Wednesday, April 19, 2006

Creating Word Reports Dynamically

From a while, I faced a problem in creating MS Word reports in web-based applications. Actually, I have an intranet application and I want to give the system user the ability to generate dynamic reports and view it in Microsoft Word.

After searching, I found that it's just a matter of changing the content type of the HTTP response. For example, if you are using ASP, then all what you will do is to make your report as a normal ASP page, but you will changing the content type of the response object to "application/msword". You can use any HTML tags as you need in side the report. But try to keep away from using images in your generated report as you may deal with URLs - and this depend on the connectivity state of the user.

Here is a sample code writen in ASP:


'Creating MS Word Document Dynamically



Response.ContentType = "application/msword"


' Your
Dynamic Content Here


That is all!. It's so simple which is not expected! Actually, you can use this method in generating Excel documents as well.

For more details about creating dynamic MS Word documents, read the following article:

Also, for .NET guys, here is an article about generating MS Word reports in ASP.NET:

You may find some problems in displaying the report on the browser. For example, when you trying to call the URL of the code that generates the report, you may find a pop-up message asking if you want to save or open the document. To disable this dialoge from appearing, open the "Folder Opions" of your IE, then "File Types", find the "DOC" format, then click on "Advanced" Button. Then uncheck the "Confirm Open After Download". This will open the report directly after calling its scripting page. That is all!

Sunday, April 16, 2006

New Service In Alex. Bibliotheque Museum

The Museum of the Alexandria bibliotheque has created a new service for its visitors allowing them to explore the museum pieces-of-art using a handled PC.

The visitor simply enters the piece ID, and all the related information is viewed on his handled. After the visitor finishes his tour, he can send all the information - he got in his tour - to his email address.

Thursday, April 13, 2006

AJAX - The New Giant

AJAX – Asynchronuos Javascript And XML – is a new technique introduced recently to give more richness to web applications. AJAX is totally executed on the client machine. We can consider AJAX as a Java Applet – The Sun technology – in the main idea.

Web applications in general can be formalized as a “Request” and a corresponding “Response”. In other word, any web application is synchronous – a request and an acknowledge (response). This criteria makes web applications some how not rich in developing. Many functionalities done in desktop applications is not easy to be performed in web development.

For example, suppose you want to make a small dictionary that accept a word in English and return the equivalent in Arabic. If your decision is to make this application as web-based application, then you will have a web form which accept your word, after submition, your browser will perform a request. In meanwhile, the whole page will be refreshed to give you finally the equivalent word in Arabic!

As you see, for this simple proces, there is no need to refresh the whole page just to get the translation of one english word. Offcourse, you hope that your user can enter his english word and after submission, the results is shown in the same page without refreshing. The process simplicity, make this experience. This is what your user expect from the application.

In desktop application, a process like that is so easy. However, in web application, this is some how so hard to be done.

AJAX comes to solve such kind of problems in web development. AJAX act like a background component which can make small requests and get the response without the need to refresh the webpage. The same way the desktop applications act.

Actually, we can’t define AJAX as a new technology. AJAX is a group of technologies, grouped to solve a certain problem faced by web developers. AJAX uses XHTML (Extended Hyperlink Text Markup Language), CSS (Cascaded Style Sheets), DOM, ActiveX, XML and offcourse Javascript.

AJAX is supported now with many browsers such as Internet Explorer 5 or later, Netscape, Mozilla, Firefox and Opera. The technique also can be seen in many online applications like Gmail and GoogleMaps.

AJAX now can be used in .NET applications using ATLAS component – a release of AJAX for .NET technology.

AJAX is spreading now. And we have now a new effecive tool in building rich web applications. However, we need to change the way we think about the web.

Monday, April 10, 2006

SQL Injection - Part 2

In part 1, we discussed a simple methodology in using SQL injection to break a security point in web applications. Actually, this was the simplest way. As you know more about the generated errors of the different database engines, you will do better with SQL injection.

Some methods of SQL injection, depends on how you can inject some SQL statement in the page parameters, to gain usefull errors! .. So funny, aha! Actually, these errors gives you some usefull information about the inner structure of the victim database. This will help in making greater destruction!

One of the SQL injection methods is to concatenating "Having" statement in your query string. As we know, "Having" is used alwayes with "Group by" statement to inforce some condition on the grouping SQL statement. But if the "Having" is inserted in a sql statement without "Group By" we get a horrible error!

Suppose we have web page which displays products for a certain category. For example, our page url is something like that:

The previous url will get all the products of the category that have ID = 1. Now, lets playing with this url and make the following trick: having 1=1 --

When submitting the previous url, the resulting page will display an error like that:

Microsoft OLE DB Provider for SQL Server (0x80040E14)

'products.ID' is invalid in the select list because it is not contained in an
aggregate function and there is no GROUP BY clause.

/products.aspx, line 24
SQL Server tried to execute the following SQL statement after injecting our "Having":

select * from products where catID=1 having 1=1 --

As you see, we have "Having" without "Group By". And in a SQL statement with "Group By" and "Having", all the columns after "SELECT" should be in the "Group By" clause. So, the db engine didn't find the first column which is "products.ID" in the "Group By" clause and throw this error.

Actually, we got two usefull infomration from this later error. The table name - "Products" and a column on it - "ID" column.

Now, Try to add the "ID" column after a "Group By" clause in the url: Group By ID having 1=1 --

You get the following error:

Microsoft OLE DB Provider for SQL Server (0x80040E14)

'products.Name' is invalid in the select list because it is not contained in an
aggregate function and there is no GROUP BY clause.

/products.asp, line 24

You got the idea, aha! .. You have now another column name in the table. You just go on with this trick until you got all the table columns!

Suppose, now you discovered that the "Products" table contains only 3 columns "ID", "Name", and "Description". And on a way or another you got that the site users are stored in a table called "users". Well, try to make the following trick. Inject a UNION statement in your url so that, you view products data followed by users data. Cool, isn't it?! UNION SELECT 1, username, password FROM users --

Now, you got a list of the products, followed by all the site users with their passwords!

Actually, you can be more destructive by executing some harming SQL statements. For example, you can make something like that:; drop table users;

Some database engines like SQL Server support such kind of SQL queries. You execute two or more queries in one time. Now, your victim loses his users table!

Also, you may execute some built-in stored procedures which exists in SQL server:; exec master..xp_cmdshell
'iisreset'; --

This was a short tour in exploring SQL injection.


SQL Injection - Part 1

Security .. This word repeated regularly when taking about critical applications. Actually, security is one of the most important aspects in developing applications, especially, web applications. Why? Because, web applications has a very unique property .. "It's a public application!". This means many people have access to your application, many people has access to your services. And as long as the accessibility increase, threatens also increase.

SQL Injections is one of the simplest and popular attacks on the net. However, it needs somehow experienced attackers in SQL and database engines.

Dynamic web forms usually receive parameters and according to these parameters the web-form rearrange its behavior and layout. Parameters are sent to the web-forms through HTTP using one of the two methods: GET or POST - Actually explaining these methods is out of our scope here.

For example, using GET method, we can send parameters to the web form like:

As shown, the "Login" page receives two parameters: username and pass. In your login page, you may check the credentials of the user using a SQL statement like that:

sql = "SELECT username, password FROM users WHERE username=" & username
& " AND password=" & password

Suppose that our lovely attacker now try to play with this login page. He will simply pass the parameters to this web-form as following: or 1=1

Actually, if this login page is for an administration page, for example, then you're in a critical situation! Why? .. The "password" parameter is now "mypass or 1=1". And after concatenated with the SQL statement in our page, the SQL statement will be like that:

SELECT username, password FROM users WHERE username=nour AND password = mypass or 1=1

As you can see, the WHERE condition will not return only one record. Actually, it will return all users records in your system. A great disaster! . So, if your authentication method is built on this query, it will return always results and any user can access it regardless of the given password! Actually, this is a simple demonstration of what can be done with SQL injection.

Wait for more in Part 2...