Multithreading is a powerful tool for creating high performance applications, especially those that require user interaction. Microsoft .NET has broken down the barriers that once existed in creating multithreaded applications.
Newer operating systems, such as Windows 2000, support pre-emptive multitasking, which allocates each thread a time slice. When the time slice of the currently executing thread has elapsed, the operating system suspends the thread, saves its context, loads the context of another thread, and that thread then resumes execution from its previous state. This gives the appearance that multiple threads are executing at the same time and helps prevent a single thread from making the whole system unresponsive. On systems with more than one processor, threads are distributed across all of the processors, so multiple threads really do execute at the same time.
.NET has been designed to support multi-threaded operation. There are two main ways of multi-threading in .NET:
Thread class
Thread pool
Every thread has a priority. You can assign different priorities to the threads in an application, telling the system which threads should run first, which can interrupt others and which cannot be interrupted. A thread with a higher priority can pre-empt a thread with a lower priority. The values for thread priority are:
Highest
AboveNormal
Normal
BelowNormal
Lowest
A thread can be paused for a given period of time. To make a thread pause, call the Sleep method with the number of milliseconds to sleep; the thread resumes after the specified milliseconds have elapsed.
We can stop a thread by using the Suspend() method. The thread then waits until you call it back into action with the Resume() method.
We can stop or abort a thread at any time by using the Abort() method. This destroys all the data related to that thread.
.NET makes it easy to add multithreading to your application. This can make the application more interactive and improve the user's experience.
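The ideas above (a Thread with an explicit priority, Sleep, and stopping or pausing a worker) as an added C# example that is not code from the original post; it uses a ManualResetEventSlim gate and a CancellationToken in place of Suspend/Resume/Abort, and the thread name, tick counter and sleep intervals are constructed for the demo.

```csharp
using System;
using System.Threading;
// Added example, not code from the original post: a worker thread with an explicit
// priority, Thread.Sleep for timed waits, and cooperative pause/resume/stop in
// place of Thread.Suspend/Resume/Abort, which are obsolete (all three throw
// PlatformNotSupportedException on .NET Core and later).
class Program
{
    // Gate open = running, gate closed = paused (replaces Suspend/Resume).
    static readonly ManualResetEventSlim RunGate = new ManualResetEventSlim(true);
    static int _ticks;
    static void Worker(CancellationToken token)
    {
        try
        {
            while (!token.IsCancellationRequested)
            {
                RunGate.Wait(token);      // parks while paused, wakes on cancel
                Interlocked.Increment(ref _ticks);
                Thread.Sleep(50);         // yields the rest of this time slice
            }
        }
        catch (OperationCanceledException) { /* cancelled while paused */ }
    }
    static void Main()
    {
        var cts = new CancellationTokenSource();
        var worker = new Thread(() => Worker(cts.Token))
        {
            Name = "worker",                       // constructed demo name
            Priority = ThreadPriority.BelowNormal, // one of the five values listed above
            IsBackground = true
        };
        worker.Start();
        Thread.Sleep(300);
        RunGate.Reset();                  // "suspend": worker stops at RunGate.Wait
        Thread.Sleep(100);                // let an in-flight iteration finish
        int before = Volatile.Read(ref _ticks);
        Thread.Sleep(300);
        Console.WriteLine($"paused: {before} -> {Volatile.Read(ref _ticks)} ticks");
        RunGate.Set();                    // "resume"
        Thread.Sleep(300);
        Console.WriteLine($"resumed: {Volatile.Read(ref _ticks)} ticks");
        cts.Cancel();                     // "abort", but cooperative and clean
        worker.Join();
        Console.WriteLine("worker exited");
    }
}
```

While the gate is closed the tick count stops changing, which is the observable difference between a paused and a running worker.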
Today, as a routine, after coming to the office and while checking my daily mails, it struck me how nice it feels to work in an employee-friendly environment. As soon as I come to the office, the first thing I do is check my mailbox and click on the “RedAlkemi’s Box of Knowledge” mail sent by HR, which includes a Quote of the day, a Health tip and an Amazing fact.
Next I check if there is any “Happy Birthday” e-mail. The Happy Birthday e-mail is a birthday-wishes mail sent by the HR team to the person whose birthday it is. It includes a lovely bouquet picture, the birthday boy’s / girl’s sun sign followed by information on famous people with whom he / she shares his / her birthday, a general prediction based on the sun sign and the email address of the person, so others can wish him / her as well. This mail also works as a reminder for others to wish their colleague(s). I always come to know whose birthday it is on a particular day even before I check my mailbox. How? Oh! It’s really simple: that person’s workstation is decorated with beautiful ribbons and colorful balloons.
You know what - I am always aware of the latest happenings in the IT industry, as HR makes sure to send a weekly “Top IT News” email to all the employees. So now you know the secret: it’s not only me but all RedAlkemi employees who are always aware of the latest happenings in the IT industry.
I also come to know when a new person joins our organization, as we get an induction e-mail. It includes his / her name, designation, qualification, interests and email address.
Now let me tell you about an interesting thing. We have something called a fun profile. You can check someone’s fun profile by clicking on his / her name under the signature lines in the email. In the fun profile you’ll find information about the person, like his hobbies, interests, favorite food, what he is scared of, etc. So next time you receive any RA employee’s email, make sure to click on his / her name in the signature line to learn more about him / her. Believe me, it’s fun!
SQL Injection is a technique where an attacker creates or alters SQL queries to expose hidden data, override valuable data, or even execute dangerous system-level commands on the database host. It becomes possible when the application takes user input and combines it with static text to build a SQL query.
Using SQL injection, a user can damage the database, delete tables, insert fake data, steal sensitive information, or delete the database altogether.
To avoid this, the application code itself must be written to resist injection, with proper validation on the server side, where the attacker cannot bypass it.
The following example will make the process of SQL injection clear.
Example: Login form. When you enter text in the Username and Password fields of a login screen, the data you input is typically inserted into an SQL command. This command checks the data you’ve entered against the relevant table in the database. If your input matches a row in the table, you’re granted access. If not, you’re turned away.
How to Test for SQL Injection Vulnerabilities:
Suppose we enter the following string in the Username field: ' OR 1=1 --
The authorization SQL query run by the server, the command that must be satisfied to allow access, will be something along the lines of:
SELECT * FROM users WHERE username = 'USRTEXT' AND password = 'PASSTEXT'
…where USRTEXT and PASSTEXT are what the user enters in the login fields of the web form.
So entering ' OR 1=1 -- as your username could result in the following actually being run:
SELECT * FROM users WHERE username = '' OR 1=1 --' AND password = ''
1 is always equal to 1, so the WHERE clause is true for every row, and the -- turns the rest of the line, including the password check, into a comment. If the site grants access on this input, it is not secure.
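The login query above, as an added C# example that is not code from the original post: the concatenated form that the probe input breaks, beside a parameterised form that it does not. It assumes the Microsoft.Data.Sqlite package, and the users table, the sample row and the LoginDemo class are constructed for the demo.

```csharp
using System;
using Microsoft.Data.Sqlite;   // NuGet package Microsoft.Data.Sqlite (assumed available)
// Added example, not code from the original post: the article's login query built
// by string concatenation beside a parameterised version, run against a
// constructed in-memory SQLite table so the bypass and the fix are both visible.
static class LoginDemo
{
    static SqliteConnection Open()
    {
        var conn = new SqliteConnection("Data Source=:memory:");
        conn.Open();
        using var setup = conn.CreateCommand();
        // Constructed sample row; a plaintext password only to keep the demo short.
        setup.CommandText = "CREATE TABLE users(username TEXT, password TEXT);" +
                            "INSERT INTO users VALUES ('alice', 's3cret');";
        setup.ExecuteNonQuery();
        return conn;
    }

    // Vulnerable: USRTEXT/PASSTEXT are pasted into the SQL text, so a quote in the
    // input changes the structure of the query, exactly as in the article.
    public static bool LoginConcatenated(string user, string pass)
    {
        using var conn = Open();
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM users WHERE username = '" + user +
                          "' AND password = '" + pass + "'";
        return Convert.ToInt64(cmd.ExecuteScalar()) > 0;
    }

    // Hardened: the SQL text is fixed and the input travels as parameter values that
    // the database never parses as SQL. Length and type checks are still worth
    // having, but this is the control that actually closes the hole.
    public static bool LoginParameterised(string user, string pass)
    {
        using var conn = Open();
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM users WHERE username = $u AND password = $p";
        cmd.Parameters.AddWithValue("$u", user);
        cmd.Parameters.AddWithValue("$p", pass);
        return Convert.ToInt64(cmd.ExecuteScalar()) > 0;
    }

    static void Main()
    {
        const string probe = "' OR 1=1 --";   // the username from the article
        Console.WriteLine("legit, concatenated:  " + LoginConcatenated("alice", "s3cret"));
        Console.WriteLine("probe, concatenated:  " + LoginConcatenated(probe, ""));
        Console.WriteLine("probe, parameterised: " + LoginParameterised(probe, ""));
    }
}
```

Running it shows the concatenated check accepting the probe with an empty password while the parameterised check rejects it, because the parameter value is compared as data rather than parsed as SQL.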
Prevention Techniques: These are a few basic techniques that, if applied to the code, will go a long way toward making the website more secure and robust.
Editing Lengths of Form Components: There should be proper validation of field lengths. Restrict input fields to the absolute minimum; usually anywhere from 7-12 characters is fine. Long queries then cannot be entered, since the field only accepts enough characters for short input. This will not by itself prevent SQL injection, but it makes the work harder for those trying to exploit one.
Data Type Validation: Proper data type validation should be implemented on all form fields. Numeric fields should accept only numeric values and text fields only textual data. If a user has to input an age, make sure the input is an actual number; if it is a date, make sure it is in the proper format. This cannot by itself prevent SQL injection either, but it makes the work harder for those trying to exploit an SQL server.
User Privileges: User privileges at the database level should be applied properly. The main user the application uses to create its connection should not have the privilege to delete tables or databases. It is better to create a separate “super user” in one’s own database that can create, drop and edit tables at will, and the security-conscious webmaster will want to create individual users that can only do one or two tasks each. This is still useful for limiting what an attacker can reach, as well as minimizing the risk from areas of a website that aren’t critical to the security of the database.
Magic Quotes: Magic quotes are horrible for portability and performance, and they mess with other data that doesn’t need to be escaped:
Many scripts written with magic quotes won't work on servers that have (sensibly) turned the feature off.
Performance is lost because not all of the data is going into a database, so escaping all of it wastes processing time.
Magic quotes are simply inconvenient. They add an extra slash (\) to all of our form data even when it isn't needed, and we then have to run another process to undo it. (If you have been unfortunate enough to use magic quotes, look up the stripslashes() function, and consider switching if possible.)