30 Jan

Access Control in MySQL Stored Routines: DEFINER, INVOKER & SQL SECURITY

MySQL stored routines (functions and procedures) are not only used to improve performance; they are also handy for enhancing security and restricting user access. This post walks through the security aspects of stored routines by example.

By the definition of a stored routine:
– The DEFINER clause specifies the creator of the stored routine.
– The SQL SECURITY clause specifies the execution context of the stored routine.

Now let’s start with an example:

Create a very basic stored procedure in the test database:

DELIMITER //
CREATE PROCEDURE user_cnt()
BEGIN
  SELECT COUNT(*) AS total_user FROM mysql.user;
END //
DELIMITER ;

Our current user is: root@localhost
[ You can see your current user by issuing select CURRENT_USER(); ]

Call the procedure:
CALL user_cnt()\G
total_user: 10

Here, we created a stored routine as the root@localhost user.
– DEFINER: the user who created this procedure, i.e. root@localhost.
– SQL SECURITY: defines under whose privileges the routine is executed; defaults to DEFINER, i.e. root@localhost.

Because SQL SECURITY is set to DEFINER, a user holding nothing more than the EXECUTE privilege on the routine can call it and get its output, regardless of whether that user has any privileges on the mysql database.

Let's see how this works. Create an execuser account with limited privileges:
GRANT EXECUTE ON test.* TO 'execuser'@'localhost' IDENTIFIED BY 'execuser';
FLUSH PRIVILEGES;

Log in to the mysql prompt as execuser and call the procedure created in the test database:
mysql> CALL user_cnt()\G
total_user: 10

Now check that the equivalent direct query, issued by execuser, fails for lack of privileges:
mysql> select count(*) from mysql.user;
ERROR 1142 (42000): SELECT command denied to user 'execuser'@'localhost' for table 'user'

– Thus a stored procedure lets us deny users direct access to tables while still giving them access to certain data.
– User execuser@localhost has no privileges on the mysql database, yet it could still get the data.
– Because SQL SECURITY was set to DEFINER (the default), the routine executed under the security context of root@localhost and returned the result.

Is this behaviour something you don't want to happen? We have a way out here.
Let's rewrite the stored procedure as below:

DELIMITER //
DROP PROCEDURE IF EXISTS user_cnt //
CREATE DEFINER='root'@'localhost' PROCEDURE user_cnt()
SQL SECURITY INVOKER
BEGIN
  SELECT COUNT(*) AS total_user FROM mysql.user;
END //
DELIMITER ;

– Did you note “SQL SECURITY INVOKER”? That's our saviour.
– We've specified the DEFINER attribute explicitly.
– SQL SECURITY decides under whose privileges the stored routine executes. Here it is INVOKER: the user that CALLs the routine.

Let's check again as the execuser@localhost user:
mysql> call user_cnt();
ERROR 1142 (42000): SELECT command denied to user 'execuser'@'localhost' for table 'user'

So it is now clear that the stored routine tried to execute the SELECT under the INVOKER's (execuser@localhost) privileges, and it failed because the INVOKER has no privileges on the user table.

Finally, a few points:
– Together, the DEFINER and SQL SECURITY clauses define the security context used while the routine executes.
– The DEFINER attribute defaults to the current user and identifies the creator of the stored routine.
– SQL SECURITY defines whose privileges the stored routine executes with, and defaults to DEFINER.
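Two follow-ups a DBA would want after the walkthrough above, as an added example that is not part of the original post: an information_schema query that lists every routine still running under its definer's privileges, and the DEFINER pattern applied with a dedicated least-privilege account instead of root, so the "no direct table access, but still get the count" benefit is kept without the routine executing as a superuser. The account name routine_owner and its password are assumptions.

```sql
-- Added example, not from the original post.
-- Audit first: which routines run with their definer's privileges, and who is that definer?
SELECT ROUTINE_SCHEMA, ROUTINE_NAME, ROUTINE_TYPE, DEFINER, SECURITY_TYPE
FROM information_schema.ROUTINES
WHERE SECURITY_TYPE = 'DEFINER'
ORDER BY ROUTINE_SCHEMA, ROUTINE_NAME;

-- Option 1: keep the body and switch an existing routine to the caller's
-- privileges (same effect as the SQL SECURITY INVOKER rewrite in the post).
ALTER PROCEDURE test.user_cnt SQL SECURITY INVOKER;

-- Option 2: keep SQL SECURITY DEFINER, but make the definer a dedicated account
-- that holds only the privilege the body needs (SELECT on mysql.user).
-- 'routine_owner' and its password are assumed names. ACCOUNT LOCK (5.7.6+)
-- means the definer can never log in; it exists only to lend its privileges.
-- CREATE DEFINER for an account other than your own needs SUPER (or SET_USER_ID).
CREATE USER 'routine_owner'@'localhost' IDENTIFIED BY 'change-me' ACCOUNT LOCK;
GRANT SELECT ON mysql.user TO 'routine_owner'@'localhost';

DELIMITER //
DROP PROCEDURE IF EXISTS test.user_cnt //
CREATE DEFINER='routine_owner'@'localhost' PROCEDURE test.user_cnt()
SQL SECURITY DEFINER
BEGIN
  SELECT COUNT(*) AS total_user FROM mysql.user;
END //
DELIMITER ;

-- execuser (EXECUTE on test.*) can still CALL test.user_cnt(), but the routine
-- now runs with routine_owner's SELECT privilege rather than root's.
```

Re-running the audit query afterwards shows test.user_cnt with DEFINER routine_owner@localhost, so a later reviewer can see at a glance that no routine lends out root's privileges.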

I hope this cleared the basics; thanks for reading.

26 Jan

Xtreme Movie Review: Agneepath Agneepath Agneepath (2012)


Agneepath… Agneepath… Agneepath…

Vruksh ho bhale khade,
ho ghane ho bade,
Ek patra chhanh bhi,
mang mat, mang mat, mang mat,
Agnipath, Agnipath, Agnipath…

Oh yes… This action-thriller will surely make you feel the word “Agneepath”. The movie, as promoted, has lived on REVENGE and lived up to the mark.
Sanjay Dutt as ‘Kancha’, Hrithik Roshan as ‘Vijay Dinanath Chauhan’ and Rishi Kapoor as ‘Rauf Lala’ are well-written characters, brilliantly played by each of them.
Script, music, action, and everything else that makes a movie are in place and hold together nicely.
The movie grabs you from the beginning till the end!

The emotions and the feeling of revenge are extraordinarily sharpened, stretched to the limits in the script and greatly executed.
Vijay Dinanath Chauhan, a classic character played by the great Amitabh Bachchan, has always left a great impact on the minds of viewers. And this remake, Agneepath (2012), is undisputedly an effective, well-directed and fully enjoyable movie.

Tu na thakega kabhi,
tu na thamega kabhi,
tu na mudega kabhi,
Kar shapath, Kar shapath, Kar shapath,
Agnipath, Agnipath, Agnipath…

“Vijay Deenanath Chauhan, poora naam, baap ka naam Deenanath Chauhan, gaon Mandwa.”

Vijay’s father, Dinanath Chauhan, was a teacher in the village Mandwa who taught him the path of fire. Kancha hangs Dinanath and kicks him out of his way to become a drug mafia boss and rule the people. Vijay leaves for Mumbai with his mother and eventually gets to know Rauf Lala after following Kancha to Mumbai. Vijay plays and uses Rauf to reach Kancha, challenges Kancha at the end and completes the REVENGE… as usual :)… During the movie Vijay is well supported by Kaali.

The movie is better watched 🙂

Sanjay Dutt AKA Kancha is HUGE. Sanjay has done a great job with his look, size & act… 🙂
The way Kancha enters holding Holy Geeta makes a great impact. Kancha recites a few funny dialogues like “To ramji Lankaa padhaar gaye hain; dekho vaanar to nahin aaye!”

Kancha Agneepath 2012-tu kya lekar aaya tha, tu kya lekar jaega
[ PS: this is my facebook cover image 🙂 ]


tum kya leke aaye the…
tum kya leke jaoge…
rahejayega toh sirf ek he insaan…
sarva sakti sali sarva saktimaa…
kaancha…

As they have done a great job of filming “REVENGE”, some of the scenes are so intense that “a few girls” won’t like them… 🙂 But that builds the roots of the story and lets you feel the heat of Agneepath.

About “Chikni Chameli”: surely I’d love to see Katrina 1000 times, but not a single time like in this song! For me the dance steps were pathetic; the music is good but a complete copy! Of course music director duo Ajay-Atul copied from their Marathi hit number “Kombadi”.
All songs are good, but my favourite is “Abhi Mujh Mein Kahin” by Sonu Nigam.
BTW did you notice the statutory warnings “Smoking is injurious to health” during the song after Katrina lit the bidis!!

Yes, of course, Priyanka as Kaali and Om Puri as Gaaytonde are good too…
Agneepath (1990) & Agneepath (2012) both are my favourites but which Vijay do you think is better?
Thanks Karan Malhotra & Karan Johar for the great remake.

Ye mahan drushya hai,
Chal raha manushya hai,
ashru, swed, rakt se,
lathpat, lathpat, lathpat..
Agnipath, Agnipath, Agnipath…

WOW awesome movie after a long time…

18 Nov

JaxtrSMS-Send Free SMS Worldwide | Download for iPhone, Android, BlackBerry, Java

Introducing JaxtrSMS, the world’s first free and open texting app, a revolutionary product from co-founders Sabeer Bhatia & Yogesh Patel.

Sending free text messages (free SMS) has now expanded globally thanks to JaxtrSMS.
JaxtrSMS enables you to cross the horizons of communication and gives you the power to reach anyone, anywhere around the globe. JaxtrSMS is seemingly attempting to become your global SMS carrier.
Be it an iPhone, Android, BlackBerry, Windows Mobile, J2ME or Symbian phone, just install JaxtrSMS and you’re ready to communicate world-wide for free.

JaxtrSMS works flawlessly on Wi-Fi and 3G. It sends totally free SMS/messages to everyone in your address book, regardless of whether they have the app or not.

1. Download & Install JaxtrSMS.




2. Registering your mobile number.
Registering for free text SMS is quite simple. Normally you get verified automatically. In case you run into difficulties, JaxtrSMS also lets you verify through a call. So if your JaxtrSMS verification fails, or you cannot verify otherwise, you can still get verified by call.
I found three ways people can register with JaxtrSMS:
– JaxtrSMS auto verification.
– JaxtrSMS verification through a verification link.
– JaxtrSMS verification through a call.

How to get Verified on JaxtrSMS, if you are unable to register?
Check out this Video:

In case of difficulty or problem in registering JaxtrSMS, you have the support email available on website. Contact JaxtrSMS support: support@jaxtrsms.com

3. Send Free SMS Worldwide.
That’s it! Installing and registering JaxtrSMS adds power to your mobile! You’re now all set to reach out across the globe with free SMS and messages.

What’s coming?
Well, JaxtrSMS has more to offer, and it seems it will be selling global numbers soon!

Well, another reason for believing in JaxtrSMS is in the “about” section. Yep! That’s the name: Sabeer Bhatia as CEO & Yogesh Patel as President, co-founders of JaxtrSMS.

For updates follow JaxtrSMS on facebook and twitter:
https://www.facebook.com/pages/JaxtrSMS#!/pages/JaxtrSMS/126927537410938
https://twitter.com/#!/jaxtrsms

I personally tested this and Loved it! Try JaxtrSMS – Send free SMS Worldwide!
Update:
– JaxtrSMS is now free only for India and US.
– For other countries you can purchase their sms packs from https://pay.jaxtrsms.com. You can check their rates (claimed to be cheapest) from https://pay.jaxtrsms.com/pps/jaxrate.jsp.
Update:
– JaxtrSMS is no longer free, but of course they have really competitive and cheaper SMS rates. Try them.

04 Nov

Software Quality Attributes-Parameters Explained

What is software quality, and what attributes are used to measure it? This is a very common question in testing or QA interviews, and many software testers and quality analysts don’t know the attributes at all. This post helps you understand them in simple words.

Software Quality:

Software quality is the characteristic of the software that defines how well the software meets the customer requirements, business requirements, coding standards etc. It can be divided into two categories:

Software Functional Quality: characteristics that define how well the software meets functional requirements, and how well it satisfies the end-users.

Software Non-Functional Quality: characteristics that define how well structural requirements are met that support the delivery of functional requirements. It is usually related to software code and internal structure.

The different software qualities can be measured through various software testing techniques and tools. Following are the different attributes (parameters) that are used to measure the software quality:

Testability – How easy it is to test the software and to what extent it can be tested.

Usability – It defines how user friendly the software is.

Understandability – How easily a layman can understand the software’s functions and purpose.

Consistency – How far the software is consistent / uniform in terms of GUI, terminologies, conventions.

Efficiency – The amount of work the software can do in a defined timeframe with minimum resources used.

Effectiveness – The extent to which the software satisfies the user and meets user requirements

Accuracy – How accurately the software works and whether it gives correct results.

Maintainability – How easily the software can be maintained in terms of enhancements/new features/bug fixes.

Reliability – How reliable the software is in performing required functions under different scenarios/conditions.

Portability – How easily the software can be transported and run in different environments e.g. platforms like operating systems (Linux, Mac, Windows), machines it can run on.

Security – How secure the software is in terms of access authorization and protection of personal data such as passwords.

Robustness – How well the software behaves, and preserves its data, under unexpected events such as a software crash or power-off.

Comment if you have any queries regarding this. Thanks for reading. 

09 Oct

Bug / Defect Priority vs Severity Matrix

In Software Testing, deciding how important the defect is and how soon the defect should be fixed is as important as finding a defect! This depends on how you actually place the defect into Priority-Severity matrix.

I have come across a great many test engineers who get confused between the priority and the severity of a defect. The definition is important, but understanding is even more important.

Definitely the customer (and their guidelines) plays a major role in the decision, but I’d like to describe the general scenario, and add some easy words to clarify the confusion (probably forever).

Defect Priority: Priority is something that is defined by business rules. It defines how important the defect is and how early it should be fixed.

Defect Severity: Severity is defined by the extent of damage done by the defect. It defines how badly the defect affects the functionality of the software product.

Again you’re fed with another definition? No!! Let’s take some examples…

They say a picture is better than a thousand words:

[ Image: defect priority vs severity matrix ]

High Priority and Low Severity:

Company logo is half cut on the home page of its website. This is high priority defect because displaying an incomplete company logo would put bad impression on business as this would defame the company or website. So, this defect should be fixed as soon as possible.

As far as severity is concerned, this defect has got low severity because it is not impacting any functionality of the website.

High Priority and High Severity:

Login button is not clickable on the login page of a web application. This is a high priority defect because this is stopping users from using the site. So, this should be fixed at once.

At the same time, this defect is of high severity because none of the other functionalities can be carried out.

Low Priority and High Severity:

A convoluted scenario that rarely occurs but crashes the application is an example of a low priority defect, because users don’t normally come across this scenario and it can be fixed later.

On the other hand, it has high severity, because it breaks the whole application and no functionality can be performed.

Low Priority and Low Severity:

A spelling mistake on a rarely accessed inner page of the website is an example of a low priority defect, because it doesn’t matter much to users, business is not impacted, and it can be fixed later. It also has low severity because it is not impacting any functionality of the website.

I hope this clears up defect attribution. Comments and questions are welcome.

-- Kedar Vaijanapurkar --