SQL injection is one of the most common ways web applications and online platforms get compromised. The language does not matter either: code that builds queries out of unfiltered user input is just as easy to write in PHP, ASP.NET, or anything else.

SQL injection is a way for an attacker to reach your database by sending crafted input through a web form or service that queries a database with it. Since most web applications talk to a database, it is not hard to find a site with that kind of connectivity, and thus a candidate for attack. Once an attacker finds a vulnerable form, it can be exploited not only to return sensitive information but also to give the attacker a foothold on the system, for example by writing a file they can then reach via a browser and use to take over your machine.

As you can see in the video below, it’s very easy for attackers to visit your site, app, or platform and try to exploit your data. If you’ve never seen how this type of attack works, or just how easy it is to write code that’s insecure, have a watch:

What can you do?

There have been books written about how to write safe and secure code, but as a starting point: whenever user input ends up in a database query, pass it to the database as a bound parameter (a prepared statement or parameterized query) rather than concatenating it into the SQL string. If your platform really leaves you no alternative, escape the input with the database driver's own escaping function so that quote and comment characters cannot change the meaning of the query.

Second, validate that input so only the type of data you are asking for reaches your eventual SQL query. If you are asking for a number, check that what the user entered is indeed a number, and reject anything else rather than trying to clean it up.

This is only the tip of the iceberg, but it will hopefully set you down the path of writing safer code if you are not using these techniques already. There are many places to start, but OWASP is always a good resource; they have a page dedicated to preventing SQL injection attacks.

On June 1, Instagram put into effect changes to its API that have made life more difficult for brands who manage content on their feeds and often re-post user-created content.

Regrammed photo from @Johncarrollu

I manage my University's Instagram account, and have found apps like Repost to be very useful in managing it. By tying into Instagram's viewing API, I could easily see photos from students and campus groups we follow, or photos that tagged us, and then reshare them, with proper credit of course. This type of tool has made it easier for me to quickly share content on our account.

Though announced late last year, Instagram has changed its API, especially the photo stream reading API, taking away access to the user's photo stream. Since December, all apps accessing Instagram's API must be approved and their access carefully reviewed. This is the recent update from Instagram:

Instagram Platform and documentation update. Apps created on or after Nov 17, 2015 will start in Sandbox Mode and function on newly updated API rate-limits and behaviors. Prior to going Live, and being able to be used by people other than the developers of the app, these apps will have to go through a new review process. Please read the API documentation or the Change Log for more details.

Any app created before Nov 17, 2015 will continue to function until June 1, 2016. On that date, the app will automatically be moved to Sandbox Mode if it wasn’t approved through the review process. The previous version of our documentation is still available here.

On one level, it makes sense: Instagram wants users browsing photos through its own apps, not third-party apps. This way, Instagram can show users ads and integrate new features like the new, mostly disliked algorithmic feed. For unscrupulous users, apps like Repost make it easy to steal and repurpose content, but that is not the focus of this post.

Apps like Repost have had it difficult. If they are/were straight-up reposting apps like the one I used, they have had their access taken away or severely limited. Some have closed or pulled their apps, others have reworked their apps to still give some of the functionality they were offering, albeit nowhere near as easily as they did before. Gramfeed has pivoted to become Picodash, and will focus on the enterprise market.

Now, users must see a post they want to share in the Instagram app itself, select the sharing URL, and then open their reposting app, paste that URL into it, and then select the type of watermark they want to use. Then it saves the photo to the photostream and takes you back to Instagram to complete the posting process.

I feel this negatively affects smaller brands like ours who can’t afford the mega-enterprise tools some brands use to monitor, maintain, and share content to their fans. Tools like Repost were a nice workaround and made our lives just a little easier. I’ve written about the challenges of maintaining a brand on Instagram before, and changes like this continue to make the experience a frustrating one.


I’ve always wondered why Amazon has not jumped into the user-generated content game, especially when it comes to video, in an attempt to wrestle the crown from YouTube.

They have the audience base, brand recognition, and certainly the infrastructure to roll out such a platform. They are already in millions of homes natively with apps on platforms ranging from their own FireTV line of products, connected players like Roku, smart TVs, tablets, gaming machines like the PlayStation 4, and more. Amazon also owns the live-streaming giant Twitch.

Recently, Amazon announced they will in fact start accepting and featuring user-generated videos on its platforms. More content, especially content it doesn’t need to produce or acquire, means more viewers, more hours watched, and, yes, more revenue for Amazon.

To its credit, Amazon says the program is for "professional video producers." It is not clear what that means or what the threshold is to be considered a professional producer, but for Amazon it probably means not having to police user uploads as heavily as YouTube does with programs like automatic content matching (which fails, a lot).

Just last week, YouTube made headlines when its systems let the Fox television network use a clip a user created and uploaded in 2009 of the old Nintendo game Double Dribble. Fox used that clip in an episode of Family Guy, and then had the original clip taken down, claiming copyright. Read more at TorrentFreak.

It’s not clear if this was malicious, or it’s another example of YouTube’s Content ID matching system run amok, but the message is clear: there has to be a good way to monitor and handle legitimate copyright claims without letting the big guys beat up on the little content producers. Are some claims legitimate? Yes, of course, but more and more, based on YouTubers posting updates, the system is busted and people can easily take advantage of it for monetary gain.

These are the types of challenges Amazon is going to have to figure out if it wants to win at this game.

The other question is how they are going to monetize users and encourage them to upload content to this new service. YouTube, owned by Google, makes it easy to integrate Google's AdSense platform right into the playback of videos¹.

According to Bloomberg:

The new Amazon service gives video producers many ways to get paid. They can sell or rent their programs on Amazon, or make videos available to all Amazon customers (not just Prime subscribers) in an advertising-supported format. Another option: Provide videos to Amazon Prime members and get royalty payments based on how many times the content is streamed, or as part of an add-on subscription.

Will Amazon force producers to sign exclusive publishing agreements, or can producers continue to post their content on multiple sites? That remains to be seen, as does whether the revenue sharing will be enough to lure producers away from other platforms to Amazon.

According to 3playmedia.com, Amazon is putting some big time money in front of producers:

The most striking incentive is Amazon’s offer to pay $1 million a month to the makers of the top 100 AVD programs viewed by Prime members.

What interests me are the requirements for publishing on Amazon’s platform: the videos must be in high definition, which makes sense with so many TV-based players, and second, all videos must be closed captioned. That’s a great move for accessibility, and I bet many producers are going to have to scramble to find a way to easily caption their videos.

¹ I use an ad blocker 99% of the time, so I rarely see how they integrate ads into the viewing experience.