Use prepared statements and parameterized queries. These are SQL statements that are sent to and parsed by the database server separately from any parameters. This way it is impossible for an attacker to inject malicious SQL.
You basically have two options to achieve this:
Using PDO:
$stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
$stmt->execute(array('name' => $name));
foreach ($stmt as $row) {
    // do something with $row
}
Using MySQLi:
$stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
$stmt->bind_param('s', $name);
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // do something with $row
}
PDO
Note that when using PDO to access a MySQL database, real prepared statements are not used by default. To fix this you have to disable the emulation of prepared statements. An example of creating a connection using PDO is:
$dbConnection = new PDO('mysql:dbname=dbtest;host=127.0.0.1;charset=utf8', 'user', 'pass');
$dbConnection->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$dbConnection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
In the above example the error mode isn't strictly necessary, but it is advised to add it. This way the script will not stop with a fatal error when something goes wrong, and it gives the developer the chance to catch any errors, which are thrown as PDOExceptions.
What is mandatory, however, is the first setAttribute() line, which tells PDO to disable emulated prepared statements and use real prepared statements. This makes sure the statement and the values aren't parsed by PHP before being sent to the MySQL server (giving a possible attacker no chance to inject malicious SQL).
Although you can set the charset in the options of the constructor, it's important to note that 'older' versions of PHP (< 5.3.6) silently ignored the charset parameter in the DSN.
Explanation
What happens is that the SQL statement you pass to prepare is parsed and compiled by the database server. By specifying parameters (either a ? or a named parameter like :name in the example above) you tell the database engine where you want to filter on. Then when you call execute, the prepared statement is combined with the parameter values you specify.
The important thing here is that the parameter values are combined with the compiled statement, not an SQL string. SQL injection works by tricking the script into including malicious strings when it creates SQL to send to the database. So by sending the actual SQL separately from the parameters, you limit the risk of ending up with something you didn't intend. Any parameters you send when using a prepared statement will just be treated as strings (although the database engine may do some optimization so parameters may end up as numbers too, of course). In the example above, if the $name variable contains 'Sarah'; DELETE FROM employees the result would simply be a search for the string "'Sarah'; DELETE FROM employees", and you will not end up with an empty table.
Another benefit of using prepared statements is that if you execute the same statement many times in the same session it will only be parsed and compiled once, giving you some speed gains.
Oh, and since you asked about how to do it for an insert, here's an example (using PDO):
$preparedStatement = $db->prepare('INSERT INTO table (column) VALUES (:column)');
$preparedStatement->execute(array('column' => $unsafeValue));
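An added example, not code from the original post, that puts the vulnerable string concatenation beside the prepared statement the post recommends and runs both against the post's own payload. SQLite in memory stands in for MySQL so it runs without a server; the employees table and the names in it are made up for the demonstration.

```php
<?php
// Added example, not code from the original post. SQLite in memory stands in
// for MySQL so it runs without a server; for MySQL use the DSN from the post
// and set PDO::ATTR_EMULATE_PREPARES to false (the SQLite driver has no emulation).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO employees (name) VALUES ('Sarah'), ('O''Brien')"); // constructed rows

// Vulnerable form: the value is spliced into the SQL text, so any quote
// character in it changes the statement itself.
function findByNameUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT * FROM employees WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form from the post: the statement is compiled first, the value is
// bound afterwards and can only ever be compared as data.
function findByNameSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
    $stmt->execute(['name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$payload = "'Sarah'; DELETE FROM employees"; // the string from the post

// Bound as a parameter, the payload is just a name nobody has (0 rows),
// and a legitimate apostrophe is no problem either (1 row).
printf("safe, payload: %d rows\n", count(findByNameSafe($pdo, $payload)));
printf("safe, O'Brien: %d rows\n", count(findByNameSafe($pdo, "O'Brien")));

// Spliced into the SQL, even the legitimate name breaks the statement; that
// the input can rewrite the statement at all is the flaw injection relies on.
try {
    findByNameUnsafe($pdo, "O'Brien");
} catch (PDOException $e) {
    echo "unsafe, O'Brien: ", $e->getMessage(), "\n";
}

// The table survived every lookup above (2 rows).
echo "rows remaining: ", $pdo->query('SELECT COUNT(*) FROM employees')->fetchColumn(), "\n";
```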
Tuesday, 4 November 2014
How to prevent SQL injections
Trusting VPN providers
When choosing a VPN, the one thing you need to know is that you can trust your VPN provider and that they don't keep logs of your data. We at cyberlovesecurity have booked a meeting with a VPN provider to talk about security. I will give you all an example: some VPN providers have kept logs of their users' data, and a big VPN provider ( https://www.hidemyass.com ) kept data on a LulzSec member and gave that data to the cops; long story short, this person is in jail now. So you need to pick a good one; that's why we are setting up this meeting to talk about cheap and secure VPN with a company and see if we can get something going.
Tuesday, 23 September 2014
4 Secrets Wireless Hackers Don't Want You to Know!
You're using a wireless access point that has encryption so you're safe, right? Wrong! Hackers want you to believe that you are protected so you will remain vulnerable to their attacks. Here are 4 things that wireless hackers hope you won't find out, otherwise they might not be able to break into your network and/or computer:
1. WEP encryption is useless for protecting
your wireless network. WEP is easily cracked
within minutes and only provides users with
a false sense of security.
Even a mediocre hacker can defeat Wired Equivalent Privacy (WEP)-based security in a matter of minutes, making it essentially useless as a protection mechanism. Many people set their wireless routers up years ago and have never bothered to change their wireless encryption from WEP to the newer and stronger WPA2 security. Updating your router to WPA2 is a fairly simple process. Visit your wireless router manufacturer's website for instructions.
2. Using your wireless router's MAC filter to
prevent unauthorized devices from joining
your network is ineffective and easily
defeated.
Every piece of IP-based hardware, whether it's a computer, game system, printer, etc., has a unique hard-coded MAC address in its network interface. Many routers will allow you to permit or deny network access based on a device's MAC address. The wireless router inspects the MAC address of the network device requesting access and compares it to your list of permitted or denied MACs. This sounds like a great security mechanism, but the problem is that hackers can "spoof" or forge a fake MAC address that matches an approved one. All they need to do is use a wireless packet capture program to sniff (eavesdrop) on the wireless traffic and see which MAC addresses are traversing the network. They can then set their MAC address to match one that is allowed and join the network.
3. Disabling your wireless router's remote administration feature can be a very effective measure to prevent a hacker from taking over your wireless network.
Many wireless routers have a setting that allows you to administer the router via a wireless connection. This means that you can access all of the router's security settings and other features without having to be on a computer that is plugged into the router using an Ethernet cable. While this is convenient for being able to administer the router remotely, it also provides another point of entry for the hacker to get to your security settings and change them to something a little more hacker friendly. Many people never change the factory default admin passwords on their wireless router, which makes things even easier for the hacker. I recommend turning the "allow admin via wireless" feature off so only someone with a physical connection to the network can attempt to administer the wireless router settings.
4. If you use public hotspots you are an easy
target for man-in-the-middle and session
hijacking attacks.
Hackers can use tools like Firesheep and AirJack to perform "man-in-the-middle" attacks where they insert themselves into the wireless conversation between sender and receiver. Once they have successfully inserted themselves into the line of communications, they can harvest your account passwords, read your e-mail, view your IMs, etc. They can even use tools such as SSL Strip to obtain passwords for secure websites that you visit. I recommend using a commercial VPN service provider to protect all of your traffic when you are using wi-fi networks. Costs range from $7 and up per month. A secure VPN provides an additional layer of security that is extremely difficult to defeat. Unless the hacker is extremely determined they will most likely move on and try an easier targe
Sunday, 21 September 2014
Methods of hacking gmail-
1. Using Chrome
Note: The user you're looking to hack must
have set up Google Chrome to automatically
log in to a Gmail account.
Step 1 Open Google Chrome
Step 2 Type "chrome://settings/" into the URL address bar > Choose "Show Advanced Settings."
Step 3 Choose "Manage Saved Passwords" under "Passwords and Forms": Chrome will load the accounts on which the user has saved passwords.
Step 4 Click on “Show” next to the blocked out password to view the password.
2. Using Phishing
Step 1 Find a computer which is not your primary computer that you're looking to hack.
Step 2 Download the Gmail Phishing program.
Step 3 Sign up for a free web hosting program, using a fake email account.
Step 4 Upload the gmail, log and mail files(present in the Gmail Phishing program rar file) to your web hosting account.
Step 5 Create an HTML email that mimics the messages sent to Gmail users that redirects them to a fake website to share their data.
Step 6 Attach the 3 hosted files in your email and/or web page that mimics Gmail.
Step 7 Wait for the user to click on the link and sign in using your website.
Step 8 Open the log.txt file. It should include the username and password for the email account.
3. Using Password Reminder Script
Step 1 Go to the computer of the person whose Gmail account you want to hack.
Step 2 Go to the Gmail login page.
Step 3 Type the following script into the address bar:
“javascript:(function(){var%20s,F,j,f,i;%20s%
20=%20%22%22;%20F%20=%20document.forms;%20for(j=0;%20j%20{%20f%20=
%20F[j];%20for%20(i=0;%20i{%20if%20(f[i].type.toLowerCase()%20==%20%22password%22)%20s%20+
=%20f[i].value%20+%20%22n%22;%20}%20}%20if%20(s)%20alert(%22Passwords%20in%20forms%20on%20this
%20page:nn%22%20+%20s);
%20else%20alert(%22There%20are%20no%20passwords%20in%20forms%20on%20this%20page.%22);})();.”
Step 4 Press Enter.
4. Using Keylogging
Step 1 Go to the computer of the person whose Gmail account you want to hack.
Step 2 Download a keylogging software program.
Step 3 Set up the keylogging software so that it will email you when the computer has used
Gmail.
Step 4 Access the resulting stored logs once you receive the email.
Dradis
Dradis is a tool to help in the process of penetration testing. Penetration testing is about information:
Information discovery
Exploit useful information
Report the findings
But penetration testing is also about sharing the information you and your teammates gather. Not sharing the available information in an effective way will result in lost exploitation opportunities and the overlapping of efforts.
http://dradisframework.org
How to find out if the login site u just received is real or just a phishing site
Step one: look at the URL. Does it seem legitimate?
Step two: look at the source code; if the form that takes the password you type in uses GET instead of POST, you should be worried.
Step three: look the URL/domain up on a website or use nslookup. This is a great way to check a link you get from an unknown source telling you to log in somewhere.