Tag Archives: microsoft
Edge keeps running in the background regardless of settings
First of all, yes, I have already disabled ‘speed boost’ and turned off the setting that allows extensions and apps to continue running after closing Edge, and still when I look at the running tasks there are multiple Edge processes there (sleeping or otherwise) after exiting.
This is obviously an unnecessary waste of memory and processor resources etc., but what is much worse than this is that any credentials established with websites using integrated authentication are also maintained and used again when the browser is re-launched.
So if multiple people are using a machine and one authenticates against a website using integrated authentication and then they close the browser and leave, their credentials are applied when whoever uses the machine next accesses that same site.
This would seem to be a fairly serious security issue, and I have submitted this as a bug through the browser’s feedback mechanisms, but has anyone else experienced this and/or found a solution?
Organization Branding and Transparency
We receive a lot of spam and links to Google Forms from outside organizations. When I look at Microsoft Forms, there is no way to tell if the form is owned by the organization or not. I know in FormStack, you can brand the URL to your organization.
It would be nice to have a bottom banner that is the organization’s primary color and maybe the logo and to have “this form is part of the ________ organization” and the URL would be great to brand as well.
Organization.forms.office.com/______ or forms.office.com/organization/____ similarly to SharePoint’s URL schematics.
Excel Macro Security
Hello All,
I’m having an issue with Excel macro security. We have 5 computers at the office on the same network, sharing files through a OneDrive shared folder.
On my computer the macros work no problem; once I open an Excel file with a macro, a security bar opens to ENABLE. Even though the macros were created by someone else in my office, I can open and use the macros no problem.
But other computers in my office will not give me the option to ENABLE, as you can see below. I’ve even recreated the file with new macros on another computer, and after restarting Excel I get the SECURITY RISK message.
I’ve tried all the options I found on this community under macro security, to no avail.
Any help please.
Thanks
SC
SharePoint online – Disable “Select a template” welcome message and “Next steps” tips pane
Are there any solutions to globally disable the “Select a template” welcome message and “Next steps” tips pane for SharePoint sites? These appear when a user with Owner permissions visits the site for the first time.
In organisations where SharePoint governance is in place and site templating is used as part of a managed site creation process these are irrelevant and need to be disabled.
Also posted here.
MICROSOFT TO DO NOT PRINTING
Microsoft To Do is not printing, as I keep getting a message that says “Something Went Wrong”. Is anybody getting the same response?
Discover the Learning Accelerators at ISTELive 24
We can’t wait to meet you in person at ISTELive 24 in Denver, June 23-26, 2024! Join us for an exciting week of live demos, theater sessions, PD workshops, and so much more.
As you think about the next school year, ISTELive is a great opportunity to dive into our Learning Accelerators, a new category of AI-enhanced learning tools included in Microsoft 365 at no cost for Education. These tools help streamline the creation, review, and analysis of practice assignments while providing students real-time coaching to help them catch up, keep up, and get ahead.
Learning Accelerators are designed to help educators like you unlock the full potential of every student. These tools support foundational and future-ready skills, allowing educators to give individual students more opportunities to learn, practice, and receive targeted coaching instantly in an inclusive environment to support ongoing improvement. They also seamlessly integrate with your favorite tools like Microsoft Teams and your LMS.
No matter what area or subject you teach, we’ve got the tools to support you. From reading, math, SEL and well-being, to public speaking and information literacy, our Learning Accelerators have you covered.
Be sure to stop by Microsoft booth #1300 to get a live demo and talk with experts about how you can integrate these tools into your curriculum. Explore the session topics in advance to plan your week and make the most out of your ISTELive 2024 experience.
All times mentioned are in the event time—Mountain Daylight Time (MDT). You can click on each time to visit the session page on the ISTELive website and star your favourite sessions to save them to your account.
Explore our Learning Accelerators sessions
Not sure where to start? Want to learn about everything at once?
We have an overview session that gives you great insights about all the Learning Accelerators.
Reading Progress & Reading Coach
Did you know that students are 19% more likely to graduate high school if they are proficient readers by the third grade? Reading Progress & Reading Coach improve student fluency, accuracy, and comprehension through reading practice and educator insights.
Math Progress & Math Coach
Since the pandemic, there has been a 9-point decline in math scores among 7th and 8th graders from a nationally representative sample of 9,000 students. With Math Progress & Math Coach, you can help students solve complex math problems, develop the ability to reason over data, and understand mathematical concepts.
Microsoft Reflect
Did you know there is an 11-point increase in student academic performance for those who participated in an SEL curriculum versus those who did not? With Microsoft Reflect, you can help students develop social and emotional skills, especially in the era of AI, including the ability to recognize, reflect on, and navigate their feelings.
Speaker Progress & Speaker Coach
96% of businesses identify communication skills as essential, but only 42% of workers are proficient in this skill. Speaker Progress & Speaker Coach help develop confident presenters with tools that reduce student anxiety and provide real-time coaching.
Search Progress & Search Coach
Did you know that only 1 out of 10 students in grade 7 or higher can distinguish between fact and opinion? Search Progress & Search Coach provide an easier way to build information literacy skills with real-time guidance in a secure and inclusive online search environment.
Focused on AI? Want to hear the latest updates?
Our AI in Education 101 sessions will provide you with the latest AI updates from Microsoft Education! We’ll share an overview of AI tools including Microsoft Copilot, Learning Accelerators, and more. Hear how these tools can support personalized learning, automate tasks, provide insights, save time, and increase learner engagement. Discover how AI helps make learning more accessible and inclusive.
Not able to attend ISTE this year?
No worries! After the event, we’ll host a What’s New in EDU webinar, so you can catch up on all the exciting updates we shared in Denver. We will share the dates and a registration link soon.
There are exciting new possibilities on the horizon for educators and students, and we look forward to meeting you in Denver and sharing more!
Keeping our Outlook Personal Email Users Safe: Reinforcing Our Commitment to Security
At Microsoft, our aim is to provide a modern and secure email experience for our users, leveraging the latest technologies to enhance functionality and ease of use. When it comes to Outlook, we want to ensure our customers’ emails, documents, calendar, and contacts are safeguarded from unauthorized access, tampering or loss. Today, we’re announcing changes to Outlook for personal use to enhance the security of our consumer customers. These changes are aligned to the Microsoft Secure Future Initiative (SFI). They are:
The deprecation of Basic Authentication for Outlook personal email accounts effective September 16, 2024
A reminder of end of support for the Mail & Calendar apps by the end of 2024
The deprecation of the light version of the Outlook web application effective August 19, 2024
Starting September 16th, Microsoft personal email account users (e.g. Outlook.com, Hotmail.com, Live.com) will need to move to Modern Authentication methods in their email application. These will be necessary for all Outlook users.
To help keep Outlook personal email accounts secure, starting September 16, 2024, Microsoft will no longer support Basic Auth, the method in which a person provides only their username and password to sign into their account. As of September 16, 2024, Outlook will require that all those with a Microsoft email account use a mail or calendar app or the Outlook.com website which supports modern auth, such as the latest versions of Outlook, Apple Mail, or Thunderbird.
While Basic Auth was the standard for quite some time, it also made it easier for bad actors to capture a person’s login information. This increased the risk of those stolen credentials being reused to gain access to a person’s email or personal data. Email-based cyberattacks have only increased with time, so we are requiring modern authentication for all Outlook customers to better help protect their personal accounts.
With Modern Authentication methods we apply additional backend process/tokens that users may not notice that add an extra layer of security. Anyone who is attempting to use an application which does not support modern authentication will no longer be able to access their Outlook.com, Hotmail or Live.com email from those applications.
Here are the steps Outlook users can take to better secure their personal email accounts today:
The easiest way to make sure you are ready and using modern authentication is to download one of the free Outlook apps for iOS, Android, Outlook for Mac, or Outlook for Windows. People can also purchase a new Outlook license or use the Outlook that is included in their Microsoft 365 subscription. People who use Outlook 2021 (build 11601.10000 or higher) are also not affected.
Additional Details can be found here.
An example of a Modern Authentication sign in. Designed to give the user extra protection and keep them safe.
Windows Mail and Calendar apps will move out of support in 2024
Last year we launched a new version of the Outlook for Windows application, which brings Outlook to everyone on Windows – for free. We’ve seen millions of people move into the new Outlook for Windows since our launch, putting it on par for consumer usage with our classic Outlook for Windows app – in a much shorter time. Most people who were using Mail and Calendar have migrated to Outlook for Windows.
With the evolving cyberthreat landscape and our commitment to providing the most secure email experience to our customers, we want to remind people that the Mail and Calendar apps will no longer be supported or available in the Microsoft Store by the end of 2024.
Outlook for Windows is for everyone – regardless of what email service you use. There is no subscription needed for personal email accounts to use Outlook for Windows and it provides a multitude of features that Mail and Calendar doesn’t include, such as rich message editing, the ability to use Copilot, and reminding you of important conversations. Outlook for Windows also supports Modern Authentication. We are also working on new features in the coming months that will improve Junk Mail filtering and help users better protect themselves from malicious mail.
We encourage all remaining users of the Mail and Calendar apps on Windows to move to Outlook for Windows as soon as possible.
The light Version of the Outlook Web App will no longer be supported after August 19, 2024
We understand accessing your Outlook.com account from anywhere is important. Many customers access Outlook.com from web browsers. While most customers access their personal email accounts through modern and current browsers, we were offering a lightweight version of the Outlook web app that was supported by older browsers. As we accelerate our security efforts to help better protect our customers, we are retiring the light version of the Outlook web app. This means that after 2024 customers will need to run the latest versions of a supported browser to run Outlook.com.
Browser Minimum requirements to run Outlook.com:
Microsoft Edge (version 79 or later)
Chrome (version 79 or later)
Firefox (78 or later)
Safari (version 16 or later)
Opera (76 or later)
Operating System Minimum Requirements:
Windows OS: Windows 11, Windows 10, Windows Server 2022, Windows Server 2019, or Windows Server 2016
macOS: macOS Sonoma, macOS Ventura, and macOS Monterey
Linux: Outlook.com works in both Firefox and Chrome on Linux
Additional Outlook Feature Retirements
In addition to the above, we are retiring the following Outlook features:
The ability for people to access their Gmail accounts in Outlook.com via the left rail as of June 30, 2024. Users on Windows should use Outlook for Windows, which will enable them to use their Gmail accounts seamlessly. Outlook users on Mac can use Outlook for Mac.
Last, due to our deprecation of Cortana, all services that depended on it are also being deprecated. For Outlook mobile users that means that Play My Emails and Voice Search will be deprecated at the end of June, 2024. For those affected by this, we ask them to use the native mobile OS features that enable voice commands.
We are taking these actions to ensure that we’re able to continue to best serve our customers and to keep their data as safe as possible. These changes will help us continue to do so and better serve the people who depend on Outlook in their daily lives.
Domain-based Encryption using S/MIME with EXO
Hi Everybody,
I’m looking for a solution for this use case:
An organisation uses EXO and sends outgoing emails to a variety of customers. Outgoing emails should be encrypted by S/MIME. A separate S/MIME certificate should be used for each recipient domain/customer.
As far as I see, the standard solution with S/MIME and transport rules in Purview only offers a user-based solution with unique certificates for each user.
Any ideas how to solve my use case?
Thanks for every post!
EmailEvents schema is missing in advanced hunting
Hello,
My coworker passed off a legacy Power BI dashboard to me that utilizes the advanced hunting EmailEvents schema, which doesn’t seem to be functioning for me even with permissions.
Can someone advise if this is an issue with access, or has this schema moved to a different license etc?
Thanks,
Are synapse publishing errors logged in log analytics
Hi, we have a development Synapse workspace that is integrated with git, so that every time we commit a pull request we follow up with publishing the changes. The Synapse workspace is also configured to log into a dedicated Log Analytics workspace. I would like to be able to see a history of Synapse workspace publishing errors in Log Analytics. Is this even possible, and if so, in what log table? Is there any specific diagnostic setting that I need to turn on (I have audit and all logs checked)? Much appreciated.
Bookings shows no dates available until clearing site data
As the title suggests, I have had this issue recurring with the bookings application for a client.
Most times when the client adds a booking in at the start of the day it works fine. However, when the booking has been made and we go to make another, it will not let us add another booking on that date, as it brings up “There are no available bookings for this day”. The only fix I have found for this is opening “manage site data” in Chrome and deleting the site cookies, after which we sign in again and this is fixed, UNTIL 5 MINUTES LATER WHEN THEY WANT ANOTHER BOOKING…
We’ve tried all browsers from DuckDuckGo, Firefox to Safari and Chrome.
Removing permissions and re-adding.
Deleting the bookings page and setting up from scratch.
We’ve tried leaving calendar settings as default and modified to the client’s preferences.
Made sure all settings, even down to the time zone, match any troubleshooting methods out there.
And spending countless hours googling and trying to fix this, but it persists.
Can anyone help shed some light?
Could this be due to the main calendar being open to nearly 100 people who have their own calendars and then booking sites linked? Could it be down to one user’s settings that is throwing off the sync? Just weird how this is happening to all users…
Thanks in advance :smiling_face_with_smiling_eyes:
Devops – Enable analytic views
Since Analytics views are no longer a preview feature in Azure DevOps, I cannot find where they can be enabled.
Does anyone know where this can be done (through which menu in DevOps)?
Thanks
Omar
New Outlook: Workaround Solution for Creating Rules for Sent Items
Many users have expressed that they are missing one of Outlook Classic’s features: the ability to create rules for sent items. One popular use is automatically moving a Sent item to a designated folder of choice, which reduces the time it takes to handle email.
Currently, rules in New Outlook manage received messages in the Inbox. You can read this blog for details.
New Outlook Limitations: Outgoing Message Rules » TRACCreations4E
I am happy to share that I finally came up with a workaround solution to add a copy of the message you sent to a folder of your choice. Yes, the original message will remain in the Sent folder, but you don’t have to manually move it. This method should hold you over until Microsoft rolls out this sent rules functionality, which has not yet been added to the roadmap.
Watch the full tutorial to discover how you can:
Set up your email
Use hashtags in your signature line
Set up an automatic rule
Video: https://youtu.be/guOjz5lHJEY?si=un6jp2afgO-3PAhg
Remember, this is a workaround solution. I am also waiting patiently for the Sent Rules functionality.
If you find this information helpful, please mark it as the best response, which will assist others with the same question.
/Teresa
#traccreations4e 6/11/2024
Is it possible to create a notification if an admin takes a soft delete action from Explorer?
Error code 404: when overwriting a SharePoint column that contains a space before ‘/’ in its name
I have created a SharePoint list with a column name that contains a space before ‘/’. Ex: “ABC /DEF”
When I am trying to overwrite the same column it fails with an error, response code 404.
So does it have anything to do with the column name? Are there any guidelines on creating column names with special characters (including space, ‘/’) in a SharePoint list?
Set default font in Office Outlook app and OWA
For our organisation we want to set our default font to Ubuntu, size 11, with color code #215e99. Is there any (easy) way how to do this? We are using Office365 and we manage all our devices within the Microsoft Endpoint Manager. It seems there is no specific policy available to configure this.
Trouble removing CALC Error
This is the formula I’m using; however, when the formula doesn’t return a result I get the #CALC! error.
=LET( filtered, FILTER( F2:F9000, ISNUMBER(XMATCH(G2:G9000, H2:H3, )) ), UNIQUE(filtered))
I’ve tried inserting “No Event” into the formula but either I’m not putting it into the string correctly or I need to do something else.
Prevent SQL Injection attacks on your PostgreSQL servers
SQL injection is one of the most common application attack vectors, used with the goal of retrieving sensitive data from companies. When you hear about stolen financial information, defaced websites or even systems takeover, it often happens through a complex hacking attempt which in many cases starts with a common SQL injection vulnerability being exploited. Fortunately, you can follow some very easy techniques to prevent SQL injection from affecting your system with a PostgreSQL backend.
What is SQL Injection?
SQL injection (SQLi) is a common cybersecurity exploit that targets commercial and open-source relational databases using specifically crafted SQL statements to trick the system into doing unexpected and undesired things. SQL injection attacks allow attackers to spoof identity, tamper with existing data stored in databases, cause repudiation issues such as voiding transactions or changing balances, and ultimately, quite often, to become administrators of the database server. SQL injection is more common with older web development platforms such as PHP, ASP, JSP and CGI, due to the prevalence of older data access interfaces, but it can occur with newer platforms as well when the available methods to reduce this vulnerability are not used.
Pic 1. Typical SQL Injection diagram courtesy of Cloudflare
Within the last 20 years, many SQL injection attacks have targeted large websites, businesses, and social media marketing platforms. Many of these attacks resulted in serious data breaches. A couple of notable examples are listed below:
7-Eleven breach. A group of attackers used SQL injection to penetrate corporate systems at several companies, primarily the 7-Eleven retail chain, stealing 130 million charge card numbers.
Ghost Shell attack. Hackers from the APT group Team GhostShell targeted 53 universities using SQL injection and stole and published 36,000 personal records owned by students, faculty, and staff.
Freepik breach. In 2020, Freepik, one of the largest online graphic resources sites in the world with 18 million monthly unique users, said that hackers were able to steal emails and password hashes for 8.3M Freepik and Flaticon users in an SQL injection attack against the company’s Flaticon website.
Types of SQL Injection attack
SQL injection (SQLi) is commonly classified into several types:
Union-based SQL injection – Union-based SQL injection is the most popular type of SQL injection and uses the UNION operator in SQL. The UNION operator combines the result sets of two or more SELECT statements, which lets the attacker retrieve data from other tables in the database.
Error-based SQL injection – this method is usually deployed against Microsoft SQL Server databases. In this attack, the malicious actor causes an application to display an error originating from the database. The error message leaks information about the database’s structure to the malicious actor.
Blind SQL injection – in this attack, no error messages are received from the database; the attacker extracts data by submitting queries to the database and observing the application’s behaviour. Blind SQL injection can be divided into Boolean-based SQL injection and time-based SQL injection.
Example of SQL Injection
This example shows how an attacker can use SQL injection to circumvent an application’s SQL-based authentication and gain administrator privileges.
Consider a simple authentication system using a database table with usernames and passwords. A user’s POST request provides the variables user and password, and these are inserted into a SQL statement:
sql = "SELECT id FROM users WHERE username='" + user + "' AND password='" + password + "'"
The problem here is that the SQL statement uses string concatenation to combine code and data. The attacker can provide a string like this instead of the password value (the quotes are balanced so that the resulting query is valid SQL):
pass' OR '1'='1
The resulting SQL query that will be run against the database is:
SELECT id FROM users WHERE username='user' AND password='pass' OR '1'='1'
Because '1'='1' is a condition that always evaluates to true, the entire WHERE clause will be true regardless of the username or password provided (AND binds more tightly than OR, so every row matches). Moreover, the query will return the first id from the users table, which is commonly the administrator. This means the attacker can access the application without authentication, and with administrator privileges.
Preventing SQL Injection attacks
There are a number of methods for reducing the risk of SQL injection. As a best practice, several strategies should be combined. Let’s look at the most popular implementations:
Using Parameterized Queries.
At its core, this method separates SQL logic from the data being passed. Because placeholders are used instead of embedding user input directly in the query text, the database treats the input strictly as data. This means that even if an attacker tries to insert malicious code, the database won’t execute it as a command. As a developer, adopting parameterized queries is not just a best practice; it’s a fundamental shift in how user input is processed, ensuring a higher level of security.
Escape All User Supplied Input. When writing SQL, specific characters or words have particular meaning. For example, the ‘*’ character means “any” and the word “OR” is a conditional operator. To handle users who enter these characters either accidentally or, more likely, maliciously into an API request to the database, user-supplied input can be escaped. Escaping a character tells the database not to parse it as a command or operator but to treat it as literal input, i.e. as a string.
Enforce Least Privilege. As a general rule, wherever a website needs to use dynamic SQL, reduce the exposure to SQL injection by limiting the permissions of your application login user to the narrowest scope required to execute the relevant query. This means that an administrative account should never be the application login user, executing SQL commands as a result of an API call from an unauthorized request. Enforcing least privilege helps reduce the risk posed by dynamic SQL queries.
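The login check from the example above beside its parameterized fix, as an added illustration that is not code from the original post. It assumes Python’s built-in sqlite3 as an offline stand-in for the Postgres users table; on PostgreSQL with psycopg2 the only change is the placeholder style (%s instead of ?), the concatenation flaw and the fix are the same.

```python
import sqlite3

# Constructed in-memory stand-in for the users table in the post
# (sqlite3 so the example runs offline; the SQL is the same on PostgreSQL).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (id, username, password) VALUES (?, ?, ?)",
        [(1, "admin", "s3cret-admin"), (2, "alice", "alice-pw")],
    )
    return conn

def login_vulnerable(conn, user, password):
    # The flaw from the post: user input is concatenated into the SQL text,
    # so a quote character in the input changes the structure of the query.
    sql = ("SELECT id FROM users WHERE username='" + user
           + "' AND password='" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(conn, user, password):
    # Placeholders hand the values to the driver separately from the SQL text;
    # the database only ever sees them as data, never as query syntax.
    # (sqlite3 uses ?; psycopg2 on PostgreSQL uses %s with the same tuple.)
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (user, password)).fetchone()
    return row[0] if row else None

def demo():
    conn = make_db()
    payload = "pass' OR 1=1 --"  # the bypass string from the post
    return {
        # legitimate credentials work with both implementations
        "vulnerable_legit": login_vulnerable(conn, "alice", "alice-pw"),
        # concatenation: WHERE collapses to ... OR 1=1, first row (admin) returned
        "vulnerable_injected": login_vulnerable(conn, "nobody", payload),
        "parameterized_legit": login_parameterized(conn, "alice", "alice-pw"),
        # parameterized: the payload is compared as a literal password, no match
        "parameterized_injected": login_parameterized(conn, "nobody", payload),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```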
Resources
For more information on SQL injection, as well as security best practices with Postgres Flexible Server, see the following:
Security – Azure Database for PostgreSQL – Flexible Server | Microsoft Learn
SQL Injection: example of SQL Injections and Recommendations to avoid it. – Microsoft Community Hub
Postgres SQL Injection Cheat Sheet | pentestmonkey
Investigation: A Pentesting PostgreSQL with SQL Injections (onsecurity.io)
To learn more about our Flexible Server managed service, see the Azure Database for PostgreSQL service page. We’re always eager to hear customer feedback, so please reach out to us at Ask Azure DB for PostgreSQL.
Microsoft Tech Community – Latest Blogs
Boxfusion and Skypoint offer transactable partner solutions in Azure Marketplace
Microsoft partners like Boxfusion and Skypoint deliver transact-capable offers, which allow you to purchase directly from Azure Marketplace. Learn about these offers below:
Botsa: Botsa works with Microsoft Teams to provide a simple, familiar, and user-friendly interface for your employees to improve internal communications and processes. By handling routine queries, Botsa frees up your staff to focus on more complex tasks, increasing overall productivity and transforming your workplace experience. Reduce operational costs by automating common queries and processes.
Skypoint AI Platform for Senior Living: Skypoint’s AI platform unifies and leverages common senior living data sources so you can safely and securely “chat with your data” for instant answers and drive senior living experiences in more meaningful ways. It allows you to deliver better care, services, and experiences while optimizing operational expenses, leading to improved overall outcomes.
Time Format
Hello all,
I had entered the number 6 in a cell and chose the time format.
Instead of showing me the time as 6:00 AM, it gives me the date and time together!
Can I know the mistake I made, please?
I am trying to schedule some work on a regular basis using the time. How do I go about getting only 6:30 AM or 6:00 PM, etc.?
Thank you in advance to one and all.