SQL Injection

SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database. Attackers take advantage of the fact that programmers often chain together SQL commands with user-provided parameters, and can therefore embed SQL commands inside these parameters. The result is that the attacker can execute arbitrary SQL queries and/or commands on the backend database server through the Web application.

Details

Databases are fundamental components of Web applications. Databases enable Web applications to store data, preferences and content elements. Using SQL, Web applications interact with databases to dynamically build customized data views for each user. A common example is a Web application that manages products. In one of the Web application's dynamic pages (such as ASP), users are able to enter a product identifier and view the product name and description. The request sent to the database to retrieve the product's name and description is implemented by the following SQL statement.

SELECT ProductName, ProductDescription
FROM Products
WHERE ProductNumber = ProductNumber

Typically, Web applications use string queries, where the string contains both the query itself and its parameters. The string is built using server-side script languages such as ASP, JSP and CGI, and is then sent to the database server as a single SQL statement. The following example demonstrates an ASP code that generates a SQL query.

sql_query= "
SELECT ProductName, ProductDescription
FROM Products
WHERE ProductNumber = " & Request.QueryString("ProductID")

The call Request.QueryString("ProductID") extracts the value of the Web form variable ProductID so that it can be appended as the SELECT condition.

When a user enters the following URL:

http://www.mydomain.com/products/products.asp?productid=123

The corresponding SQL query is executed:

SELECT ProductName, ProductDescription
FROM Products
WHERE ProductNumber = 123

An attacker may abuse the fact that the ProductID parameter is passed to the database without sufficient validation. The attacker can manipulate the parameter's value to build malicious SQL statements. For example, setting the value "123 OR 1=1" to the ProductID variable results in the following URL:

http://www.mydomain.com/products/products.asp?productid=123 or 1=1

The corresponding SQL Statement is:

SELECT ProductName, Product Description
FROM Products
WHERE ProductNumber = 123 OR 1=1

This condition would always be true and all ProductName and ProductDescription pairs are returned. The attacker can manipulate the application even further by inserting malicious commands. For example, an attacker can request the following URL:

http://www.mydomain.com/products/products.asp?productid=123; DROP
TABLE Products

In this example the semicolon is used to pass the database server multiple statements in a single execution. The second statement is "DROP TABLE Products" which causes SQL Server to delete the entire Products table.

An attacker may use SQL injection to retrieve data from other tables as well. This can be done using the SQL UNION SELECT statement. The UNION SELECT statement allows the chaining of two separate SQL SELECT queries that have nothing in common. For example, consider the following SQL query:

SELECT ProductName, ProductDescription
FROM Products
WHERE ProductID = '123' UNION SELECT Username, Password FROM Users;

The result of this query is a table with two columns, containing the results of the first and second queries, respectively. An attacker may use this type of SQL injection by requesting the following URL:

http://www.mydomain.com/products/products.asp?productid=123 UNION
SELECT user-name, password FROM USERS

The security model used by many Web applications assumes that an SQL query is a trusted command. This enables attackers to exploit SQL queries to circumvent access controls, authentication and authorization checks. In some instances, SQL queries may allow access to host operating system level commands. This can be done using stored procedures. Stored procedures are SQL procedures usually bundled with the database server. For example, the extended stored procedure xp_cmdshell executes operating system commands in the context of a Microsoft SQL Server. Using the same example, the attacker can set the value of ProductID to be "123;EXEC master..xp_cmdshell dir--", which returns the list of files in the current directory of the SQL Server process.

Prevention

The most common way of detecting SQL injection attacks is by looking for SQL signatures in the incoming HTTP stream. For example, looking for SQL commands such as UNION, SELECT or xp_. The problem with this approach is the very high rate of false positives. Most SQL commands are legitimate words that could normally appear in the incoming HTTP stream. This will eventually case the user to either disable or ignore any SQL alert reported. In order to overcome this problem to some extent, the product must learn where it should and shouldn't expect SQL signatures to appear. The ability to discern parameter values from the entire HTTP request and the ability to handle various encoding scenarios are a must in this case.

Imperva SecureSphere does much more than that. It observes the SQL communication and builds a profile consisting of all allowed SQL queries. Whenever an SQL injection attack occurs, SecureSphere can detect the unauthorized query sent to the database. SecureSphere can also correlate anomalies on the SQL stream with anomalies on the HTTP stream to accurately detect SQL injection attacks.

Another important capability that SecureSphere introduces is the ability to monitor a user's activity over time and to correlate various anomalies generated by the same user. For example, the occurrence of a certain SQL signature in a parameter value might not be enough to alert for SQL injection attack but the same signature in correlation with error responses or abnormal parameter size of even other signatures may indicate that this is an attempt at SQL injection attack.

SQL Injection Attacks - Are You Safe?

The database is the heart of most Web applications: it stores the data needed for the Websites and applications to "survive". It stores user credentials and sensitive financial information. It stores preferences, invoices, payments, inventory data, etc. It is through the combination of a database and Web scripting language that we as developers can produce sites that keep clients happy, pay the bills, and -- most importantly -- run our businesses.

But what happens when you realize that your critical data may not be safe? What happens when you realize that a new security bug has just been found? Most likely you either patch it or upgrade your database server to a later, bug-free version. Security flaws and patches are found all the time in both databases and programming languages, but I bet 9 out of 10 of you have never heard of SQL injection attacks...

In this article I'll attempt to shed some light on this under-documented attack, explaining what an SQL injection attack is and how you can prevent one from occurring within your company. By the end of this article you'll be able to identify situations where an SQL injection attack may allow unauthorized persons to penetrate your system, and you'll learn ways to fix existing code to prevent an SQL injection attack.

What is an SQL Injection Attack?

As you may know, SQL stands for Structured Query Language. It comes in many different dialects, most of which are based on the SQL-92 ANSI standard. An SQL query comprises one or more SQL commands, such as SELECT, UPDATE or INSERT. For SELECT queries, each query typically has a clause by which it returns data, for example:

SELECT * FROM Users WHERE userName = 'justin';

The clause in the SQL query above is WHERE username = 'justin', meaning that we only want the rows from the Users table returned where the userName field is equal to the string value of Justin.

It's these types of queries that make the SQL language so popular and flexible... it's also what makes it open to SQL injection attacks. As the name suggests, an SQL injection attack "injects" or manipulates SQL code. By adding unexpected SQL to a query, it is possible to manipulate a database in many unanticipated ways.

One of the most popular ways to validate a user on a Website is to provide them with an HTML form through which they can enter their username and password. Let's assume that we have the following simple HTML form:


Username:
Password:



When the form is submitted, the contents of the username and password fields are passed to the login.asp script, and are available to that script through the Request.Form collection. The easiest way to validate this user would be to build an SQL query, and then check that query against the database to see whether that user exists. We could create a login.asp script like this:

<%

dim userName, password, query
dim conn, rS

userName = Request.Form("userName")
password = Request.Form("password")

set conn = server.createObject("ADODB.Connection")
set rs = server.createObject("ADODB.Recordset")

query = "select count(*) from users where userName='" &
userName & "' and userPass='" & password & "'"

conn.Open "Provider=SQLOLEDB; Data Source=(local);
Initial Catalog=myDB; User Id=sa; Password="
rs.activeConnection = conn
rs.open query

if not rs.eof then
response.write "Logged In"
else
response.write "Bad Credentials"
end if

%>

In the example above, the user either sees "Logged In" if their credentials matched a record in the database, or "Bad Credentials" if they didn't. Before we continue, let's create the database that we have queried in the sample code.

Hacking A Website: SQL Injection Attack !

SQL Injection Attacks by Example

"SQL Injection" is subset of the an unverified/unsanitized user input vulnerability ("buffer overflows" are a different subset), and the idea is to convince the application to run SQL code that was not intended. If the application is creating SQL strings naively on the fly and then running them, it's straightforward to create some real surprises.

We'll note that this was a somewhat winding road with more than one wrong turn, and others with more experience will certainly have different -- and better -- approaches. But the fact that we were successful does suggest that we were not entirely misguided.

There have been other papers on SQL injection, including some that are much more detailed, but this one shows the rationale of discovery as much as the process of exploitation.

The Target Intranet

This appeared to be an entirely custom application, and we had no prior knowledge of the application nor access to the source code: this was a "blind" attack. A bit of poking showed that this server ran Microsoft's IIS 6 along with ASP.NET, and this suggested that the database was Microsoft's SQL server: we believe that these techniques can apply to nearly any web application backed by any SQL server.

The login page had a traditional username-and-password form, but also an email-me-my-password link; the latter proved to be the downfall of the whole system.

When entering an email address, the system presumably looked in the user database for that email address, and mailed something to that address. Since my email address is not found, it wasn't going to send me anything.

So the first test in any SQL-ish form is to enter a single quote as part of the data: the intention is to see if they construct an SQL string literally without sanitizing. When submitting the form with a quote in the email address, we get a 500 error (server failure), and this suggests that the "broken" input is actually being parsed literally. Bingo.

We speculate that the underlying SQL code looks something like this:

SELECT fieldlist
FROM table
WHERE field = '$EMAIL';

Here, $EMAIL is the address submitted on the form by the user, and the larger query provides the quotation marks that set it off as a literal string. We don't know the specific names of the fields or table involved, but we do know their nature, and we'll make some good guesses later.

When we enter steve@unixwiz.net' - note the closing quote mark - this yields constructed SQL:

SELECT fieldlist
FROM table
WHERE field = 'steve@unixwiz.net'';

when this is executed, the SQL parser find the extra quote mark and aborts with a syntax error. How this manifests itself to the user depends on the application's internal error-recovery procedures, but it's usually different from "email address is unknown". This error response is a dead giveaway that user input is not being sanitized properly and that the application is ripe for exploitation.

Since the data we're filling in appears to be in the WHERE clause, let's change the nature of that clause in an SQL legal way and see what happens. By entering anything' OR 'x'='x, the resulting SQL is:

SELECT fieldlist
FROM table
WHERE field = 'anything' OR 'x'='x';

Because the application is not really thinking about the query - merely constructing a string - our use of quotes has turned a single-component WHERE clause into a two-component one, and the 'x'='x' clause is guaranteed to be true no matter what the first clause is (there is a better approach for this "always true" part that we'll touch on later).

But unlike the "real" query, which should return only a single item each time, this version will essentially return every item in the members database. The only way to find out what the application will do in this circumstance is to try it. Doing so, we were greeted with:

Your login information has been mailed to random.person@example.com.

Our best guess is that it's the first record returned by the query, effectively an entry taken at random. This person really did get this forgotten-password link via email, which will probably come as surprise to him and may raise warning flags somewhere.

We now know that we're able to manipulate the query to our own ends, though we still don't know much about the parts of it we cannot see. But we have observed three different responses to our various inputs:

* "Your login information has been mailed to email"
* "We don't recognize your email address"
* Server error

The first two are responses to well-formed SQL, while the latter is for bad SQL: this distinction will be very useful when trying to guess the structure of the query.

Schema field mapping

The first steps are to guess some field names: we're reasonably sure that the query includes "email address" and "password", and there may be things like "US Mail address" or "userid" or "phone number". We'd dearly love to perform a SHOW TABLE, but in addition to not knowing the name of the table, there is no obvious vehicle to get the output of this command routed to us.

So we'll do it in steps. In each case, we'll show the whole query as we know it, with our own snippets shown specially. We know that the tail end of the query is a comparison with the email address, so let's guess email as the name of the field:

SELECT fieldlist
FROM table
WHERE field = 'x' AND email IS NULL; --';

The intent is to use a proposed field name (email) in the constructed query and find out if the SQL is valid or not. We don't care about matching the email address (which is why we use a dummy 'x'), and the -- marks the start of an SQL comment. This is an effective way to "consume" the final quote provided by application and not worry about matching them.

If we get a server error, it means our SQL is malformed and a syntax error was thrown: it's most likely due to a bad field name. If we get any kind of valid response, we guessed the name correctly. This is the case whether we get the "email unknown" or "password was sent" response.

Note, however, that we use the AND conjunction instead of OR: this is intentional. In the SQL schema mapping phase, we're not really concerned with guessing any particular email addresses, and we do not want random users inundated with "here is your password" emails from the application - this will surely raise suspicions to no good purpose. By using the AND conjunction with an email address that couldn't ever be valid, we're sure that the query will always return zero rows and never generate a password-reminder email.

Submitting the above snippet indeed gave us the "email address unknown" response, so now we know that the email address is stored in a field email. If this hadn't worked, we'd have tried email_address or mail or the like. This process will involve quite a lot of guessing.

Next we'll guess some other obvious names: password, user ID, name, and the like. These are all done one at a time, and anything other than "server failure" means we guessed the name correctly.

SELECT fieldlist
FROM table
WHERE email = 'x' AND userid IS NULL; --';

As a result of this process, we found several valid field names:

* email
* passwd
* login_id
* full_name

There are certainly more (and a good source of clues is the names of the fields on forms), but a bit of digging did not discover any. But we still don't know the name of the table that these fields are found in - how to find out?
Finding the table name

The application's built-in query already has the table name built into it, but we don't know what that name is: there are several approaches for finding that (and other) table names. The one we took was to rely on a subselect.

A standalone query of

SELECT COUNT(*) FROM tabname

Returns the number of records in that table, and of course fails if the table name is unknown. We can build this into our string to probe for the table name:

SELECT email, passwd, login_id, full_name
FROM table
WHERE email = 'x' AND 1=(SELECT COUNT(*) FROM tabname); --';

We don't care how many records are there, of course, only whether the table name is valid or not. By iterating over several guesses, we eventually determined that members was a valid table in the database. But is it the table used in this query? For that we need yet another test using table.field notation: it only works for tables that are actually part of this query, not merely that the table exists.

SELECT email, passwd, login_id, full_name
FROM members
WHERE email = 'x' AND members.email IS NULL; --';

When this returned "Email unknown", it confirmed that our SQL was well formed and that we had properly guessed the table name. This will be important later, but we instead took a different approach in the interim.
Finding some users

At this point we have a partial idea of the structure of the members table, but we only know of one username: the random member who got our initial "Here is your password" email. Recall that we never received the message itself, only the address it was sent to. We'd like to get some more names to work with, preferably those likely to have access to more data.

The first place to start, of course, is the company's website to find who is who: the "About us" or "Contact" pages often list who's running the place. Many of these contain email addresses, but even those that don't list them can give us some clues which allow us to find them with our tool.

The idea is to submit a query that uses the LIKE clause, allowing us to do partial matches of names or email addresses in the database, each time triggering the "We sent your password" message and email. Warning: though this reveals an email address each time we run it, it also actually sends that email, which may raise suspicions. This suggests that we take it easy.

We can do the query on email name or full name (or presumably other information), each time putting in the % wildcards that LIKE supports:

SELECT email, passwd, login_id, full_name
FROM members
WHERE email = 'x' OR full_name LIKE '%Bob%';

Keep in mind that even though there may be more than one "Bob", we only get to see one of them: this suggests refining our LIKE clause narrowly.

Ultimately, we may only need one valid email address to leverage our way in.
Brute-force password guessing

One can certainly attempt brute-force guessing of passwords at the main login page, but many systems make an effort to detect or even prevent this. There could be logfiles, account lockouts, or other devices that would substantially impede our efforts, but because of the non-sanitized inputs, we have another avenue that is much less likely to be so protected.

We'll instead do actual password testing in our snippet by including the email name and password directly. In our example, we'll use our victim, bob@example.com and try multiple passwords.

SELECT email, passwd, login_id, full_name
FROM members
WHERE email = 'bob@example.com' AND passwd = 'hello123';

This is clearly well-formed SQL, so we don't expect to see any server errors, and we'll know we found the password when we receive the "your password has been mailed to you" message. Our mark has now been tipped off, but we do have his password.

This procedure can be automated with scripting in perl, and though we were in the process of creating this script, we ended up going down another road before actually trying it.
The database isn't readonly

So far, we have done nothing but query the database, and even though a SELECT is readonly, that doesn't mean that SQL is. SQL uses the semicolon for statement termination, and if the input is not sanitized properly, there may be nothing that prevents us from stringing our own unrelated command at the end of the query.

The most drastic example is:

SELECT email, passwd, login_id, full_name
FROM members
WHERE email = 'x'; DROP TABLE members; --'; -- Boom!

The first part provides a dummy email address -- 'x' -- and we don't care what this query returns: we're just getting it out of the way so we can introduce an unrelated SQL command. This one attempts to drop (delete) the entire members table, which really doesn't seem too sporting.

This shows that not only can we run separate SQL commands, but we can also modify the database. This is promising.
Adding a new member

Given that we know the partial structure of the members table, it seems like a plausible approach to attempt adding a new record to that table: if this works, we'll simply be able to login directly with our newly-inserted credentials.

This, not surprisingly, takes a bit more SQL, and we've wrapped it over several lines for ease of presentation, but our part is still one contiguous string:

SELECT email, passwd, login_id, full_name
FROM members
WHERE email = 'x';
INSERT INTO members ('email','passwd','login_id','full_name')
VALUES ('steve@unixwiz.net','hello','steve','Steve Friedl');--';

Even if we have actually gotten our field and table names right, several things could get in our way of a successful attack:

1. We might not have enough room in the web form to enter this much text directly (though this can be worked around via scripting, it's much less convenient).
2. The web application user might not have INSERT permission on the members table.
3. There are undoubtedly other fields in the members table, and some may require initial values, causing the INSERT to fail.
4. Even if we manage to insert a new record, the application itself might not behave well due to the auto-inserted NULL fields that we didn't provide values for.
5. A valid "member" might require not only a record in the members table, but associated information in other tables (say, "accessrights"), so adding to one table alone might not be sufficient.

In the case at hand, we hit a roadblock on either #4 or #5 - we can't really be sure -- because when going to the main login page and entering in the above username + password, a server error was returned. This suggests that fields we did not populate were vital, but nevertheless not handled properly.

A possible approach here is attempting to guess the other fields, but this promises to be a long and laborious process: though we may be able to guess other "obvious" fields, it's very hard to imagine the bigger-picture organization of this application.

We ended up going down a different road.
Mail me a password

We then realized that though we are not able to add a new record to the members database, we can modify an existing one, and this proved to be the approach that gained us entry.

From a previous step, we knew that bob@example.com had an account on the system, and we used our SQL injection to update his database record with our email address:

SELECT email, passwd, login_id, full_name
FROM members
WHERE email = 'x';
UPDATE members
SET email = 'steve@unixwiz.net'
WHERE email = 'bob@example.com';

After running this, we of course received the "we didn't know your email address", but this was expected due to the dummy email address provided. The UPDATE wouldn't have registered with the application, so it executed quietly.

We then used the regular "I lost my password" link - with the updated email address - and a minute later received this email:

From: system@example.com
To: steve@unixwiz.net
Subject: Intranet login

This email is in response to your request for your Intranet log in information.
Your User ID is: bob
Your password is: hello

Now it was now just a matter of following the standard login process to access the system as a high-ranked MIS staffer, and this was far superior to a perhaps-limited user that we might have created with our INSERT approach.

We found the intranet site to be quite comprehensive, and it included - among other things - a list of all the users. It's a fair bet that many Intranet sites also have accounts on the corporate Windows network, and perhaps some of them have used the same password in both places. Since it's clear that we have an easy way to retrieve any Intranet password, and since we had located an open PPTP VPN port on the corporate firewall, it should be straightforward to attempt this kind of access.

We had done a spot check on a few accounts without success, and we can't really know whether it's "bad password" or "the Intranet account name differs from the Windows account name". But we think that automated tools could make some of this easier.
Other Approaches

In this particular engagement, we obtained enough access that we did not feel the need to do much more, but other steps could have been taken. We'll touch on the ones that we can think of now, though we are quite certain that this is not comprehensive.

We are also aware that not all approaches work with all databases, and we can touch on some of them here.

Use xp_cmdshell
Microsoft's SQL Server supports a stored procedure xp_cmdshell that permits what amounts to arbitrary command execution, and if this is permitted to the web user, complete compromise of the webserver is inevitable.
What we had done so far was limited to the web application and the underlying database, but if we can run commands, the webserver itself cannot help but be compromised. Access to xp_cmdshell is usually limited to administrative accounts, but it's possible to grant it to lesser users.
Map out more database structure
Though this particular application provided such a rich post-login environment that it didn't really seem necessary to dig further, in other more limited environments this may not have been sufficient.
Being able to systematically map out the available schema, including tables and their field structure, can't help but provide more avenues for compromise of the application.
One could probably gather more hints about the structure from other aspects of the website (e.g., is there a "leave a comment" page? Are there "support forums"?). Clearly, this is highly dependent on the application and it relies very much on making good guesses.

Mitigations

We believe that web application developers often simply do not think about "surprise inputs", but security people do (including the bad guys), so there are three broad approaches that can be applied here.

Sanitize the input
It's absolutely vital to sanitize user inputs to insure that they do not contain dangerous codes, whether to the SQL server or to HTML itself. One's first idea is to strip out "bad stuff", such as quotes or semicolons or escapes, but this is a misguided attempt. Though it's easy to point out some dangerous characters, it's harder to point to all of them.
The language of the web is full of special characters and strange markup (including alternate ways of representing the same characters), and efforts to authoritatively identify all "bad stuff" are unlikely to be successful.
Instead, rather than "remove known bad data", it's better to "remove everything but known good data": this distinction is crucial. Since - in our example - an email address can contain only these characters:

abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789
@.-_+

There is really no benefit in allowing characters that could not be valid, and rejecting them early - presumably with an error message - not only helps forestall SQL Injection, but also catches mere typos early rather than stores them into the database.

Sidebar on email addresses

It's important to note here that email addresses in particular are troublesome to validate programmatically, because everybody seems to have his own idea about what makes one "valid", and it's a shame to exclude a good email address because it contains a character you didn't think about.

The only real authority is RFC 2822 (which encompasses the more familiar RFC822), and it includes a fairly expansive definition of what's allowed. The truly pedantic may well wish to accept email addresses with ampersands and asterisks (among other things) as valid, but others - including this author - are satisfied with a reasonable subset that includes "most" email addresses.

Those taking a more restrictive approach ought to be fully aware of the consequences of excluding these addresses, especially considering that better techniques (prepare/execute, stored procedures) obviate the security concerns which those "odd" characters present.

Be aware that "sanitizing the input" doesn't mean merely "remove the quotes", because even "regular" characters can be troublesome. In an example where an integer ID value is being compared against the user input (say, a numeric PIN):

SELECT fieldlist
FROM table
WHERE id = 23 OR 1=1; -- Boom! Always matches!

In practice, however, this approach is highly limited because there are so few fields for which it's possible to outright exclude many of the dangerous characters. For "dates" or "email addresses" or "integers" it may have merit, but for any kind of real application, one simply cannot avoid the other mitigations.
Escape/Quotesafe the input
Even if one might be able to sanitize a phone number or email address, one cannot take this approach with a "name" field lest one wishes to exclude the likes of Bill O'Reilly from one's application: a quote is simply a valid character for this field.
One includes an actual single quote in an SQL string by putting two of them together, so this suggests the obvious - but wrong! - technique of preprocessing every string to replicate the single quotes:

SELECT fieldlist
FROM customers
WHERE name = 'Bill O''Reilly'; -- works OK

However, this naïve approach can be beaten because most databases support other string escape mechanisms. MySQL, for instance, also permits \' to escape a quote, so after input of \'; DROP TABLE users; -- is "protected" by doubling the quotes, we get:

SELECT fieldlist
FROM customers
WHERE name = '\''; DROP TABLE users; --'; -- Boom!

The expression '\'' is a complete string (containing just one single quote), and the usual SQL shenanigans follow. It doesn't stop with backslashes either: there is Unicode, other encodings, and parsing oddities all hiding in the weeds to trip up the application designer.
Getting quotes right is notoriously difficult, which is why many database interface languages provide a function that does it for you. When the same internal code is used for "string quoting" and "string parsing", it's much more likely that the process will be done properly and safely.
Some examples are the MySQL function mysql_real_escape_string() and perl DBD method $dbh->quote($value).
These methods must be used.
Use bound parameters (the PREPARE statement)
Though quotesafing is a good mechanism, we're still in the area of "considering user input as SQL", and a much better approach exists: bound parameters, which are supported by essentially all database programming interfaces. In this technique, an SQL statement string is created with placeholders - a question mark for each parameter - and it's compiled ("prepared", in SQL parlance) into an internal form.
Later, this prepared query is "executed" with a list of parameters:
Example in perl

$sth = $dbh->prepare("SELECT email, userid FROM members WHERE email = ?;");

$sth->execute($email);

Thanks to Stefan Wagner, this demonstrates bound parameters in Java:
Insecure version

Statement s = connection.createStatement();
ResultSet rs = s.executeQuery("SELECT email FROM member WHERE name = "
+ formField); // *boom*

Secure version

PreparedStatement ps = connection.prepareStatement(
"SELECT email FROM member WHERE name = ?");
ps.setString(1, formField);
ResultSet rs = ps.executeQuery();

Here, $email is the data obtained from the user's form, and it is passed as positional parameter #1 (the first question mark), and at no point do the contents of this variable have anything to do with SQL statement parsing. Quotes, semicolons, backslashes, SQL comment notation - none of this has any impact, because it's "just data". There simply is nothing to subvert, so the application is be largely immune to SQL injection attacks.
There also may be some performance benefits if this prepared query is reused multiple times (it only has to be parsed once), but this is minor compared to the enormous security benefits. This is probably the single most important step one can take to secure a web application.
Limit database permissions and segregate users
In the case at hand, we observed just two interactions that are made not in the context of a logged-in user: "log in" and "send me password". The web application ought to use a database connection with the most limited rights possible: query-only access to the members table, and no access to any other table.
The effect here is that even a "successful" SQL injection attack is going to have much more limited success. Here, we'd not have been able to do the UPDATE request that ultimately granted us access, so we'd have had to resort to other avenues.
Once the web application determined that a set of valid credentials had been passed via the login form, it would then switch that session to a database connection with more rights.
It should go almost without saying that sa rights should never be used for any web-based application.
Use stored procedures for database access
When the database server supports them, use stored procedures for performing access on the application's behalf, which can eliminate SQL entirely (assuming the stored procedures themselves are written properly).
By encapsulating the rules for a certain action - query, update, delete, etc. - into a single procedure, it can be tested and documented on a standalone basis and business rules enforced (for instance, the "add new order" procedure might reject that order if the customer were over his credit limit).
For simple queries this might be only a minor benefit, but as the operations become more complicated (or are used in more than one place), having a single definition for the operation means it's going to be more robust and easier to maintain.
Note: it's always possible to write a stored procedure that itself constructs a query dynamically: this provides no protection against SQL Injection - it's only proper binding with prepare/execute or direct SQL statements with bound variables that provide this protection.
Isolate the webserver
Even having taken all these mitigation steps, it's nevertheless still possible to miss something and leave the server open to compromise. One ought to design the network infrastructure to assume that the bad guy will have full administrator access to the machine, and then attempt to limit how that can be leveraged to compromise other things.
For instance, putting the machine in a DMZ with extremely limited pinholes "inside" the network means that even getting complete control of the webserver doesn't automatically grant full access to everything else. This won't stop everything, of course, but it makes it a lot harder.
Configure error reporting
The default error reporting for some frameworks includes developer debugging information, and this cannot be shown to outside users. Imagine how much easier a time it makes for an attacker if the full query is shown, pointing to the syntax error involved.
This information is useful to developers, but it should be restricted - if possible - to just internal users.

Note that not all databases are configured the same way, and not all even support the same dialect of SQL (the "S" stands for "Structured", not "Standard"). For instance, most versions of MySQL do not support subselects, nor do they usually allow multiple statements: these are substantially complicating factors when attempting to penetrate a network.

We'd like to emphasize that though we chose the "Forgotten password" link to attack in this particular case, it wasn't really because this particular web application feature is dangerous. It was simply one of several available features that might have been vulnerable, and it would be a mistake to focus on the "Forgotten password" aspect of the presentation.

This Tech Tip has not been intended to provide comprehensive coverage on SQL injection, or even a tutorial: it merely documents the process that evolved over several hours during a contracted engagement. We've seen other papers on SQL injection discuss the technical background, but still only provide the "money shot" that ultimately gained them access.

But that final statement required background knowledge to pull off, and the process of gathering that information has merit too. One doesn't always have access to source code for an application, and the ability to attack a custom application blindly has some value.

Thanks to David Litchfield and Randal Schwartz for their technical input to this paper, and to the great Chris Mospaw for graphic design (© 2005 by Chris Mospaw, used with permission).
Other resources

* (more) Advanced SQL Injection, Chris Anley, Next Generation Security Software.
* SQL Injection walkthrough, SecuriTeam
* GreenSQL, an open-source database firewall that tries to protect against SQL injection errors — note; I don't have any direct experience with this tool
* "Exploits of a Mom" — Very good xkcd cartoon about SQL injection
* SQL Injection Cheat Sheet — by Ferruh Mavituna

Last modified: Wed Oct 10 06:28:06 PDT 2007

.NET Encryption Simplified

Introduction
Microsoft's .NET framework has robust support for encryption in the System.Security.Cryptography namespace. Everything you need to perform encryption is available in that class, but it's difficult to understand unless you have a firm grasp of cryptographic theory. Over the last four months, I've struggled with the concepts and theory behind encrypting and decrypting data. I've wrapped all my derived knowledge into a class I call Encryption. This class is heavily documented, string oriented, and most of all, simple! It's ideal for learning more about encryption.
Background
There are three essential cryptographic concepts represented in the Encryption namespace. It's important that every developer understands these concepts before proceeding any further:
Hashing
Hashes aren't encryption, per se, but they are fundamental to all other encryption operations. A hash is a data fingerprint - a tiny set of bytes that represents the uniqueness of a much larger block of bytes. Like fingerprints, no two should ever be alike, and a matching fingerprint is conclusive proof of identity. A full discussion of hashes is outside the scope of this article, but I highly recommend Steve Friedl's Illustrated Guide to Cryptographic Hashes for more background.
Symmetric Encryption
In symmetric encryption, a single key is used for encrypting and decrypting the data. This type of encryption is quite fast, but has a severe problem: in order to share a secret with someone, they have to know your key. This implies a very high level of trust between people sharing secrets; if an unscrupulous person has your key-- or if your key is intercepted by a spy-- they can decrypt all the messages you send using that key!
Asymmetric Encryption
Asymmetric encryption solves the trust problem inherent in symmetric encryption by using two different keys: a public key for encrypting messages, and a private key for decrypting messages. This makes it possible to communicate in secrecy with people you don't fully trust. If an unscrupulous person has your public key, who cares? The public key is only good for encryption; it's useless for decryption. They can't decrypt any of your messages! However, asymmetric encryption is very slow. It's not recommended for use on more than roughly 1 kilobyte of data.
These three concepts are heavily intertwined and always seen together in modern cryptography. They have different strengths and weaknesses; combining them offers a much higher level of security than can be achieved using a single method alone. For example, when digitally transmitting a check to your bank, all three of these methods are used:
Image reprinted from Entrust's Introduction to Cryptography and Digital Signatures PDF.
A hash of the check is calculated.
The hash is encrypted with our public key using asymmetric encryption.
The encrypted hash is appended to the document.
The document is encrypted using a unique one-time symmetric encryption key.
The one-time symmetric encryption key is encrypted with the recipient's public key using asymmetric encryption.
The encrypted key and encrypted document are transmitted to the recipient.
In order to open the check, these steps are simply performed in the reverse order by the recipient. Note that if any of these steps were missing, the transaction would have significant weaknesses that could be exploited!
Encryption.Hash
Let's start with the simplest operation-- Hashing the string "Hash Browns":Dim h As New Encryption.Hash(Encryption.Hash.Provider.CRC32)
Dim d As New Encryption.Data("Hash Browns")
h.Calculate(d)
Console.WriteLine(".ToHex = '" & h.Value.ToHex & "'")
Console.WriteLine(".ToBase64 = '" & h.Value.ToBase64 & "'")
Console.WriteLine(".ToString = '" & h.Value.ToString & "'")
The unique data fingerprint of the string "Hash Browns" using the CRC32 algorithm is 32 bits or 4 bytes in length. We have a custom data type, Encryption.Data, to aid us in converting those 4 bytes to and from familiar string representations:.ToHex = 'FDBFBC6D'
.ToBase64 = '/b+8bQ=='
.ToString = 'y��m'
It doesn't make much sense to display an array of raw bytes using the .ToString method; that's shown only for illustrative purposes. You'll want raw byte values displayed either as Hexadecimal or Base64 encoded. If necessary, you can get to the raw byte representation via the Encryption.Data.Bytes array.
The CRC32 hash is not a good choice for security work; it's optimized for speed and detection of machine transmission errors. It would be relatively easy for a knowledgeable human hacker to generate a string that produces the same CRC32 hash. Let's take a look at a slower, but more secure hash: SHA1.Dim h As New Encryption.Hash(Encryption.Hash.Provider.SHA1)
Dim d As New Encryption.Data("Hash Browns")
Dim salt As New Encryption.Data("NaCl")
h.Calculate(d, salt)
Console.WriteLine(h.Value.ToHex)
Console.WriteLine(h.Value.ToBase64)
SHA1 produces a much longer and more tamper-resistant 160-bit hash code..ToHex = '95CF26B3BB0.F377347B6D414951456A16DD0CF5F'
.ToBase64 = 'lc8ms7sPN3NHttQUlRRWoW3Qz18='
Notice the salt I added? Hashes are commonly used to avoid plain-text storage of passwords in a database. You calculate the hash of the password and store the hash instead of the actual password. When the user types in their password, hash it, then compare it against the stored hash in the database. It's clever, but there is a vulnerability: you can still mount a dictionary attack by hashing the English dictionary and matching it against the hashes stored in the database. We can prevent this by adding a salt-- a unique string-- to every password before hashing it. You'd typically salt with some arbitrary value from the same record, such as the record ID, user's birthday, or a GUID. It doesn't really matter what your salt is, as long as it makes the values unique. By adding the salt as shown above, we are effectively hashing the string "NaClHash Browns" instead of "Hash Browns". Good luck finding "NaClHash" in a dictionary!
Also note that string representations aren't particularly efficient; it takes 40 characters to represent the 160 bit (20 byte) hash in string using Hexadecimal, and 28 characters to represent that same hash using Base64 encoding. If you don't need to display your data in semi-human readable format, stick to binary formats. But the textual representations sure are convenient for use in XML or .config files!
We're not limited to Encryption.Data byte arrays of fixed length. We can also calculate the hash of an IO.Stream of any arbitrary size:Dim sr As New IO.StreamReader("c:\test.txt")
Dim h As New Encryption.Hash(Encryption.Hash.Provider.MD5)
Console.WriteLine(".ToHex = '" & h.Calculate(sr.BaseStream).ToHex & "'")
sr.Close()
So the file test.txt has an MD5 hash of:.ToHex = '92C7C0F251D98DEA2ACC49B21CF08070'
Let's see what happens if we add a single space character to test.txt, and hash it again:.ToHex = 'FADECF02C2ABDC7B65EBF2382E8AC756'
One of the defining properties of a hash is that small changes in the source bytes produce big differences in the resulting hash bytes.
All hashes have the same purpose: to digitally fingerprint code. However, there are different speed and security tradeoffs for each Hash.Provider:
Provider
Length (bits)
Security
Speed
Hash.Provider.CRC32
32
low
fast
Hash.Provider.SHA1
160
moderate
medium
Hash.Provider.SHA256
256
high
slow
Hash.Provider.SHA384
384
high
slow
Hash.Provider.SHA512
512
extreme
slow
Hash.Provider.MD5
128
moderate
medium
Encryption.Symmetric
Symmetric encryption is the most familiar kind of encryption; you have a single secret key which is used to both encrypt and decrypt:Dim sym As New Encryption.Symmetric(Encryption.Symmetric.Provider.Rijndael)
Dim key As New Encryption.Data("My Password")
Dim encryptedData As Encryption.Data
encryptedData = sym.Encrypt(New Encryption.Data("Secret Sauce"), key)
Dim base64EncryptedString as String = encryptedData.ToBase64
We now have some Rijndael encrypted bytes, expressed as a Base64 string. Let's decrypt them:Dim sym As New Encryption.Symmetric(Encryption.Symmetric.Provider.Rijndael)
Dim key As New Encryption.Data("My Password")
Dim encryptedData As New Encryption.Data
encryptedData.Base64 = base64EncryptedString
Dim decryptedData As Encryption.Data
decryptedData = sym.Decrypt(encryptedData, key)
Console.WriteLine(decryptedData.ToString)
Like the Encryption.Hash class, this also works for any arbitrarily-sized IO.Stream as well as the fixed size Encryption.Data:Dim sym As New Encryption.Symmetric(Encryption.Symmetric.Provider.TripleDES)
Dim key As New Encryption.Data("My Password")
Dim fs As New IO.FileStream("c:\test.txt", IO.FileMode.Open,
IO.FileAccess.Read)
Dim br As New IO.BinaryReader(fs)
Dim encryptedData As Encryption.Data
encryptedData = sym.Encrypt(br.BaseStream, key)
br.Close()
Dim sym2 As New Encryption.Symmetric(Encryption.Symmetric.Provider.TripleDES)
Dim decryptedData As Encryption.Data
decryptedData = sym2.Decrypt(encryptedData, key)
There are a few things to remember when using the Encryption.Symmetric class:
All symmetric encryption is currently performed in memory. Be careful when encrypting extremely large files!
.NET always chooses the largest available key size by default. If you want to manually specify a smaller key size, use the .KeySizeBytes or .KeySizeBits properties.
The key is optional in the .Encrypt method. If you don't provide a key, a key of appropriate length will be auto generated for you and it can be retrieved via the .Key property. It won't be fun to pronounce, because it'll be a randomly generated array of bytes, but it'll sure be hard to guess!
The .InitializationVector property is completely optional. The symmetric algorithms are block-oriented and seed the next block with the results from the previous block. This means the very first block has no seed, so that's where the IV comes in. It's annoying to have to remember both a password and an initialization vector to decrypt your data, and I don't think this is a serious weakness, so I recommend accepting the default initialization vector.
.NET provides four different Symmetric.Provider algorithms; I would avoid the ones with shorter keys and known weaknesses:
Provider
Length (bits)
Known Vulnerabilities
Symmetric.Provider.DES
64
yes
Symmetric.Provider.RC2
40-128
yes
Symmetric.Provider.Rijndael
128, 192, 256
no
Symmetric.Provider.TripleDES
128, 192
no
Encryption.Asymmetric
Asymmetric encryption requires the use of two keys: one public, one private, together known as a "keyset". Let's generate a new keyset and encrypt some data:Dim asym As New Encryption.Asymmetric
Dim pubkey As New Encryption.Asymmetric.PublicKey
Dim privkey As New Encryption.Asymmetric.PrivateKey
asym.GenerateNewKeyset(pubkey, privkey)
Dim secret As String = "ancient chinese"
Dim encryptedData As Encryption.Data
encryptedData = asym.Encrypt(New Encryption.Data(secret), pubkey)
Dim decryptedData As Encryption.Data
Dim asym2 As New Encryption.Asymmetric
decryptedData = asym2.Decrypt(encryptedData, privkey)
Note that we used the public key to encrypt, and the private key to decrypt.
Although you can certainly generate as many new public/private keysets as you want, you'll typically load an existing keyset. To facilitate loading and saving of keys, the Encryption.Asymmetric.PublicKey and Encryption.Asymmetric.PrivateKey classes support XML serialization via the .ToXml and .FromXml methods. They also support exporting to config file format via the .ToConfigSection method, which returns a string suitable for cutting and pasting into the section of your *.config file:









The private key is a superset of the public key; it can be used for both encryption and decryption, whereas the public key can only be used for encryption. Once a key is placed in the section of your .config file, it will be used automatically; you no longer have to specify a private key in the .Decrypt method:Dim encryptedData As Encryption.Data
Dim decryptedData As Encryption.Data
Dim asym As New Encryption.Asymmetric
Dim asym2 As New Encryption.Asymmetric
Dim secret As String = "Michael Bolton"
encryptedData = asym.Encrypt(New Encryption.Data(secret))
decryptedData = asym2.Decrypt(encryptedData)
Console.WriteLine(decryptedData.ToString)
Note that we didn't specify any keys here; everything was automatically absorbed from the section of the config file.
There are a few caveats when using Encryption.Asymmetric:
Microsoft's implementation of asymmetric encryption offers no choice of providers: you'll get RSA and you'll like it! You do get a choice of key sizes, though-- anywhere from 384 bits to 16,384 bits in steps of 8 bits. If you don't specify a size in the constructor, you'll get 1,024 bits by default. That should be more than enough for most uses.
Asymmetric encryption is designed for small inputs. This is partly because asymmetric encryption is brutally slow, but it's also by design: depending on the key size you choose, you'll get an exception if you try to encrypt something too big! There are workarounds, but I don't recommend them. Follow best practices as defined at the top of this article; use asymmetric encryption to protect short stuff, like symmetric passwords or hashes.
The Annoying File Dependency in Encryption.Asymmetric
Unfortunately, Microsoft chose to provide some System.Security.Cryptography functionality through the existing COM-based CryptoAPI. Typically this is no big deal; lots of things in .NET are delivered via COM interfaces. However, there is one destructive side effect in this case: asymmetric encryption, which in my opinion should be an entirely in-memory operation, has a filesystem "key container" dependency:
Even worse, this weird little "key container" file usually goes to the current user's folder! I have specified a machine folder as documented in this Microsoft knowledge base article. Every time we perform an asymmetric encryption operation, a file is created and then destroyed in the C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys folder. It is simply unavoidable, which you can see for yourself by opening this folder and watching what happens to it when you make asymmetric encryption calls. Make sure whatever account .NET is running as (ASP.NET, etc.) has permission to this folder!
Conclusion
Encryption is a deep, complicated subject. I hope this article and the accompanying classes made it at least a little more approachable.
Please don't hesitate to provide feedback, good or bad! If you enjoyed this article, you may also like my other articles as well.
History
Tuesday, April 19th, 2005
Published.
Sunday, May 1st, 2005
Minor bugfixes to article code.
Corrected issue with byte array nulls and Encoding.GetString in C#.
Monday, January 29th, 2007
Straight port to .NET 2.0 and Visual Studio 2005.

Reference Link :http://www.codeproject.com/KB/security/SimpleEncryption.aspx

Blogger Help - How To Submit Your Blogs Sitemap To Google

Generally speaking, sitemap is simply a website-map, showing all the pages and sub-pages of a website or a blog, which guides both visitors and search engines like Google, Yahoo etc. to roam around your blog. And when search engines roam around your blog, it is called indexing of your website. And as "indexing" is one of the most important aspects of SEO, so submission of sitemaps to Google/Yahoo/Bing is very very important.

[check out this post on how to submit your sitemap to Yahoo and Bing]

For visitors, sitemap (when displayed in HTML format - you can create and download your Blog*Spot sitemap in HTML format from here, then upload this html file to MyDataNest and finally link it from your blog), shows how the pages and their subpages are interconnected, making it easier for them to navigate around big websites.

And being a webmaster/blogger you must have a sitemap, as it's a search engine optimization tool too, that helps you to get more traffic from the search engines.

Now if you are using blogger as your blogging platform, then there is no direct method to simply upload an xml or HTML sitemap file to your blog. So you can follow these steps to add a site map to your blogspot blog:

STEP #1
Go to Google Webmaster Tools website. [Here]
STEP #2
Login and then at the top (Add Site), type your blog's url :

STEP #3
Now you have to verify that you own that blog, so click on Verify your site, and select the "Add a Meta Tag" option.

Then copy the meta tag into your blog's "Edit HTML" section of "Layout" tab, and save the template.


STEP #4
Then click on "Verify" at the bottom (in Google Webmaster account). So a message will be displayed:

You've successfully verified http://bikes.bloggerstop.net/.

STEP #5
Now click on Sitemaps link present at left side. Then click on "Add a Sitemap"
STEP #6
In "Choose Type", select "Add General Web Sitemap"


STEP #7
Then in the "My Sitemap url is" blank, type this:
atom.xml?redirect=false&start-index=1&max-results=100 (If you have up to 100 posts)
And if you have more than 100 articles or posts, then you have to add more sitemaps, after you have already added the previous one, like these:
atom.xml?redirect=false&start-index=101&max-results=100 (If you have up to 200 posts)
atom.xml?redirect=false&start-index=201&max-results=100 (If you have up to 300 posts)
atom.xml?redirect=false&start-index=301&max-results=100 (If you have up to 400 posts).

That's it, Now you can revisit your account after some days, and see a number of statistics provided by some of which are even better than Google analytics, as you can see the Google pagerank information for your blog's different pages, given by Google itself.

Blogger Blogspot SEO Tips and Tricks

Major List which is must follow for Blogspot SEO:

• Adding Your Blogger Blog to Major Search Engines
• Optimizing Blogger Post Titles
• Utilising Meta Keywords and a Meta Description
• Using Keywords in Alt Tags and Image Titles
• Using Target Keywords in Your Post Content
• Optimizing Blogger Title Tags
• Optimizing Your Blogger Permalinks
• Making Use of HTML Heading Tags Within Posts and Post Titles
• Adding Breadcrumb Navigation to your Blogger Blog

Get Your Blog Listed by Major Search Engines
Getting listed in the major search engines is a must if you want to get traffic from search engines. I have written several in depth articles about how to add a sitemap to major search engines and how to add your blog to Google, Yahoo and MSN so I will not repeat myself. Follow these articles for step by step walkthroughs


Optimize Your Blogger Post Titles
Major search engines lend a lot of weight to titles so it is important that you craft your post titles carefully. To optimize your post titles make them keyword rich and ensure the title clearly explains what the blog post is about. Try to put your keywords at the beginning of your title for best results and avoid repeating your keywords within the title. Avoid long titles as Google only displays about 65 characters in the search results anyway.

Title tags are important if your Blogger blog is to attract traffic and rank in search engine results. On your blog home page the blog title appears between the title tags while on each individual post page it is the name of the article itself. While the title tags themselves are unseen by the visitor to your blog they are read when search engines crawl your blog.

Search engines use title tags to display your post title as a headline in search engine results. Search engines also display a description of the article either by extracting it from the post content usually by picking up the first 150 characters of your post or by reading the meta description of the post if one exists.

Meta descriptions can be crafted for individual posts in Blogger to good effect. Make descriptions unique for each post and ensure they contain your target keywords and keyword phrases to encourage search engines to extract snippets from them. To find out more about adding a meta description to an individual post please see my article Adding Meta Tags to Blogger Blogspot Blog for Better SEO

Add Meta Tags and Blog Description to Blogger
Adding meta keywords and a blog description to your Blogger Blogspot blog can boost your rankings by helping visitors locate your blog using keyword and keyword phrases. To find out the best method of inserting these into your Blogger blog please refer to my article about Adding Meta Tags to Blogger Blogspot Blog for Better SEO


Use Keywords in Alt Tags and Image Titles
Optimize the images used on your blog by making use of the alt tags and image titles. For some tips on SEO and images please refer to 10 Tips to Build Site Traffic for a Blogspot Blog


Use Target Keywords in Your Post Content
Make sure you know your targeted keywords and use them within your post content. One of the factors in determining rankings is the relevance of the targeted keywords in relationship to the text that appears in the post content.


Change the Order of Post Title and Blog Title for Better SEO
One key change you can make to Blogger that will markedly improve the SEO of your blog is to adjust the title tags.

By default Blogger title tags are not optimized for search engines. The name of the blog appears before the name of the article which is not search engine friendly. Since search engines read left to right and give preference to what appears first having your blog name display before your post title is significant. To improve SEO it pays to adjust the order of title tags so that the your post title appears first:

Blog Title | Post Title

to

Post Title | Blog Title

To find out how to adjust the title tags of a Blogger Blogspot blog please refer to my article Adjust Blogger Title Tags to Improve SEO

Optimize Your Blogger Permalinks
Hand in hand with a title tag is the permanent permalink that is created when a post is published. If the title of the post is more than about 35 characters long you will strike problems with Blogger because it will shorten the title to a 35-40 character permalink. Some very ugly results happen because of this factor. For instance imagine a permalink such as:

http://blogknowhow.blogspot.com/2009/02/how-to-create-improved-permalinks-for.html

A totally useless permalink results because the blogger keyword has been left off. Learn more about crafting titles and working around the limitations of Blogger permalinks in my article How to Create Search Engine Friendly Permalinks



Improve SEO by Making Use of Headings for Post Titles
Heading tags are important for optimal SEO. Most Blogger.com templates use html header tags sized &lth2> or &lth3> for the post title. In the past major search engines like Google gave precedence to tags with &lth1> ahead of anything else but how important &lth1> tags are today is less certain. You could tweak the heading size of your post title if you wish however take care to ensure the look of your template isn't compromised. A bigger font will result and this may mean other parts of your blog will need to be adjusted to compensate. To find out what size your blog title is look for the following lines in your template.

As can be seen this template blog title is in &lth3&gt. To change the size of the tags just substitute the appropriate header tag where &lth3> appears


Improve SEO By Making Use of Heading Tags Within Posts
Heading tags can be used to good effect in your posts. Make sure you have only one &lth1> heading per page if you have one at all and reserve this for your post title. Make use of &lth2> and &lth3> headings throughout your post to emphasize key points and targeted keywords. Major search engines do take notice of &lth2> and &lth3> headings when crawling your blog. To add emphasis to a heading within your blog simply enclose the heading in &lth3> tags.


Add Breadcrumb Navigation to your Blogger Blog
There is a hack that can be used to add breadcrumb navigation to a Blogger Blogspot blog. Adding breadcrumb navigation can boost your SEO of your blog as well as improving how readers get around.


A breadcrumb provides text-based navigation by displaying the visitor's location within a blog. A breadcrumb provides shortcuts to enable visitors to quickly get around your blog and jump from one part of your blog to another. For example a breadcrumb for a post about meta tags would be Home > Meta Tags >Add Meta Tags to Blogger for Better SEO. An anchor text such as 'meta tags' tells search engines about the subject of the linked page. Search engines view a breadcrumb with a text link to relevant keywords in the post as important.

To find out how to add a breadcrumb navigation to your Blogger Blogspot blog please refer to my article Add Breadcrumb Navigation to a Blogger Blog


This article has focused on providing you with solid Blogger SEO advice, tips and tricks for the Blogspot Blogger. It will help you achieve good SEO results for your blog. Good luck. If you have time let me know about your experiences.

Related Articles
List of Blog Know How Tutorials for Blogger Blogs
10 Tips to Build Site Traffic for a Blogspot Blog
Add Breadcrumb Navigation to Blogger Blogspot Blog
Add Meta Tags to Blogger Blogspot Blog for Better SEO
How to Add a Blogger Sitemap to Major Search Engines
Submit a Blogspot Blog Sitemap to Google
Submit You Blogspot Blog to Yahoo
Add Blogger Sitemap to MSN Live

Law of Attraction

The Law of Attraction simply says that you attract into your life whatever you think about. Your dominant thoughts will find a way to manifest. But the Law of Attraction gives rise to some tough questions that don’t seem to have good answers. I would say, however, that these problems aren’t caused by the Law of Attraction itself but rather by the Law of Attraction as applied to objective reality.

Here are some of those problematic questions (all are generalizations of ones I received via email):

* What happens when people put out conflicting intentions, like two people intending to get the same promotion when only one position is available?
* Do children, babies, and/or animals put out intentions?
* If a child is abused, does that mean the child intended it in some way?
* If I intend for my relationship to improve, but my spouse doesn’t seem to care, what will happen?

These questions seem to weaken the plausibility of the Law of Attraction. Sometimes people answer them by going pretty far out. For example, it’s been said by LoAers that a young child experiences abuse because s/he intended it or earned it during a past life. Well, sure… we can explain just about anything if we bring past lives into the equation, but IMO that’s a cop-out. On the other hand, objective reality without the Law of Attraction doesn’t provide satisfactory answers either — supposedly some kids are just born unlucky. That’s a cop-out too.

I’ve never been satisfied by others’ answers to these questions, and they’re pretty important questions if the Law of Attraction is to be believed. Some books hint at the solution but never really nail it. That nail, however, can be found in the concept of subjective reality.

Subjective reality is a belief system in which (1) there is only one consciousness, (2) you are that singular consciousness, and (3) everything and everyone in your reality is a projection of your thoughts.

You may not see it yet, but subjective reality neatly answers all these tricky Law of Attraction questions. Let me ’splain….

In subjective reality there’s only one consciousness, and it’s yours. Consequently, there’s only one source of intentions in your universe — YOU. While you may observe lots of walking, talking bodies in your reality, they all exist inside your consciousness. You know this is how your dreams work, but you haven’t yet realized your waking reality is just another type of dream. It only seems solid because you believe (intend) it is.

Since none of the other characters you encounter are conscious in a way that’s separate from you, nobody else can have intentions. The only intentions are yours. You’re the only thinker in this universe.

It’s important to correctly define the YOU in subjective reality. YOU are not your physical body. This is not the egoic you at all. I’m not suggesting you’re a conscious body walking around in a world full of unconscious automatons. That would be a total misunderstanding of subjective reality. The correct viewpoint is that you’re the single consciousness in which this entire reality takes place.

Imagine you’re having a dream. In that dream what exactly are YOU? Are YOU the physical dream character you identify with? No, of course not — that’s just your dream avatar. YOU are the dreamer. The entire dream occurs within your consciousness. All dream characters are projections of your dream thoughts, including your avatar. In fact, if you learn lucid dreaming, you can even switch avatars in your dream by possessing another character. In a lucid dream, you can do anything you believe you can.

Physical reality works the same way. This is a denser universe than what you experience in your sleeping dreams, so changes occur a bit more gradually here. But this reality still conforms to your thoughts just like a sleeping dream. YOU are the dreamer in which all of this is taking place.

The idea that other people have intentions is an illusion because other people are just projections. Of course, if you strongly believe other people have intentions, then that’s the dream you’ll create for yourself. But ultimately it’s still an illusion.

Here’s how subjective reality answers these challenging Law of Attraction questions:

What happens when people put out conflicting intentions, like two people intending to get the same promotion when only one position is available?

Since you’re the only intender, this is entirely an internal conflict — within YOU. You’re holding the thought (the intention) for both people to want the same position. But you’re also thinking (intending) that only one can get it. So you’re intending competition. This whole situation is your creation. You believe in competition, so that’s what you manifest. Maybe you have some beliefs (thoughts and intentions) about who will get the promotion, in which case your expectations will manifest. But you may have a higher order belief that life is random, unfair, uncertain, etc., so in that case you may manifest a surprise because that’s what you’re intending.

Being the only intender in your reality places a huge responsibility on your shoulders. You can give up control of your reality by thinking (intending) randomness and uncertainty, but you can never give up responsibility. You’re the sole creator in this universe. If you think about war, poverty, disease, etc., that’s exactly what you’ll manifest. If you think about peace, love, and joy, you’ll manifest that too. Your reality is exactly what you think it is. Whenever you think about anything, you summon its manifestation.

Do children, babies, and/or animals put out intentions?

No. Your own body doesn’t even put out intentions — only your consciousness does. You’re the only one who has intentions, so what takes precedence is what YOU intend for the children, babies, and animals in your reality. Every thought is an intention, so however you think about the other beings in your reality is what you’ll eventually manifest for them. Keep in mind that beliefs are hierarchical, so if you have a high order belief that reality is random and unpredictable and out of your control, then that intention will trump other intentions of which you’re less certain. It’s your entire collection of thoughts that dictates how your reality manifests.

If a child is abused, does that mean the child intended it in some way?

No. It means YOU intended it. You intend child abuse to manifest simply by thinking about it. The more you think about child abuse (or any other subject), the more you’ll see it expand in your reality. Whatever you think about expands, and not just in the narrow space of your avatar but in all of physical reality.

If I intend for my relationship to improve, but my spouse doesn’t seem to care, what will happen?

This is another example of intending conflict. You’re projecting one intention for your avatar and one for your spouse, so the actual unified intention is that of conflict. Hence the result you experience, subject to the influence of your higher order beliefs, will be to experience conflict with your spouse. If your thoughts are conflicted, your reality is conflicted.

This is why assuming responsibility for your thoughts is so important. If you want to see peace in the world, then intend peace for EVERYTHING in your reality. If you want to see abundance in the world, then intend it for EVERYONE. If you want to enjoy loving relationships, then intend loving relationships for ALL. If you intend these only for your own avatar but not for others, then you’re intending conflict, division, and separation; consequently, that’s what you’ll experience.

If you stop thinking about something entirely, does that mean it disappears? Yes, technically it does. But in practice it’s next to impossible to uncreate what you’ve already manifested. You’ll continue creating the same problems just by noticing them. But when you assume 100% responsibility for everything you’re experiencing in your reality right now — absolutely everything — then you assume the power to alter your reality by rechanneling your thoughts.

This entire reality is your creation. Feel good about that. Feel grateful for the richness of your world. And then begin creating the reality you truly want by making decisions and holding intentions. Think about what you desire, and withdraw your thoughts from what you don’t want. The most natural, easiest way to do this is to pay attention to your emotions. Thinking about your desires feels good, and thinking about what you don’t want makes you feel bad. When you notice yourself feeling bad, you’ve caught yourself thinking about something you don’t want. Turn your focus back towards what you do want, and your emotional state will improve rapidly. As you do this repeatedly, you’ll begin to see your physical reality shift too, first in subtle ways and then in bigger leaps.

I too am just a manifestation of your consciousness. I play the role you expect me to play. If you expect me to be a helpful guide, I will be. If you expect me to be profound and insightful, I will be. If you expect me to be confused or deluded, I will be. But of course there’s no distinct ME that is separate from YOU. I’m just one of your many creations. I am what you intend me to be. But deep down you already knew that, didn’t you?

ShareThis
Discuss this post in the Steve Pavlina forum.

Achieve new breakthroughs in your habits, career, finances, relationships, health, and spiritual development. Register now to attend the next transformational 3-day Conscious Growth Workshop in Las Vegas.


Related Articles
# The Secret DVD With a Free Bonus
# Responsibility and the Law of Attraction
# StevePavlina.com Podcast #016 – The True Nature of Reality
# The Secret
# The #1 Mistake People Make When Using the Law of Attraction
# The Most Direct Solution to Any Problem
# StevePavlina.com Podcast #018 – Faster Goal Achievement
# StevePavlina.com Podcast #017 – Placing Your Order With the Universe
# Gratitude
# The Science of Success

This entry was posted on Friday, August 18th, 2006 at 12:13 pm and is filed under Consciousness & Awareness, Intention & Manifestation, Lucid Dreaming, Metaphysics. You can follow any responses to this entry through the RSS 2.0 feed. Responses are currently closed, but you can trackback from your own site.
39 Responses to “The Law of Attraction”

1. Creating a Better Life Says:
August 18th, 2006 at 5:02 pm

Unity and The Law of Attraction

Have you had one of those moments where something finally clicks for you, and a whole bunch of different thoughts that never quite worked together before finally come together?
I just had one. I’m still having it as I write.
After reading Steve …
2. rmic.be Says:
August 19th, 2006 at 1:34 am

How to make your dreams come true ?

In his latest post he asks and answer some interesting questions about the effects of conflicting intentions and situations where the subject is not really able to think or want the things he attracts.
3. Pathway To Happiness » Blog Archive » The Law of Attraction Beliefs and Thoughts Says:
August 19th, 2006 at 6:35 pm

[...] I had a few thoughts on a post Steve Pavlina wrote about the Law of Attraction. I look at it a little differently. Maybe it is really the same but I am interpreting the words differently. This is always a difficulty with language, particularly with written words. [...]
4. Live Consciously » Creating Lasting Change Says:
August 21st, 2006 at 3:16 am

[...] It started when I was reading Steve Pavlina’s blog about the Law of Attraction. The article focused on how all the energy you put out into the universe comes back at you, manifesting into the life that you are creating. It emphasizes that no one else is responsible for your life and your universe, and that we are the sole creators of our own reality. [...]
5. Live Consciously » Changing Your Thoughts Says:
August 25th, 2006 at 12:41 am

[...] 4) Embrace a new Philosophy. Nothing is quite as powerful as experiencing a new perspective. Try it sometime. Go to wikipedia and look up philosophies. Imagine what your world would be like if you lived that philosophy. Try it on for a day, and if you like elements from it, embrace them into your current world view. This will bring enrichment into your life. Or try embracing your total responsibility. [...]
6. How To Get What You Want - The Law of Attraction « Compass Says:
August 31st, 2006 at 5:18 pm

[...] The first one you should read is The Law of Attraction which answers some tough questions around how this principle works, and when. [...]
7. cloudshadows.net » Blog Archive » Mastery Of Desire Extends Power From Infinitesimal Particles To Infinity Says:
October 13th, 2006 at 7:24 am

[...] When you have complete mastery over your desires, your power extends from the smallest thing to the greatest thing. Essentially, you gain power over the universe. But what kind of power? I think this sūtra may just be an obscure way of stating the Law of Attraction. Here’s why: [...]
8. My favourite blog « a pearl lifestyle Says:
October 17th, 2006 at 6:56 am

[...] Some of the fascinating chapters include: Level of consciousness The Law of Attraction Living Congruently [...]
9. Lost in Translation » Blog Archive » Intention Says:
October 23rd, 2006 at 3:55 am

[...] Of course, I’m going to work on reducing my weight and size in the usual ways: exercise, eating better (and less), and keeping track of myself. But I’ve also decided to try another model. Steve Pavlina suggests a way of getting things done based on the law of attraction: “you attract into your life whatever you think about. Your dominant thoughts will find a way to manifest.” He calls this the Intention-Manifestation model. [...]
10. My $1000 Experiment » Move the Markets Says:
November 17th, 2006 at 9:13 am

[...] The point of the game is derived from the Law of Attraction, which more or less says what you think about today will be your life tomorrow. It’s a warning to focus on success rather than worry about failure. So, this is a fun way to make sure you spend some time thinking about having more money than you can easily even spend. Then, you get to go through imaginary motions of doing stuff with all that abundance. Sounds fun, and certainly can’t hurt! [...]
11. Law of Attraction and Limitations at Happiness through Awareness and Self Mastery Says:
November 22nd, 2006 at 3:37 pm

[...] Steve Pavlina Post on the topic [...]
12. ScottMW.com » Blog Archive » The Law of Attraction Says:
December 1st, 2006 at 3:52 am

[...] I came upon an article by Steve Pavlina, also titled “The Law of Attraction,” which gave me a better understanding of just what my brother was talking about. Pavlina describes this idea as your complete reality, as if it were a more potent lucid dream. Basically, you are the god of your universe. Whatever you want to happen will ultimately happen based on thoughts you focus on and actually will to happen. You ultimately become what you think about. If you think about how you’re poor and always have been, you will continue to stay poor. Conversely, if you think about how you are going to be a millionaire and you focus on it hour by hour, day by day. The Law of Attraction says that it will come to you. [...]
13. Creating a Better Life » Antidepressants Says:
December 15th, 2006 at 2:09 pm

[...] I guess I’m writing this because those of us who have suffered from depression and practice spiritual disciplines such as the Science of Mind or the Twelve Steps, as well as work with the Law of Attraction, can sometimes feel split, like we are doing one thing at one time, and then another at another time. And I’m here to say that I’m done with that way of thinking. So if you are like me, and you hear Wayne Dyer speaking derisively about how they have a drug for everything today (as he did in his PBS special “The Power of Intention”, which I otherwise loved), or you are in AA and your sponsor just doesn’t get why you are “trying to get happiness from a pill”, and you feel guilt about it, you are not alone. If the pills help, keep taking them! They aren’t magic, and there’s so much more to beating depression than taking medication. But it can be an important part of it. [...]
14. Steve Pavlina - another Nomad « NoMadIshEre Says:
December 27th, 2006 at 10:21 am

[...] While manifesting my own destiny I find myself “stumbling” into like minds. It’s easy to forget we are responsible for our own reality. Deep down we all know we are. This is one of those few “truths” I am well aware of and continually manifest reminders to myself. I thought I would do the same for you by introducing you to Steve Pavlina of StevePavlina.com and his post on The Law of Attraction. [...]
15. Bowling over Failure - Cure-Alls.com Says:
January 4th, 2007 at 8:45 pm

[...] 2. I lacked confidence. During that dreadful game I was missing shots that I had drilled during the previous three games. I blamed this on being “unlucky” and attributed it to the idea that “the pins weren’t falling my way.” Karlene Sugarman writes, “When you are playing well, you feel confident that no matter what you are up against, you are going to come out on top.” Instead of feeling this way, I felt that no matter what I did, the pins weren’t going to fall; and, true to manifest destiny, they didn’t. [...]
16. Demystifying the Law of Attraction // MPowered Life Higher Learning Center Says:
January 23rd, 2007 at 6:36 pm

[...] Steve Pavlina recently tackled some heavy subjects regarding Law of Attraction principles. I’d like to offer a different perspective on these important questions with the intention of delivering an explanation that resonates with your everyday experience. [...]
17. ProperJoy.com » Blog Archive » Life Update Says:
February 9th, 2007 at 8:28 am

[...] I feel great, experimenting with a new model of reality helps a great deal. [...]
18. The SoBe Project » Blog Archive » The Secret Says:
February 13th, 2007 at 8:09 pm

[...] Some intersting questions are discussed at Steve Pavlina’s Weblog that point out some problems with The Law of Attraction. [...]
19. attracted to the law of attraction » change therapy - isabella mori Says:
February 17th, 2007 at 3:28 pm

[...] are you attracted to the law of attraction? everyone seems to be talking about the movie the secret lately, and the law of attraction. are you one of them? if so, i wonder whether you’d like to tell me about it. [...]
20. computer - somdaj.com » Codename: Muffins Says:
February 19th, 2007 at 5:21 am

[...] Recently I watched The Secret. Essentially, it says that 1) we are all energy and 2) we get what we put out. So if you are constantly thinking negatively, you are only going to get negative back. It’s called the Law of Attraction and you can read more about it here. You may have seen it talked about on Oprah, but I swear to you, I saw it before the trendsetter for middle of the road America mentioned anything. Anyway, I got really excited at the idea of being able to control my life positively. I decided to do some of the things they talk about it the movie, one of them being to visualize what I want in my life. I wanted to make a visualization board but I couldn’t find one of those fancy real estate magazines to cut out my fantasy house, so I visualized having one. Friday night, TBU and I had nothing to do and we didn’t want to spend any money, I visualized us going out and having a good time for free. I have also been visualizing having more money, because dar. This is where it gets interesting, on Friday night, TBU and I took a walk and as we came back to our place what was sitting on our mailbox? A fancy shmancy real estate magazine. Ok, that was pretty cool but they are kinda everywhere and they’re free so that wasn’t so hard for the universe to provide. We were still bored with nothing to do. Then right as I got out of the shower at 8:30pm our friends called with extra tickets to a concert AND they bought us dinner. Ummmm, wow. Dinner and concert for free? Well played universe. While at the concert our friend ask me to start a business with her. Even though the money hasn’t actually manifested yet, I am really excited. All of this led me to start saying, “If you can visualize it, you can millionize it.” [...]
21. Collected Wanderings Says:
March 3rd, 2007 at 7:57 pm

The Secret

Brendin watched ‘The Secret’ with me and loved it. After watching it he wrote two pages of what he is thankful for. I have been writing spiritual material for several years and ‘The Law of Attraction’ is hard for teenagers to grasp. The nine …
22. The Law of Attraction … simplified « World of DanceyBingz Says:
March 9th, 2007 at 9:06 am

[...] Steve Pavlina has a great article on explaining the Law of Attraction. Rhonda Brynes made a movie-length dvd clip of the wonderful world of the Law of Attraction called “The Secret“. This is not some new theory that’s just evolved. Here’s some free resources you can read / listen to. [...]
23. Monday Musings: What Do You Think About The Law of Attraction? - Spirituality Applied to Life - Balanced Life Center Says:
April 1st, 2007 at 5:39 pm

[...] Ever since Steve Pavlina wrote about the Law of Attraction almost a year ago now, I’ve had mixed feelings about the cat getting out of the bag. You see, I was taught the Law of Attraction (thoughts held in mind produce after their kind) growing up. When I saw that post I was exuberant that someone else, not from my family or church (a normal person), got wind of it and was telling the world about it. So, as news of the Secret spread on the Internet, and now in the real world through Larry King and Oprah, I’ve reserved judgement about the presentation. Until now… [...]
24. 28 Links that Will Change Your Life « The Optimized Life Says:
April 8th, 2007 at 8:18 am

[...] The Law of Attraction [...]
25. I Think, Therefor I Am | Mrs. Sparrow Says:
May 22nd, 2007 at 6:23 pm

[...] Steve Pavlina has an article called The Law of Attraction. [...]
26. Negative Blogging & You « J.T’s Official Blog Says:
May 31st, 2007 at 10:02 am

[...] See, it all has to do with What’s known as The Law of Attraction. The Law of Attraction, according to Personal Development Blogger Steve Pavlina, is the idea that ”you attract into your life whatever you think about.” This is a concept that Numerous People have blogged about, but few really understand how it applies to you. [...]
27. The Crazy Cat Woman » Blog Archive » A Little Weird and I Says:
June 18th, 2007 at 5:38 am

[...] The writer of “A Little Weird” and I have both been working with the law of attraction and the lottery. Were both experiencing the same frustrations which I find very interesting. Neither one of us really won that much in the lottery when we played before we discovered and began to consciously work with the law of attraction. He and i both noticed that after we started to work with it we started winning small amounts in the lottery every time we played. Every single time bear and i buy tickets we win at least 2 dollars. Bear has better luck on scratchers. He will buy a 1 dollar one and win 2 dollars. He will use that 2 dollar won and buy another one and win 5 dollars. Then use that money to buy another one and win more money. He can stand there and do this 5 or 10 times before he finally gets a loosing one and stops. And this is not a one time incident either, this sort of thing happens a lot. There have been times when we have a few of the numbers on the same row and all of the other numbers will be off by 1 digit. Those are really frustrating. [...]
28. The Law of Attraction | Fearless Advisor Says:
July 3rd, 2007 at 4:04 pm

[...] Let’s face it, I could use ‘God’s Will’ as an excuse for any action, or an indictment against God for not stopping terrible things from happening. Steve Pavlina discusses some of the contradictions that can occur when the Law of Attraction is applied to objective reality and the same is true for God’s Will. Things like conflicting intentions, abuse, and relational issues where outcomes depend on the actions of others become an issue. We need to be capable of making sense of reality without compromising our faith. This can be a stumbling block for some people. [...]
29. Is The Law Of Attraction True? | Zale Tabakman Says:
September 6th, 2007 at 2:15 pm

[...] A criticism was mentioned by Steve Pavlin (who is a fellow believer) says: If a child is abused, does that mean the child intended it in some way? [...]
30. No Such Thing as Competition Says:
October 15th, 2007 at 5:47 am

[...] In his blog, Steve Pavlina makes a very interesting point: [...]
31. Applying Appreciative Inquiry to Your Life for Positive Self-Improvement | Think Hacks Says:
October 15th, 2007 at 8:21 pm

[...] The way you see the world matters. Some people would go even further and say we create the world as we see it. If you look at a situation as a bunch of problems to be solved, that’s what you’ll see — problems. But if you start to see the good in that situation, if you start to see what’s great about it, and what good things that situation brings about, what do you see? You see opportunities. No matter how bad a situation is, there is something positive. Even the most impoverished, violent, drug-ridden housing project has something good in it. Maybe it’s generosity. Maybe it’s great, loving children. Maybe the drug dealers are great business men. Start looking for it and you will find it. [...]
32. Re: The SecretLifeReboot.com Says:
October 18th, 2007 at 5:37 pm

[...] I was immediately reminded of Steve Pavlina, who has written many articles about The Law of Attraction and Intention Manifestation. Although I’m vaguely familiar with the concepts, I haven’t invested much of my personal beliefs in them because I find them difficult to swallow. [...]
33. The Strangest Thing I Have Ever Manifested with the Law Of Attraction | Create Business Growth Offers... Says:
October 31st, 2007 at 12:14 pm

[...] A lot of people are talking about the law of attraction now that the book The Secret has become such a big success. Do you believe in the law of attraction? Some people live by this law, others think its BS. [...]
34. Ramblin’ From The Rambler. « Ramblin’s Says:
November 25th, 2007 at 6:13 am

[...] Because of the infallibility of the ‘Law of Attraction’, sure enough, my life deteriorated, year by year. What was the breakthrough? (watch the slideshow for where my life is now, and then read the rest of the article underneath) [...]
35. Skills + Performance = Opportunities: Opportunities | Cube Rules Says:
December 19th, 2007 at 11:42 am

[...] Opportunities follow a little “attraction theory” in that if you start looking for them, they will show up. Know yourself and your capabilities and start pursuing the ones that make sense to you. [...]
36. The Law of Attraction (Or Why I'm Kid Mercury) - Kid Mercury's Blog Says:
May 22nd, 2008 at 6:11 pm

[...] if you think that, you’ll succumb to fear, and then you’ll be easy to control. Steve Pavlina has a great post about the Law of Attraction. You should check it out. You should check out Steve’s blog overall, it’s a good read. I’d also [...]
37. Awakening - A Journey of Destinations « This New Earth Says:
June 4th, 2008 at 4:47 pm

[...] If you have looked into self improvement or any of the various aspects of it, chances are the Law of Attraction might be coming to mind. If so, then yes, you’re right because I believe that is a big part [...]
38. TomHolowka.com » Blog Archive » The Law of Attraction is Real Says:
June 5th, 2008 at 4:50 pm

[...] Read about it here. [...]
39. The Joy of Solving Problems Says:
April 13th, 2009 at 2:00 am

[...] Given this mindset, you should do your best to prevent problems from arising whenever possible. If a problem occurs, it means something went wrong. It should have been anticipated and avoided. An unavoidable problem represents bad luck or a cruel twist of fate. Or perhaps it suggests you held the wrong thoughts and somehow attracted it via the Law of Attraction. [...]



Free Personal Development Insights Newsletter

Sign up for the FREE Personal Development Insights newsletter to achieve new breakthroughs in your habits, career, finances, relationships, health, and spiritual development. With tens of thousands of active subscribers, Personal Development Insights is one of the most popular self-improvement newsletters in the world.

Newsletters are sent about once a month, just enough to keep you in the loop but not enough to overwhelm you.

If you enjoy the free information available on this site, you're sure to appreciate the free newsletter as well. Sign up right here:
Name
Email

Note: You can easily unsubscribe at any time with no hassle -- just click the cancellation link at the bottom of any issue. Your email address will be kept confidential and won't be shared. If you use spam-blocker on your email account, be sure to add the email address pdinewsletter at stevepavlina.com to your whitelist, so the newsletter is allowed through.

* Man Transformation
* Subscribe