force string truncation by exceeding the allocated buffer space when you use REPLACE(). The stored procedure that is created in the following example shows what can happen.

CREATE PROCEDURE sp_MySetPassword
    @loginname sysname,
    @old sysname,
    @new sysname
AS
-- Declare variables.
DECLARE @login sysname
DECLARE @newpassword sysname
DECLARE @oldpassword sysname
DECLARE @command varchar(2000)

-- In the following statements, data will be truncated because
-- the buffers allocated for @login, @oldpassword and @newpassword
-- can hold only 128 characters, but REPLACE() doubling every quotation
-- mark can return up to 256 characters.
SET @login = REPLACE(@loginname, '''', '''''')
SET @oldpassword = REPLACE(@old, '''', '''''')
SET @newpassword = REPLACE(@new, '''', '''''')

-- Construct the dynamic Transact-SQL.
-- If @new contains 128 characters, some of them quotation marks, the doubled
-- string no longer fits and @newpassword keeps only its first 128 characters.
-- Because the string returned by REPLACE() will be truncated, it
-- can be made to look like the following statement:
-- UPDATE Users SET password='1234...[127] WHERE username=' -- other stuff here
SET @command = 'update Users set password = ''' + @newpassword + ''' where username='''
    + @login + ''' AND password = ''' + @oldpassword + '''';

-- Execute the command.
EXEC (@command)
GO

As with QUOTENAME(), string truncation by REPLACE() can be avoided by declaring temporary variables that are large enough for all cases. When possible, you should call QUOTENAME() or REPLACE() directly inside the dynamic Transact-SQL. Otherwise, you can calculate the required buffer size as follows. For @outbuffer = QUOTENAME(@input), the size of @outbuffer should be 2*(len(@input)+1). When you use REPLACE() and doubling quotation marks, as in the previous example, a buffer of 2*len(@input) is enough.

The following calculation covers all cases:

While len(@find_string) > 0, required buffer size =
    round(len(@input)/len(@find_string),0) * len(@new_string)
    + (len(@input) % len(@find_string))
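
The truncation cases in the sections above and the buffer arithmetic, as an added example (not code from the article or from SQL Server): a Python model of QUOTENAME(), of assignment to a sysname variable, and of the two ways the article builds @command, executed against a throwaway SQLite Users table. SQLite is an assumption standing in for SQL Server; it shares the single-quote literal and -- comment rules, so it parses the truncated statement the same way. The Users rows, the 128-character password and all function names are constructed for the illustration; the NULL result of QUOTENAME() for inputs over 128 characters is SQL Server's documented behaviour.

```python
import sqlite3

SYSNAME_LEN = 128  # a sysname variable holds at most 128 characters


def quotename(value, quote_char="]"):
    # Model of Transact-SQL QUOTENAME(): wrap in the delimiter and double any closing
    # delimiter inside the value. SQL Server documents that inputs longer than 128
    # characters return NULL (modelled as None), so a result is never longer than
    # 2*128 + 2 = 258 characters, the figure the article quotes.
    if value is None or len(value) > SYSNAME_LEN:
        return None
    pairs = {"]": ("[", "]"), "[": ("[", "]"), "'": ("'", "'"), '"': ('"', '"')}
    open_q, close_q = pairs[quote_char]
    return open_q + value.replace(close_q, close_q * 2) + close_q


def assign_sysname(value):
    # Model of SET @var = value with @var declared sysname: a silent cut at 128.
    return None if value is None else value[:SYSNAME_LEN]


def build_command_truncating(loginname, old, new):
    # Mirrors the article's vulnerable procedure: each QUOTENAME() result is parked
    # in a sysname temporary before concatenation, so a 130-character result loses
    # its closing quotation mark and the statement changes meaning.
    parts = [assign_sysname(quotename(v, "'")) for v in (new, loginname, old)]
    if None in parts:
        return None  # NULL propagates through the concatenation, as in T-SQL
    new_q, login_q, old_q = parts
    return ("UPDATE Users SET password = " + new_q
            + " WHERE username = " + login_q + " AND password = " + old_q)


def build_command_inline(loginname, old, new):
    # The article's recommended shape: QUOTENAME() called inline, nothing squeezed
    # through a 128-character temporary.
    parts = [quotename(v, "'") for v in (new, loginname, old)]
    if None in parts:
        return None
    new_q, login_q, old_q = parts
    return ("UPDATE Users SET password = " + new_q
            + " WHERE username = " + login_q + " AND password = " + old_q)


def run_against_users(command):
    # Executes the generated statement on a throwaway SQLite Users table with
    # constructed rows (SQLite stands in for SQL Server here) and reports how many
    # rows changed and what the table holds afterwards.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("sa", "s3cret"), ("alice", "hunter2")])
    changed = conn.execute(command).rowcount
    passwords = dict(conn.execute("SELECT username, password FROM Users"))
    conn.close()
    return changed, passwords


def quotename_buffer_size(input_len):
    # The article's rule for @outbuffer = QUOTENAME(@input): 2*(len(@input)+1).
    return 2 * (input_len + 1)


def replace_buffer_size(input_len, find_len, new_len):
    # The article's general formula for REPLACE(@input, @find_string, @new_string).
    if find_len <= 0:
        raise ValueError("len(@find_string) must be > 0")
    return round(input_len / find_len) * new_len + (input_len % find_len)


# A 128-character password of the kind the article passes in, constructed here.
LONG_NEW_PASSWORD = "".join(str(n % 10) for n in range(1, SYSNAME_LEN + 1))

if __name__ == "__main__":
    print(run_against_users(build_command_truncating("--", "dummy", LONG_NEW_PASSWORD)))
    print(run_against_users(build_command_inline("--", "dummy", LONG_NEW_PASSWORD)))
```

Running it shows the truncating build updating both rows (the WHERE clause has become part of the password literal and the rest of the statement a comment) while the inline build updates none, and the two size helpers reproduce the article's 258 and 256 figures for a 128-character input. The same model also shows why the inline form is safe against over-long input: QUOTENAME() returns NULL, the whole command becomes NULL, and nothing runs.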
Truncation When QUOTENAME(@variable, ']') Is Used

Truncation can occur when the name of a SQL Server securable is passed to statements that use the form QUOTENAME(@variable, ']'). The following code shows this possibility.

CREATE PROCEDURE sp_MyProc
    @schemaname sysname,
    @tablename sysname
AS
-- Declare a variable as sysname. The variable will be 128 characters.
-- But @objectname actually must accommodate 2*258+1 characters.
DECLARE @objectname sysname
SET @objectname = QUOTENAME(@schemaname) + '.' + QUOTENAME(@tablename)

-- Do some operations.
GO

When you are concatenating values of type sysname, you should use temporary variables large enough to hold the maximum 128 characters per value. If possible, call QUOTENAME() directly inside the dynamic Transact-SQL. Otherwise, you can calculate the required buffer size as explained in the previous section.

SQL INJECTION

SQL Injection



SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker.

The primary form of SQL injection consists of direct insertion of code into user-input variables that are concatenated with SQL commands and executed. A less direct attack injects malicious code into strings that are destined for storage in a table or as metadata. When the stored strings are subsequently concatenated into a dynamic SQL command, the malicious code is executed.

The injection process works by prematurely terminating a text string and appending a new command. Because the inserted command may have additional strings appended to it before it is executed, the malefactor terminates the injected string with a comment mark "--". Subsequent text is ignored at execution time.

The following script shows a simple SQL injection. The script builds an SQL query by concatenating hard-coded strings together with a string entered by the user:

var Shipcity;
ShipCity = Request.form ("ShipCity");
var sql = "select * from OrdersTable where ShipCity = '" + ShipCity + "'";

The user is prompted to enter the name of a city. If she enters Redmond, the query assembled by the script looks similar to the following:

SELECT * FROM OrdersTable WHERE ShipCity = 'Redmond'

However, assume that the user enters the following:

Redmond'; drop table OrdersTable--

In this case, the following query is assembled by the script:

SELECT * FROM OrdersTable WHERE ShipCity = 'Redmond';drop table OrdersTable--'

The semicolon (;) denotes the end of one query and the start of another. The double hyphen (--) indicates that the rest of the current line is a comment and should be ignored. If the modified code is syntactically correct, it will be executed by the server. When SQL Server processes this statement, SQL Server will first select all records in OrdersTable where ShipCity is Redmond. Then, SQL Server will drop OrdersTable.

As long as injected SQL code is syntactically correct, tampering cannot be detected programmatically. Therefore, you must validate all user input and carefully review code that executes constructed SQL commands in the server that you are using. Coding best practices are described in the following sections in this topic.
Validate All InputValidate All Input

Always validate user input by testing type, length, format, and range. When you are implementing precautions against malicious input, consider the architecture and deployment scenarios of your application. Remember that programs designed to run in a secure environment can be copied to an insecure environment. The following suggestions should be considered best practices:

* Make no assumptions about the size, type, or content of the data that is received by your application. For example, you should make the following evaluation:
o How will your application behave if an errant or malicious user enters a 10-megabyte MPEG file where your application expects a postal code?
o How will your application behave if a DROP TABLE statement is embedded in a text field?
* Test the size and data type of input and enforce appropriate limits. This can help prevent deliberate buffer overruns.
* Test the content of string variables and accept only expected values. Reject entries that contain binary data, escape sequences, and comment characters. This can help prevent script injection and can protect against some buffer overrun exploits.
* When you are working with XML documents, validate all data against its schema as it is entered.
* Never build Transact-SQL statements directly from user input.
* Use stored procedures to validate user input.
* In multitiered environments, all data should be validated before admission to the trusted zone. Data that does not pass the validation process should be rejected and an error should be returned to the previous tier.
* Implement multiple layers of validation. Precautions you take against casually malicious users may be ineffective against determined attackers. A better practice is to validate input in the user interface and at all subsequent points where it crosses a trust boundary.
For example, data validation in a client-side application may prevent simple script injection. However, if the next tier assumes that its input has already been validated, any malicious user that is capable of bypassing a client can have unrestricted access to a system.
* Never concatenate user input that is not validated. String concatenation is the primary point of entry for script injection.
* Do not accept the following strings in fields from which file names can be constructed: AUX, CLOCK$, COM1 through COM8, CON, CONFIG$, LPT1 through LPT8, NUL, and PRN.

When you can, reject input that contains the following characters.
Input character Meaning in Transact-SQL

;


Query delimiter.

'


Character data string delimiter.

--


Comment delimiter.

/* ... */


Comment delimiters. Text between /* and */ is not evaluated by the server.

xp_


Used at the start of the name of catalog-extended stored procedures, such as xp_cmdshell.
Use Type-Safe SQL Parameters

The Parameters collection in SQL Server provides type checking and length validation. If you use the Parameters collection, input is treated as a literal value instead of as executable code. An additional benefit of using the Parameters collection is that you can enforce type and length checks. Values outside the range will trigger an exception. The following code fragment shows using the Parameters collection:

SqlDataAdapter myCommand = new SqlDataAdapter("AuthorLogin", conn);
myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;
SqlParameter parm = myCommand.SelectCommand.Parameters.Add("@au_id",
SqlDbType.VarChar, 11);
parm.Value = Login.Text;

In this example, the @au_id parameter is treated as a literal value instead of as executable code. This value is checked for type and length. If the value of @au_id does not comply with the specified type and length constraints, an exception will be thrown.
Use Parameterized Input with Stored Procedures

Stored procedures may be susceptible to SQL injection if they use unfiltered input. For example, the following code is vulnerable:

SqlDataAdapter myCommand =
new SqlDataAdapter("LoginStoredProcedure '" +
Login.Text + "'", conn);

If you use stored procedures, you should use parameters as their input.
Use the Parameters Collection with Dynamic SQL

If you cannot use stored procedures, you can still use parameters, as shown in the following code example:

SqlDataAdapter myCommand = new SqlDataAdapter(
"SELECT au_lname, au_fname FROM Authors WHERE au_id = @au_id", conn);
SQLParameter parm = myCommand.SelectCommand.Parameters.Add("@au_id",
SqlDbType.VarChar, 11);
Parm.Value = Login.Text;

Filtering Input

Filtering input may also be helpful in protecting against SQL injection by removing escape characters. However, because of the large number of characters that may pose problems, this is not a reliable defense. The following example searches for the character string delimiter.

private string SafeSqlLiteral(string inputSQL)
{
return inputSQL.Replace("'", "''");
}

LIKE Clauses

Note that if you are using a LIKE clause, wildcard characters still must be escaped:

s = s.Replace("[", "[[]");
s = s.Replace("%", "[%]");
s = s.Replace("_", "[_]");

Reviewing Code for SQL InjectionReviewing Code for SQL Injection

You should review all code that calls EXECUTE, EXEC, or sp_executesql. You can use queries similar to the following to help you identify procedures that contain these statements.

SELECT object_Name(id) FROM syscomments

WHERE UPPER(text) LIKE '%EXECUTE (%'

OR UPPER(text) LIKE '%EXECUTE (%'

OR UPPER(text) LIKE '%EXECUTE (%'

OR UPPER(text) LIKE '%EXECUTE (%'

OR UPPER(text) LIKE '%EXEC (%'

OR UPPER(text) LIKE '%EXEC (%'

OR UPPER(text) LIKE '%EXEC (%'

OR UPPER(text) LIKE '%EXEC (%'

OR UPPER(text) LIKE '%SP_EXECUTESQL%'
Wrapping Parameters with QUOTENAME() and REPLACE()

In each selected stored procedure, verify that all variables that are used in dynamic Transact-SQL are handled correctly. Data that comes from the input parameters of the stored procedure or that is read from a table should be wrapped in QUOTENAME() or REPLACE(). Remember that the value of @variable that is passed to QUOTENAME() is of sysname, and has a maximum length of 128 characters.
@variable Recommended wrapper

Name of a securable


QUOTENAME(@variable)

String of ≤ 128 characters


QUOTENAME(@variable, '''')

String of > 128 characters


REPLACE(@variable,'''', '''''')

When you use this technique, a SET statement can be revised as follows:

--Before:

SET @temp = N'select * from authors where au_lname='''

+ @au_lname + N''''

--After:

SET @temp = N'select * from authors where au_lname='''

+ REPLACE(@au_lname,'''','''''') + N''''
Injection Enabled by Data Truncation

Any dynamic Transact-SQL that is assigned to a variable will be truncated if it is larger than the buffer allocated for that variable. An attacker who is able to force statement truncation by passing unexpectedly long strings to a stored procedure can manipulate the result. For example, the stored procedure that is created by the following script is vulnerable to injection enabled by truncation.

CREATE PROCEDURE sp_MySetPassword

@loginname sysname,

@old sysname,

@new sysname

AS

-- Declare variable.

-- Note that the buffer here is only 200 characters long.

DECLARE @command varchar(200)

-- Construct the dynamic Transact-SQL.

-- In the following statement, we need a total of 154 characters

-- to set the password of 'sa'.

-- 26 for UPDATE statement, 16 for WHERE clause, 4 for 'sa', and 2 for

-- quotation marks surrounded by QUOTENAME(@loginname):

-- 200 – 26 – 16 – 4 – 2 = 154.

-- But because @new is declared as a sysname, this variable can only hold

-- 128 characters.

-- We can overcome this by passing some single quotation marks in @new.

SET @command= 'update Users set password=' + QUOTENAME(@new, '''') + ' where username=' + QUOTENAME(@loginname, '''') + ' AND password = ' + QUOTENAME(@old, '''')

-- Execute the command.

EXEC (@command)

GO

By passing 154 characters into a 128 character buffer, an attacker can set a new password for sa without knowing the old password.

EXEC sp_MySetPassword 'sa', 'dummy', '123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012'''''''''''''''''''''''''''''''''''''''''''''''''''

For this reason, you should use a large buffer for a command variable or directly execute the dynamic Transact-SQL inside the EXECUTE statement.
Truncation When QUOTENAME(@variable, '''') and REPLACE() Are Used

Strings that are returned by QUOTENAME() and REPLACE() will be silently truncated if they exceed the space that is allocated. The stored procedure that is created in the following example shows what can happen.

CREATE PROCEDURE sp_MySetPassword

@loginname sysname,

@old sysname,

@new sysname

AS

-- Declare variables.

DECLARE @login sysname

DECLARE @newpassword sysname

DECLARE @oldpassword sysname

DECLARE @command varchar(2000)

-- In the following statements, the data stored in temp variables

-- will be truncated because the buffer size of @login, @oldpassword,

-- and @newpassword is only 128 characters, but QUOTENAME() can return

-- up to 258 characters.

SET @login = QUOTENAME(@loginname, '''')

SET @oldpassword = QUOTENAME(@old, '''')

SET @newpassword = QUOTENAME(@new, '''')

-- Construct the dynamic Transact-SQL.

-- If @new contains 128 characters, then @newpassword will be '123... n

-- where n is the 127th character.

-- Because the string returned by QUOTENAME() will be truncated,

-- it can be made to look like the following statement:

-- UPDATE Users SET password ='1234. . .[127] WHERE username=' -- other stuff here

SET @command = 'UPDATE Users set password = ' + @newpassword

+ ' where username =' + @login + ' AND password = ' + @oldpassword;

-- Execute the command.

EXEC (@command)

GO

Therefore, the following statement will set the passwords of all users to the value that was passed in the previous code.

EXEC sp_MyProc '--', 'dummy', '12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678'

You can force string truncation by exceeding the allocated buffer space when you use REPLACE(). The stored procedure that is created in the following example shows what can happen.

CREATE PROCEDURE sp_MySetPassword
    @loginname sysname,
    @old sysname,
    @new sysname
AS
-- Declare variables.
DECLARE @login sysname
DECLARE @newpassword sysname
DECLARE @oldpassword sysname
DECLARE @command varchar(2000)
-- In the following statements, data will be truncated because
-- the buffers allocated for @login, @oldpassword and @newpassword
-- can hold only 128 characters, but REPLACE() doubling every quotation
-- mark can return up to 256 characters.
SET @login = REPLACE(@loginname, '''', '''''')
SET @oldpassword = REPLACE(@old, '''', '''''')
SET @newpassword = REPLACE(@new, '''', '''''')
-- Construct the dynamic Transact-SQL.
-- If @new contains 128 characters, @newpassword will be '123...n
-- where n is the 127th character.
-- Because the string returned by REPLACE() will be truncated, it
-- can be made to look like the following statement:
-- UPDATE Users SET password='1234…[127] WHERE username=' -- other stuff here
SET @command = 'update Users set password = ''' + @newpassword + ''' where username='''
    + @login + ''' AND password = ''' + @oldpassword + '''';
-- Execute the command.
EXEC (@command)
GO

As with QUOTENAME(), string truncation by REPLACE() can be avoided by declaring temporary variables that are large enough for all cases. When possible, you should call QUOTENAME() or REPLACE() directly inside the dynamic Transact-SQL. Otherwise, you can calculate the required buffer size as follows. For @outbuffer = QUOTENAME(@input), the size of @outbuffer should be 2*(len(@input)+1). When you use REPLACE() and doubling quotation marks, as in the previous example, a buffer of 2*len(@input) is enough.

The following calculation covers all cases:

While len(@find_string) > 0, required buffer size =
    round(len(@input)/len(@find_string),0) * len(@new_string)
    + (len(@input) % len(@find_string))
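
A hardened version of sp_MySetPassword, added here as an example and not the documentation's own code: the first procedure sizes each intermediate buffer with the 2*(len+1) rule given above, the second calls QUOTENAME() inline inside the expression that builds the dynamic statement (the form the text prefers), and the closing batch verifies the worst-case length. The procedure names are assumptions; the Users table and its columns are those used in the text.

```sql
CREATE PROCEDURE dbo.usp_SetPasswordSized   -- assumed name, not the documentation's
    @loginname sysname,
    @old       sysname,
    @new       sysname
AS
BEGIN
    SET NOCOUNT ON;
    -- Each input is at most 128 characters. QUOTENAME(x, '''') doubles every
    -- embedded quotation mark and adds two delimiters, so the result is at
    -- most 2 * (128 + 1) = 258 characters. Size the buffers for that, not sysname.
    DECLARE @login       nvarchar(258) = QUOTENAME(@loginname, '''');
    DECLARE @oldpassword nvarchar(258) = QUOTENAME(@old, '''');
    DECLARE @newpassword nvarchar(258) = QUOTENAME(@new, '''');
    DECLARE @command     nvarchar(2000);
    -- Three quoted values of at most 258 characters plus the fixed text fit in 2000.
    SET @command = N'UPDATE Users SET password = ' + @newpassword
                 + N' WHERE username = ' + @login
                 + N' AND password = ' + @oldpassword;
    EXEC (@command);
END
GO

-- Preferred form from the text: no intermediate buffer at all. QUOTENAME() is
-- evaluated inside the expression that builds @command, so the delimiters are
-- already in place before anything could be truncated.
CREATE PROCEDURE dbo.usp_SetPasswordInline   -- assumed name, not the documentation's
    @loginname sysname,
    @old       sysname,
    @new       sysname
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @command nvarchar(2000) =
          N'UPDATE Users SET password = ' + QUOTENAME(@new, '''')
        + N' WHERE username = ' + QUOTENAME(@loginname, '''')
        + N' AND password = ' + QUOTENAME(@old, '''');
    EXEC (@command);
END
GO

-- Check of the worst case: an input of 128 single quotation marks. The sized
-- buffer keeps the full 258-character result; a sysname buffer silently drops
-- everything past character 128, including the closing delimiter.
DECLARE @worst sysname       = REPLICATE(N'''', 128);
DECLARE @sized nvarchar(258) = QUOTENAME(@worst, '''');
DECLARE @short sysname       = QUOTENAME(@worst, '''');
SELECT LEN(@sized) AS sized_len, LEN(@short) AS truncated_len;
GO
```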

Truncation When QUOTENAME(@variable, ']') Is Used

Truncation can occur when the name of a SQL Server securable is passed to statements that use the form QUOTENAME(@variable, ']'). The following code shows this possibility.

CREATE PROCEDURE sp_MyProc
    @schemaname sysname,
    @tablename sysname
AS
-- Declare a variable as sysname. The variable will be 128 characters.
-- But @objectname actually must accommodate 2*258+1 characters.
DECLARE @objectname sysname
SET @objectname = QUOTENAME(@schemaname)+'.'+ QUOTENAME(@tablename)
-- Do some operations.
GO

When you are concatenating values of type sysname, you should use temporary variables large enough to hold the maximum 128 characters per value. If possible, call QUOTENAME() directly inside the dynamic Transact-SQL. Otherwise, you can calculate the required buffer size as explained in the previous section.