Slashdot Mirror


User: amicusNYCL

amicusNYCL's activity in the archive.

Stories: 0 · Comments: 6,246

Comments · 6,246

  1. Re:Hindsight... on Adobe: Click-to-Play Would Have Avoided Flood of Java Zero-days · · Score: 1
  2. Re:Heh on Drupal Fixes Highly Critical SQL Injection Flaw · · Score: 5, Informative

    It looks like a feature where you could supply one placeholder in a prepared statement, but give it an array of values, and it would expand the placeholders to fit the array. So if the query was like this:

    SELECT * FROM table WHERE id IN (:idlist)

    and you passed an array with 3 values for idlist, it would replace the query like this:

    SELECT * FROM table WHERE id IN (:idlist_1, :idlist_2, :idlist_3)

    ... then use the values in the array as the three values for those placeholders. It looks like the old code was using the keys from the data array, so instead of appending something like "_1", it would append the actual key. So an attacker could put SQL code into the array keys and it would stick those (unchanged) into the query.

    Here is the old code (without comments):

    foreach (array_filter($args, 'is_array') as $key => $data) {
        $new_keys = array();
        foreach ($data as $i => $value) {
            $new_keys[$key . '_' . $i] = $value;
        }
        $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
    }

    And the new code:

    foreach (array_filter($args, 'is_array') as $key => $data) {
        $new_keys = array();
        foreach (array_values($data) as $i => $value) {
            $new_keys[$key . '_' . $i] = $value;
        }
        $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
    }

    array_values will return an array with numeric indexes, which is what removes the vulnerability.
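    The expansion step described in this comment, as an added stand-alone example (not Drupal's code and not from the comment above): a hypothetical helper expandIn() runs the old and the fixed loop over constructed input so the effect of array_values() on the generated placeholder list can be seen directly.

```php
<?php
// Added example: minimal reimplementation of the placeholder-expansion
// step discussed above. expandIn() is a hypothetical helper name; the
// $fixed flag selects the old loop (iterate $data directly) or the
// corrected loop (iterate array_values($data)).
function expandIn(string $query, array $args, bool $fixed): array {
    $bound = [];
    foreach (array_filter($args, 'is_array') as $key => $data) {
        $newKeys = [];
        // Old code: $i is whatever key the caller put in the array.
        // Fixed code: $i is 0, 1, 2, ... regardless of the caller's keys.
        $items = $fixed ? array_values($data) : $data;
        foreach ($items as $i => $value) {
            $newKeys[$key . '_' . $i] = $value;
        }
        // Replace the single placeholder with the expanded placeholder list.
        $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($newKeys)), $query);
        $bound += $newKeys;
    }
    return [$query, $bound];
}

// Constructed sample query and arguments.
$query = 'SELECT * FROM users WHERE uid IN (:ids)';

// Well-behaved caller: a plain list, so both variants expand identically.
[$q1, $b1] = expandIn($query, [':ids' => [4, 8, 15]], false);
[$q2, $b2] = expandIn($query, [':ids' => [4, 8, 15]], true);
echo $q1, "\n", $q2, "\n";

// Caller-controlled string keys: with the old loop the key text itself
// becomes part of the placeholder names spliced into the SQL; with the
// fixed loop the keys are discarded and only numeric suffixes appear.
$keyed = [':ids' => ['foo' => 4, 'bar' => 8]];
[$q3, $b3] = expandIn($query, $keyed, false);
[$q4, $b4] = expandIn($query, $keyed, true);
echo $q3, "\n", $q4, "\n";
```

    Comparing $q3 with $q4 shows why the keys, not the values, were the problem: the values are still bound as parameters in both cases, but only the fixed loop keeps caller-supplied text out of the query string.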

  3. Re:Is Drupal 6.x Affected? on Drupal Fixes Highly Critical SQL Injection Flaw · · Score: 2

    Considering that the API is to help protect against SQL injection though, it's probably fair to say that version 6 is affected by other issues.

  4. Re:It must be running out of fuel on Secretive X-37B Military Space Plane Could Land On Tuesday · · Score: 1

    I don't see any claim that they "need" to bring it back, just that they "are" bringing it back. Considering that its stated mission is to test various technologies, maybe they want to change the payload out. Maybe the mission ended. Apparently the other two missions did not end because of a lack of fuel.

  5. Re:that's not a lot... on Snapchat Says Users Were Victimized By Their Use of Third-Party Apps · · Score: 2

    It's around 200,000 pictures, actually. No need to figure out how many pictures are in 13GB when they say, right there, how many pictures there are.

  6. Re:when the president does it on Ross Ulbricht's Lawyer Says FBI's Hack of Silk Road Was "Criminal" · · Score: 2, Insightful

    Today on Slashdot I learned that the only purpose of the constitution is to allow sex slaves in South Carolina and make it possible to steal Ohio from the Indians.

    Thanks for that valuable analysis. No, no, don't bother with any citations, they aren't even remotely necessary. I'll just assume that Article V is all about sex slaves in South Carolina. Or the Ohio thing, whatever. I'm sure it's one of the two, anyway. I'll teach this to any child I can find. Now, if you'll excuse me, I need to go educate Facebook.

  7. Re:Oh hey, consumers! on Belkin Router Owners Suffering Massive Outages · · Score: 1

    If I was bored, and wanted to do something for teh lulz, I would organize an ongoing campaign to run a DDoS against heartbeat.belkin.com. If I was that type of person, anyway.

  8. Re:Mod parent up. on Belkin Router Owners Suffering Massive Outages · · Score: 1

    I don't know how much traffic Microsoft really sees (I assume it's quite a bit), or BofA would put out (probably a fair bit as well), but if I was running a network and saw a range of IPs pinging me all day every day I would be pretty hard pressed to not block them. I mean, why is Microsoft paying for BofA's internet connectivity testing?

  9. Re:Systemd on Lennart Poettering: Open Source Community "Quite a Sick Place To Be In" · · Score: 1

    No one has been able to come up with a solution to have it create text logs?

  10. Re:Systemd on Lennart Poettering: Open Source Community "Quite a Sick Place To Be In" · · Score: 3, Interesting

    I'm missing part (ok, the vast majority) of this story, but if his software is such shit, then why are so many distros, who presumably enjoy when their operating systems run correctly, using his software? Is there actually a consensus on his software being shit, and if so, why do people use it? If not, why do people act like it's a foregone conclusion that his software is shit? To an outside observer this kind of looks like a shouting match amongst a huge group of egotistical assholes.

  11. Re:that's racist! on Senators Threaten To Rescind NFL Antitrust Exemption · · Score: 1

    There are over 1000 teams named after natives, in the hs - college- majors.

    The vast majority of those names are descriptive though, not offensive. For example, Seminoles - (anglicized) name of a tribe; Blackhawks - name of a chief; Indians, Braves, Chiefs - just describing an entire group or class (although "Indian" is a pretty stupid way to refer to them). A lot of high school or college teams use the names of tribes from the area (Chippewas, Choctaws, Apaches, Cherokees, Mohawks, etc). I don't think any of those are offensive. "Redskins" is completely different. If you think that term is not offensive, walk into a meeting of the National Congress of Native Americans and say "hey, how are you all you redskins doing today?" See how they react. It doesn't really matter if *you* find the name offensive or not. I wouldn't be offended if someone called me a redskin either, I would just sort of look at them kind of funny. It's clearly offensive to a large group of people, and they should change the name. Most colleges and high schools I think are fine using tribal names for their schools.

    Although, maybe the Agawam High School Brownies might consider a name change. And the Aniak High School Halfbreeds might think about it also.

  12. Re:Women in the drivers seat`? on Online Creeps Inspire a Dating App That Hides Women's Pictures · · Score: 1

    I dated a girl for 6 years who I met while playing Doom and Descent on a BBS. Pretty cool story, I know.

  13. Re:How about... on Online Creeps Inspire a Dating App That Hides Women's Pictures · · Score: 1

    Gender equality means gender equality.

    What exactly does gender equality have to do with dating? There is nothing remotely equal about the experiences of single men and women. Look at some of the statistics in the article - on one site the most attractive woman got 17 times as many messages as the most attractive man. There is nothing equal about the way that men and women approach each other when dating and, frankly, most women will not pay to date. They don't have to. OKCupid may send you an email saying that you are in the top 10% of attractive people on the site. If you're a man, this means that your picture is shown to more attractive people, and also that you'll see more attractive people. If you're a woman, you get those same perks plus you also are automatically on the "A-list", which gives you more searching options, lets you browse profiles undetected, and other things. Men have to pay for the A-list, attractive women do not, because the site knows that many men will pay for better access. This is the exact same idea behind "ladies' night" at a bar or nightclub. If the women are there (and they are more likely to be there if it's free), then the men will follow (and pay).

    There is nothing equal about dating. The business model described above could definitely work, and in fact the women who use it would probably be thankful for the lack of crap messages that they get. Meet some women on dating sites and take them out some time, ask them about the messages they receive. Ask them about the number of messages and the content. Ask them to send you a few examples of what they get. It is nothing like the messages that men get from women. Any woman who has sent me a message has just asked a casual question (what's my favorite band, movie, etc), asked about something in my profile, went for light humor, etc, and they've done it with good grammar and spelling. Ask some girls to send you examples of some of the messages they receive and feel free to compare and contrast. Come back and tell everyone how equal it is out there.

    Personally, I would be fine with something similar to the above (although seeing a person's message history to everyone would not be a feature I would add). I would feel confident that I could use that site, send the messages I want to send, that they would get delivered, and that women could look at my message acceptance levels and figure out that I'm a respectful person. If that makes it harder for the guys sending messages about tits and ass using some misspelled version of txt-speak, good.

  14. Re:Fristy Pawst! on Ebola Has Made It To the United States · · Score: 4, Funny

    That it's not a 'dark, dismal world', that it's a ''what you make of it'' world, depending on your attitude towards it.

    The important question we need to ask is if we want to live in a world of single quotes or double quotes.

  15. Re:Fristy Pawst! on Ebola Has Made It To the United States · · Score: 1

    Science is cool and all, it has many answers, though not all of them, imo.

    That's one of the best things about science, though. Not only does it not have all of the answers (in fact, not even a very small percentage of them), but this fact is ingrained into the entire scientific process with the knowledge that if we try hard enough, we can find the answers.

  16. Re:Fristy Pawst! on Ebola Has Made It To the United States · · Score: 2

    Why SHOULDN'T first world countries get to share the misery of their less fortunate brethren, anyway?

    For one, because first world countries tend not to have mobs go after health workers and scientists based on belief in things like witchcraft and sorcery, and they also tend not to break people out of isolation in a hospital when the person has a deadly contagious disease. Sometimes a little epidemic is just what you need to get the population on board with modern medicine.

  17. Re:Why? on Grooveshark Found Guilty of Massive Copyright Infringement · · Score: 1

    The concept was a good one, but the major thing that kept bugging me was that I would log in after several weeks or months and my playlists kept shrinking. I don't even know which songs it was removing, but in a lot of cases it would remove some songs by an artist and leave others by the same one (or even the same album).

  18. Re:MDMA Demand on Analyzing Silk Road 2.0 · · Score: 1

    It seems that this is pretty good proof that there is a demand for reputable MDMA.

    The SR vendor you're looking for is Geoffrey Giraffe.

    If the dosage was known steps could be taken to provide the most fun for the least amount of harm (it sure as hell isn't harmless).

    The therapeutic dose is 125mg, with an optional 62.5mg an hour or so in. Note that the additional dose doesn't typically cause any increase in intensity, it just makes it last a little longer. The first dose usually determines the intensity.

  19. Re:Dollars mean nothing on Analyzing Silk Road 2.0 · · Score: 1

    I had orthopedic surgery last winter and I was paying like $13 for forty 5 mg oxycodone pills.

    That's not the same as saying that 40 5mg pills cost $13 though, that's just the cost to you. The manufacturer's price is higher, and they're getting paid by your insurance company. Sadly, I haven't found any insurance company that will go in with me on Silk Road purchases.

  20. Re:Average price? on Analyzing Silk Road 2.0 · · Score: 1

    236 dollars buys you what?

    Around 3 to 3.5 grams of MDMA crystals/powder. The therapeutic dosage of MDMA is 125mg.

  21. Re:what a difference a day makes on Nearly 2,000 Chicago Flights Canceled After Worker Sets Fire At Radar Center · · Score: 4, Insightful

    Police said the man is a contractor, not an air traffic controller or FAA manager.

    Reading is hard.

  22. Re:Taxing the Congested Skies on Nearly 2,000 Chicago Flights Canceled After Worker Sets Fire At Radar Center · · Score: 4, Informative

    Your solution is "don't travel so much?" With all due respect, go fuck yourself. We already pay fees on airline tickets to pay for things like this. If the system cannot handle the current load, then the system needs to be upgraded.

  23. Re:It's been in bash a while. on Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild · · Score: 4, Informative

    I may be naive, but it's difficult for me to believe that someone thought up the attack vector from just thinking about shells in general.

    It's not that hard to believe, maybe someone was designing some piece of software where they wanted to use functionality like that. They wanted to have the browser end up defining a function in bash, and then run some additional code, and did some tests to see if it would work. They found that not only will it work, but it will work a whole lot better than they thought it would. At that point, time to tell someone.

  24. Re:How is that supposed to work? on The Site That Teaches You To Code Well Enough To Get a Job · · Score: 5, Insightful

    Who is giving away their time to code review the work of thousands of neophyte programmers?

    Probably exactly the same kind of people who answer questions on Stack Overflow or any of the other multitude of programming fora. Believe it or not, but some people like to help just because they enjoy it. I do it because answering random questions can be a nice break in the middle of work and it keeps me thinking about programming (especially problems that I wouldn't encounter in my normal work flow). It helps keep me sharp instead of only ever thinking about what I'm working on.

  25. Re:Yep, ready for a job in coding on The Site That Teaches You To Code Well Enough To Get a Job · · Score: 4, Insightful

    I like this quote:

    "It's remarkable to me that people have figured out how to use it."

    That is a truly self-aware software developer saying that. Sometimes I feel the same way, I'll design something that will work really well, but once I put it in front of people I realize it doesn't make a lot of sense. But still, there are people who can dive in and pick it up from the start. It's remarkable to me as well when people can figure out how to use my software.