Changes over Thanksgiving Break 11/27/13 - 12/2/13

Math Drill:

• Added database for storing users and passwords
• Database stores sha256 salted hashes of passwords
• Tried some simple SQL injection attacks on the username field.  The python code interfacing with SQL was: ('SELECT password FROM users WHERE id = \"' + username + '\"').fetchone()
• First attack: a"; INSERT INTO users VALUES ("injection", "ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb");" was typed into the username field
• This results in the following line being sent to sqlite, where bold text is the injected SQL:
  SELECT password FROM users WHERE id = "a"; INSERT INTO users VALUES ("injection", "ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb");""
• This gave an error: sqlite3.Warning: You can only execute one statement at a time.
• The second attack doesn't create a new statement, but instead adds SQL logic to the end of the executed statement
• The SQL code executed looks like: SELECT password FROM users WHERE id = "a" OR ""=""
• Normally, to sign in the user would have to enter username(testuser), password(password) to login. However, by using the username and password combination username(a" OR ""="), password(password), one can sign in without entering the username. This username string with injected SQL logic is equivalent to typing the username of the first user in the database, in this case the user "testuser".
• Fixed injection by changing the execute statement to cur.execute('SELECT password FROM users WHERE id = ?', (username, )).fetchone()
  This protects against injection attacks
• Sanitized input on the "add students" page by removing non alpha-numeric characters entered by the user
• Started working on a session cookie

Website:

• Changed CSS a bit:
• Made use of border-bottom and border-top properties instead of using custom <hr> elements
• Added hover properties to links in the header