Encrypting and Decrypting passwords in SQL server


We have all come across scenarios where highly sensitive information such as passwords is stored in our database. During SQL injection or other unexpected attacks, it is highly likely that these table values get exposed. I will explain here a simple means of encrypting a password, followed by decrypting the same password for user authentication. But let me remind you that cracking this logic is easy. Also, if you are smart, you can write your own procedures to find the password from an encrypted one.

To encrypt a password, all you need to do is use the pwdencrypt('password') function.

Check the example below:
-- pwdencrypt returns a varbinary value for the given password
DECLARE @x varbinary(255)
SET @x = pwdencrypt('AAAA')
PRINT @x

The output of the above query would be (it will vary with your unique machine ID):
0x010036D726AE86834E97F20B198ACD219D60B446AC5E48C54F30

However, decrypting is not as simple as encrypting. In fact, there is no direct method to decrypt the password. Instead, SQL Server provides a function to compare the password you passed with the encrypted password: pwdcompare('password passed', encrypted password).

Check the example below:

select pwdcompare('AAAA', 0x01008C75C2236E7101F87898988A5AEEE995D4CDFD16A8C95ECD)

This query will return 1 or 0 depending on the equality of the password.
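Both values shown above are 26 bytes long and start with 0x0100. The Node.js sketch below is an added example, not code from the original post: it assumes that layout is a 2-byte version, a 4-byte salt and SHA-1 over the UTF-16LE password followed by the salt, shows the compare step under that assumption, and sets an application-side scrypt hash beside it. All function names and the sample salt are made up for the example.

```javascript
// Added example, not from the original post. Assumed layout of a legacy 0x0100 value:
// 2-byte version, 4-byte salt, then SHA-1(UTF-16LE(password) + salt).
const nodeCrypto = require('crypto');

// Split the hex string printed by SQL Server into salt and digest.
function parsePwdencrypt(hex) {
  const buf = Buffer.from(hex.replace(/^0x/i, ''), 'hex');
  if (buf.length !== 26 || buf.readUInt16BE(0) !== 0x0100) {
    throw new Error('not a 26-byte 0x0100 pwdencrypt value');
  }
  return { salt: buf.subarray(2, 6), digest: buf.subarray(6) };
}

// Build a value in the same layout so the example runs without a SQL Server.
function legacyHash(password, salt) {
  const digest = nodeCrypto.createHash('sha1')
    .update(Buffer.from(password, 'utf16le')).update(salt).digest();
  return '0x0100' + Buffer.concat([salt, digest]).toString('hex').toUpperCase();
}

// The pwdcompare step under that assumption: re-hash with the stored salt, then compare.
function legacyCompare(password, hex) {
  const { salt, digest } = parsePwdencrypt(hex);
  const candidate = parsePwdencrypt(legacyHash(password, salt)).digest;
  return nodeCrypto.timingSafeEqual(candidate, digest) ? 1 : 0;
}

// Hardened contrast: scrypt in the application, 16-byte random salt, tunable cost.
function scryptHash(password, salt = nodeCrypto.randomBytes(16)) {
  const key = nodeCrypto.scryptSync(password, salt, 32, { N: 16384, r: 8, p: 1 });
  return `scrypt$${salt.toString('hex')}$${key.toString('hex')}`;
}

function scryptVerify(password, stored) {
  const [, saltHex, keyHex] = stored.split('$');
  const again = scryptHash(password, Buffer.from(saltHex, 'hex')).split('$')[2];
  return nodeCrypto.timingSafeEqual(Buffer.from(again, 'hex'), Buffer.from(keyHex, 'hex'));
}

// Constructed sample: the salt is arbitrary, the password is the one used in the post.
const sample = legacyHash('AAAA', Buffer.from('0a0b0c0d', 'hex'));
console.log(sample, legacyCompare('AAAA', sample), legacyCompare('aaaa', sample));
const stored = scryptHash('AAAA');
console.log(stored.slice(0, 24) + '...', scryptVerify('AAAA', stored));
```

A single SHA-1 pass with a 4-byte salt costs almost nothing to recompute, which is why the logic is easy to crack once the table leaks; the scrypt variant makes every check deliberately expensive.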

Javascript pause method: To create delays in javascripts


Creating delays in JavaScript can be essential in certain specific scenarios, though I would recommend avoiding it in most cases.

The right way to create a delay is to use the setTimeout method in JavaScript, as below:

setTimeout(function () { alert('hello world'); }, 1500); // shows alert box after 1500 milliseconds

The lazy way or to be precise – the naughty way, can be obtained from the below function:

<html>
<head>
<title>Javascript Pause</title>

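<script type="text/javascript">
// Busy-wait: spins until the given number of milliseconds has elapsed.
// Nothing else on the page can run while this loop is spinning.
function pausejs(millis)
{
var date = new Date();
var curDate = null;
do { curDate = new Date(); }
while (curDate - date < millis);
}
</script>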

</head>
<body>

<form>
               <input type="button" value="Push this button to pause the page scripts by 1500 milliseconds" onClick="pausejs(1500);">
</form>

</body>
</html>

Of course, this is a naughty equivalent to the pause method. But after all you can have a pause method in your javascript.
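The difference between the two approaches, as an added example that is not part of the original post: the busy-wait holds the thread so an already queued timer cannot fire, while a Promise-based pause lets other callbacks run. The names sleep, timerRanDuringBusyWait and demo are made up for the example.

```javascript
// Added example, not from the original post.

// Same busy-wait as pausejs above: the thread spins and nothing else can run.
function pausejs(millis) {
  const start = Date.now();
  while (Date.now() - start < millis) { /* spin */ }
}

// Non-blocking pause: resolves after ms, leaving the event loop free meanwhile.
function sleep(ms) {
  return new Promise(function (resolve) { setTimeout(resolve, ms); });
}

// Queue a 0 ms timer, then busy-wait: the timer cannot fire until the
// busy-wait returns, however long it spins.
function timerRanDuringBusyWait(millis) {
  let fired = false;
  setTimeout(function () { fired = true; }, 0);
  pausejs(millis);
  return fired; // false: the callback is still waiting in the queue
}

// With sleep(), other callbacks keep running while we wait.
async function demo() {
  let ticks = 0;
  const timer = setInterval(function () { ticks += 1; }, 10);
  await sleep(100);
  clearInterval(timer);
  return ticks; // the interval callback was delivered during the pause
}

console.log('timer ran during busy-wait:', timerRanDuringBusyWait(50));
demo().then(function (ticks) { console.log('ticks during sleep:', ticks); });
```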

How to enable javascript in various browsers – help file


This is a help reference for sites that depend on JavaScript. You can use it in the page to which you redirect when JavaScript is disabled.

Microsoft Internet Explorer
1. On the Tools dropdown menu, click Internet Options, and then click the Security tab.
2. Click on the earth «Internet» icon, and then the Custom Level button.
3. Scroll to the bottom of the Settings list, and locate the section named Scripting.
4. Under the subsection Active Scripting, click Enable. Click OK.
5. Answer Yes to the confirm box that pops up. Click OK.
6. Reload the page by clicking the reload button, pressing F5 on the keyboard, or selecting the URL in the address bar and pressing the Enter key.

Firefox
1. Go to the «Edit» drop-down menu and click on «Preferences…».
2. In the «Category» list, click on «Advanced».
3. Click on «Scripts & Plugins».
4. Click the «Activate Javascript for» option, and then click OK.
5. Reload the page by clicking the reload button, pressing F5 on the keyboard, or selecting the URL in the address bar and pressing the Enter key.

Netscape Navigator
1. Go to the «Edit» drop-down menu and click on «Preferences…».
2. In the «Category» list, click on «Advanced».
3. Click the «Enable Javascript for Navigator» option, and then click OK.
4. Reload the page by clicking the reload button, pressing F5 on the keyboard, or selecting the URL in the address bar and pressing the Enter key.

Safari
1. Click the Settings (gear symbol) icon in the browser and go to “Preferences”, or press Ctrl + , on your keyboard.
2. Go to the “Security” tab.
3. Check the “Enable Javascript” check box.
4. Close the popup window.
5. Reload the page by clicking the reload button, pressing F5 on the keyboard, or selecting the URL in the address bar and pressing the Enter key.

You can use this content in the page to which you redirect under noscript scenarios. Hope this helps.

Best PNG Fix for IE 6


The PNG fix for IE6 has always been messier than expected. There have been a lot of out-of-the-box solutions available on the net. However, the best that worked for me was the “DD Belated PNG” fix.

It is a simple PNG fix specific for IE 6. I would recommend you to load it with an IE 6 specific check, as I found some issues with the script on IE8. So, getting back to the point, follow the steps below:

  • Download the DD_BelatedPNG.js file from here.
  • Register the script in your site as shown below:

<!--[if IE 6]>
<script src="DD_belatedPNG.js"></script>
<script>
  /* EXAMPLE */
  DD_belatedPNG.fix('.png_bg');
  
  /* string argument can be any CSS selector */
  /* .png_bg example is unnecessary */
  /* change it to what suits you! */
</script>
<![endif]-->

  • To know more about the possibilities and known issues, I would recommend you go through this site.
  • You can use it over special CSS selectors too. For instance, you have a CSS selector as below:

ul#mainnav li#subnav a:hover { background: url('images/nav-hover.png') no-repeat center center; }

In this case, you can do a png fix by calling the DD_belatedPNG fix statement below:

DD_belatedPNG.fix('li#subnav a:hover'); // for some reason, it is not accepting 3 levels of hierarchy.

 

This post is just a drop in the ocean. After a lot of thought, I ended up using this PNG fix, which has been good to me. Take this as a reference, go through Drew Diller's site and get rid of the messy IE6 PNG issue.

Setting write permission to App_Data for a Godaddy hosted site


“App_Data” is the folder where most of your site's user data ends up. Hence, for blogs or other sites that permit users to upload images, videos or files, it is essential to give write permission to the “App_Data” folder.

Scenario:

  • You have a GoDaddy account.
  • You would like to give write permission to the “App_Data” folder of the hosted site.

Solution:

  • Go to your hosted site control panel.
  • Select File Manager
  • Select the folder “App_Data” and set the file permissions.

Go through the screenshots below, they are self explanatory.

Beside the “eye” symbol, you will be able to find a “pen” symbol, indicating read and write permission on the “App_Data” folder.

Hope this post was useful!

SSRS: Making Excel the default export option for reportviewer


Most of us use the export to Excel in the report viewer (90% of the time), rather than picking from the ‘Select a format’ option. I will describe a simple method here to make Excel the default export option in the report viewer.

One quick note: You can go to the rsreportserver.config file in “\Program Files\Microsoft SQL Server\MSRS10.DEV\Reporting Services\ReportServer” directory and move the Excel option to the top. Check the screenshot below:

Unfortunately, this moves Excel to the top of the dropdown list options, but the ‘select a format’ option will still be the first option in the list. Check the screenshot below:

 

Now let's get back on track and look at a possible solution.

Problem: Set the Excel export as the default export option for the report viewer on load, and avoid the dropdown options being reset after Export is clicked.

 Solution: Consider the two controls in this context, the dropdown and the Export link. They are simple HTML controls that get rendered on the page. On load of the page, we will set the selected index to 1 or 3 (depending on the position of the Excel option; remember the option count starts from 0). Then set the “Export” link's onclick event to null and register a new piece of JavaScript for the onclick of the “Export” link.

The reason to bother about the click of the Export link is that its built-in handler blindly resets the dropdown to “selectedIndex = 0”, which we don’t want.

Let me take you through the steps clearly:

Step 1: In your aspx page that loads the report viewer, add the script tag at the end. By end, I mean after the reportviewer tag. Do check the IDs of the rendered controls and modify the script accordingly.

       <rsweb:ReportViewer ID="rpvMain" runat="server" Font-Names="Trebuchet MS, arial"
                 BackColor="#FFFFFF" InternalBorderColor="#CCCCCC" LinkDisabledColor="Black" AsyncRendering="true"
                ProcessingMode="Remote" SizeToReportContent="false" ShowPrintButton="false" ShowFindControls="false"
                Font-Size="12px" Width="970px" PromptAreaCollapsed="false" Style="text-align: left;display:inline;">
      </rsweb:ReportViewer>

     <script type="text/javascript">

        // Replacement click handler for the "Export" link
        function triggerExport() {
            var formatDropDown = document.getElementById('ctl00_cphMain_rpvMain_ctl01_ctl05_ctl00');
            // Index 0 is the 'select a format' entry: nothing to export
            if (formatDropDown.selectedIndex == 0)
                return false;
            // Open the export URL for the selected format in a new window
            window.open(document.getElementById('ctl00_cphMain_rpvMain').ClientController.m_exportUrlBase + encodeURIComponent(formatDropDown.value), '_blank');
            formatDropDown.selectedIndex = 1; //Change this to the appropriate index of Excel in the dropdown
            document.getElementById('ctl00_cphMain_rpvMain_ctl01_ctl05_ctl01').Controller.SetViewerLinkActive(formatDropDown.selectedIndex != 0);
            return false;
        }

        // On load: preselect Excel and swap the built-in click handler for triggerExport
        if (document.getElementById('ctl00_cphMain_rpvMain_ctl01_ctl05_ctl00') != null) {
            document.getElementById('ctl00_cphMain_rpvMain_ctl01_ctl05_ctl00').selectedIndex = 1; //Change this to the appropriate index of Excel in the dropdown
            document.getElementById('ctl00_cphMain_rpvMain_ctl01_ctl05_ctl01').onclick = null;
            document.getElementById('ctl00_cphMain_rpvMain_ctl01_ctl05_ctl01').onclick = triggerExport;
        }
    </script>

 Step 2: Run the page and check it.

NB: You can make it browser compatible, but I found it of no use, as SSRS has loads of issues with the other browsers. Also, if you see the click event and other JavaScript used in the SSRS controls, they all use document.getElementById. 😦 Quite depressing, I know.

If you wish to make the document.getElementById usage safe across other browsers, use the following function in your code:

function CustomGetElementById(elementId)
{
       return document.getElementById
        ? document.getElementById(elementId)
        : document.all
          ? document.all[elementId]
          : document.layers[elementId];
}

ex: CustomGetElementById('ctl00_cphMain_rpvMain_ctl01_ctl05_ctl01').onclick = null;

If you wish to remove the ‘select a format‘ option you can now go ahead and do it. It would be just a small modification to the above functions. I leave that to you.

Hope this post was useful.

Enabling SSRS remote error


There are two ways to do this:

  • Using rs command
  • Setting the DB properties

Using the rs command:

Step 1: Save the following in a text file and save it as ‘EnableRemoteErrors.rss’.

Public Sub Main()
  Dim P As New [Property]()
  P.Name = "EnableRemoteErrors"
  P.Value = True
  Dim Properties(0) As [Property]
  Properties(0) = P
  Try
    rs.SetSystemProperties(Properties)
    Console.WriteLine("Remote errors enabled.")
  Catch SE As SoapException
    Console.WriteLine(SE.Detail.OuterXml)
  End Try
End Sub

Step 2: Now open the command prompt and point to the rss file location (Start -> Run -> Cmd)

Step 3: Now run the rss file using the rs command, as shown below:

rs -i EnableRemoteErrors.rss -s http://servername/ReportServer

[Replace the ‘ReportServer’ with your report server name]

 Setting the DB properties:

This option is simple and direct, except for the fact that you need Management Studio.

  1. Start Management Studio and connect to a report server instance.
  2. Right-click the report server node, and select Properties.
  3. Click Advanced to open the properties page.
  4. In EnableRemoteErrors, select True.
  5. Click OK.

Hope this was helpful