So how come I can store and retrieve data from it?
It does not support Transactions.
MySQL has supported transactions for something like 5 years now. Sure, early versions didn't support transactions.
It doesn't use normal syntax. Why? Because it's easy.
I've seen a lot of variation in SQL syntax between different vendors. MySQL is nothing unusual in this respect. What specific syntax variation is giving you trouble?
PHP has supported parameter substitution for years. Quit spreading this myth.
The problem is simply that none of the standard "how to program with PHP" introductory texts mention it, but jump straight into low-level MySQL-specific APIs that shouldn't ever be used directly, IMO.
How does not using GET stop anything, you can POST anything you want to a webserver just like you can GET anything you want from a webserver. Only using POST will make things a little harder, but it doesn't stop anything.
Only using POST can limit your exposure area. If a flaw exists in a script that is only accessible to logged-in users, then it cannot be attacked directly by script-kiddies at large. Somehow, they have to get a login to your system first. One possible method of exploitation is sending either a link or HTTP redirect to somebody who is logged in that will exploit the flaw. If you only allow POST variables, this vector won't work, and they'll have to rely on something more complex and less likely to succeed.
It's not great, but it is a useful part of a defense-in-depth strategy.
Look... *I* didn't know that VOD stood for Video on Demand, and I'm employed in professional IT and read slashdot daily. How come 25% of my countrymen know an acronym that I don't...?
You could easily do this yourself for any project you were considering using -- it's a simple application of find + grep. What google has added is the capability of running that search across *all* projects.
I started getting spam to the address I put in code I write back in '99 or thereabouts. These days, I get spam to addresses I've never published (and which don't seem to have been randomly guessed, either). My belief is that spammers are using malware to crawl through people's personal files for addresses to send to these days. So there's almost nothing you can do to stop them getting your address now.
Yes. If you do both at once, you're likely to have to hire new temporary staff to handle the upgrade, which is always very expensive. Do them one at a time and your existing staff should be able to handle the load.
The truth is, Microsoft has _always_ lied about amount of ram needed since win95 at least. Their definition of minimum amount of ram needed is "it boots but can't do anything else" kinda numbers.
I've run XP on lower-than-minimum RAM before now, and it works. As long as your applications are happy without taking huge amounts of RAM, you'll be fine. All of the standard ones worked fine, as long as you didn't open too many at once.
But then again, everyone here's talking about 256MB and saying this is the minimum spec according to MS: it isn't. The recommended minimum's 64MB. They're only recommending 256 for users with advanced requirements.
Everything I've read on the topic suggests that shared memory graphics will be perfectly adequate for vista. Dell's basic corporate stuff right now comes with a shared memory card capable of 224MB, which should be more than adequate to handle aero. Its pixel shaders run 1600M pixels per second, or enough to render 160 full-screen overlaid windows at a rather higher resolution than most corporations run their displays without dropping frames @50Hz. And I suspect vista is smart enough not to re-render windows that haven't changed.
Many of the corporations I have worked for were extraordinarily cheap, and while they might have an upgrade cycle, they would usually buy the bare minimum machine.
That ties up with my experience too, although clearly not those of some other posters here who felt that most corps would be spending about $1500 per desktop. Whatever, though, the cheapest Optiplex Dell sell right now is adequate to handle Vista + Aero, so I don't see the problem.
Look at a decent (i.e., will be useful in 3 years) Opteron or Latitude right now.
I see one for £400 (about $750, I think). Of course it depends on what you want to be doing with your computers in 3 years time: for *many* businesses, the answer is "pretty much the same thing we're doing now: word processing, running the payroll, e-mail and occasional web browsing". You don't need anything fancy for that.
It also has "soon you won't be able to buy or get support for previous versions anymore" going for it. Apart from that... meh.
The former won't bother corporates, of course, because volume licensing for windows comes with downgrade rights.
So what else besides a shiny new look for the endless parade of "Are you sure you want to run this program?" dialogs does Vista have to offer the corporate user?
The new & improved support for image installation is probably a key point. More detailed security policy settings could also be handy.
corporate workstations generally skip out on the video processor and memory.
While that's true to an extent, it doesn't mean that cheap, current-generation corporate desktop machines won't be good enough to run vista. For instance, the Dell Optiplex GX520 has in Intel GMA950, which supports 224MB of shared memory (more than enough for Vista) and a 400 MHz x 4 pixel-per-clock fully programmable pipeline (pixel shader v3.0, not the v2.0 that Aero requires).
Also, even Microsoft is only claiming 128MB is good enough on a single monitor at up to 1600x1200. Have dual monitors, widescreen, or a really nice display, and you'll need a better video card. Not to play games, just to run the OS.
1. I've never seen a corporate desktop running greater than 1600x1200. Most seem to be on 1280x1024 at the moment.
2. According to MS's claims, 1280x1024 requires 64MB. 128MB, per MS's figures, is enough to run several standard widescreen resolutions; 1920x1200 is the highest such resolution. If you want to run dual screen, you'll need to switch down to 1280 x 900 or lower. Or use all of the 224MB that's available to that graphics card: MS doesn't quote an available resolution for that much memory, but projecting the trend from 64 to 128 you'd get about 3.3 megapixels. Running two 1600x1200 monitors would be pushing it, but twin 1280x1024 displays would be well within bounds.
A twin 1280x1024 display is the most advanced display setup I've ever seen in a corporate setting, BTW, and I've seen quite a few. And that was a programmer's system, so probably not very representative.
During his talk he mentioned a topic that hasn't really been jumped all over by a lot of people since then: signing kernel modules. If nothing else illustrates that it's a good idea, I hope this does.
How would that work? Presumably the private key would need to be stored in the/usr/src/linux-x.x.x dir somewhere, so why couldn't the rootkit installer just fish it out of there and sign their own module...?
It seems to me that having root access != having easy backdoor access to exes.
For instance, if I can load a wrapper around your financial program, without modifying your financial program (So AIDE would find it), I could more easily grab your data.
Yes, but there are already so many ways that modification could be made:
* Modify libc.so to perform the task you want (applicable to all modern unix systems) * Modify ld-linux.so or equivalent to perform the task you want (applicable to all ELF-based systems) * Modify the system config to automatically load an additional shared library to perform the task you want * Modify the user's config to automatically load an additional shared library to perform the task you want * Add a module to the kernel that intercepts the system calls the program wants and performs the task you want * Add a module to the kernel that allows an additional process to snoop on the program's memory and perform the task you want etc.
There are plenty of ways of using the operating system's features to do just about anything you want to, even to other programs. This is intentional. It allows flexibility. There is a reason why new binfmt handlers are added to the front of the list, rather than the back, and that is to allow a new handler to override specific cases that would usually be handled by an old one. You add generic handlers first (typically just the ELF loader these days) and then specific ones afterwards (perhaps a handler for broken ELF files produced by a strange compiler). You don't want to have to load the specific ones first, because specific stuff is less likely to be actually needed, so you really want it to be a module.
that is more due to limitations on NTFS and FAT* than self protection
unix filesystems can delete an in-use file and only physically remove it when it is no longer in use, windows cannot do that. hence having to reboot for so many updates and some configuration changes (such as changing host name)
Windows has been capable of deleting in-use files for the last 5 years (i.e., since XP was launched). Applications, however, are able to prevent open files from being deleted by specifying appropriate locking flags when they open them. See CreateFile and search for FILE_SHARE_DELETE.
Space burials (presumably of cremated remains). At $200 each (plus cremation) I am sure they could sell a few thousand of these per year.
If USAF (as proposed owners of this facility) have any sense at all (which I'll grant is a dubious assertion) they won't be doing this. The last thing we want to put in orbit is a few tens of thousands of small, densely packed projectiles that serve no useful purpose. It'd be a nightmare to track them all.
Of course, the real purpose behind such a launcher is to place the raw materials into space that could be used by a later manned mission. Note that Gerard K. O'Neills groundbreaking study of the economical feasibility of orbital habitats was based on an assumed launch cost of $200/kg.
"Every little helps" is Tesco's current marketing slogan, and is intended to mean something along the lines of "the small amounts of money you save buy buying stuff from us helps you live a happier life". Without being quite so blatant.
For login scripts:
"' or 1=1 --" -- can force a login to succeed in some systems
"' or password='' --" -- works on some systems where that doesn't
For data retrieval scripts:
"' or 1=1 --" -- retrieve all data from the database, not just the record asked for; this is a useful one.
For data update scripts:
"' or 1=1 --" -- update all records in the database, not just the one that's identified
There are many other variations on these.
Yes, not allowing multiple statements mitigates the vulnerability a little. But not a lot.
Perhaps you're trolling, but...
MySQL is not a database.
So how come I can store and retrieve data from it?
It does not support Transactions.
MySQL has supported transactions for something like 5 years now. Sure, early versions didn't support transactions.
It doesn't use normal syntax. Why? Because it's easy.
I've seen a lot of variation in SQL syntax between different vendors. MySQL is nothing unusual in this respect. What specific syntax variation is giving you trouble?
You should probably be using this API, particularly the prepare statement/execute functions of it.
PHP has supported parameter substitution for years. Quit spreading this myth.
The problem is simply that none of the standard "how to program with PHP" introductory texts mention it, but jump straight into low-level MySQL-specific APIs that shouldn't ever be used directly, IMO.
How does not using GET stop anything, you can POST anything you want to a webserver just like you can GET anything you want from a webserver. Only using POST will make things a little harder, but it doesn't stop anything.
Only using POST can limit your exposure area. If a flaw exists in a script that is only accessible to logged-in users, then it cannot be attacked directly by script-kiddies at large. Somehow, they have to get a login to your system first. One possible method of exploitation is sending either a link or HTTP redirect to somebody who is logged in that will exploit the flaw. If you only allow POST variables, this vector won't work, and they'll have to rely on something more complex and less likely to succeed.
It's not great, but it is a useful part of a defense-in-depth strategy.
Look... *I* didn't know that VOD stood for Video on Demand, and I'm employed in professional IT and read slashdot daily. How come 25% of my countrymen know an acronym that I don't...?
You could easily do this yourself for any project you were considering using -- it's a simple application of find + grep. What google has added is the capability of running that search across *all* projects.
Strange. The first thing I thought of was this one.
I started getting spam to the address I put in code I write back in '99 or thereabouts. These days, I get spam to addresses I've never published (and which don't seem to have been randomly guessed, either). My belief is that spammers are using malware to crawl through people's personal files for addresses to send to these days. So there's almost nothing you can do to stop them getting your address now.
Yes. If you do both at once, you're likely to have to hire new temporary staff to handle the upgrade, which is always very expensive. Do them one at a time and your existing staff should be able to handle the load.
Actually, that GUI is a GPU hog.
They surely are in the UK...
You would only buy a microwave oven (excluding VAT) with your $400 over here...
Try these out.
TFA said $1500-2000 on the box. The rest was on top of that.
The truth is, Microsoft has _always_ lied about amount of ram needed since win95 at least. Their definition of minimum amount of ram needed is "it boots but can't do anything else" kinda numbers.
I've run XP on lower-than-minimum RAM before now, and it works. As long as your applications are happy without taking huge amounts of RAM, you'll be fine. All of the standard ones worked fine, as long as you didn't open too many at once.
But then again, everyone here's talking about 256MB and saying this is the minimum spec according to MS: it isn't. The recommended minimum's 64MB. They're only recommending 256 for users with advanced requirements.
Everything I've read on the topic suggests that shared memory graphics will be perfectly adequate for vista. Dell's basic corporate stuff right now comes with a shared memory card capable of 224MB, which should be more than adequate to handle aero. Its pixel shaders run 1600M pixels per second, or enough to render 160 full-screen overlaid windows at a rather higher resolution than most corporations run their displays without dropping frames @50Hz. And I suspect vista is smart enough not to re-render windows that haven't changed.
Many of the corporations I have worked for were extraordinarily cheap, and while they might have an upgrade cycle, they would usually buy the bare minimum machine.
That ties up with my experience too, although clearly not those of some other posters here who felt that most corps would be spending about $1500 per desktop. Whatever, though, the cheapest Optiplex Dell sell right now is adequate to handle Vista + Aero, so I don't see the problem.
Look at a decent (i.e., will be useful in 3 years) Opteron or Latitude right now.
I see one for £400 (about $750, I think). Of course it depends on what you want to be doing with your computers in 3 years time: for *many* businesses, the answer is "pretty much the same thing we're doing now: word processing, running the payroll, e-mail and occasional web browsing". You don't need anything fancy for that.
It also has "soon you won't be able to buy or get support for previous versions anymore" going for it. Apart from that... meh.
The former won't bother corporates, of course, because volume licensing for windows comes with downgrade rights.
So what else besides a shiny new look for the endless parade of "Are you sure you want to run this program?" dialogs does Vista have to offer the corporate user?
The new & improved support for image installation is probably a key point. More detailed security policy settings could also be handy.
corporate workstations generally skip out on the video processor and memory.
While that's true to an extent, it doesn't mean that cheap, current-generation corporate desktop machines won't be good enough to run vista. For instance, the Dell Optiplex GX520 has in Intel GMA950, which supports 224MB of shared memory (more than enough for Vista) and a 400 MHz x 4 pixel-per-clock fully programmable pipeline (pixel shader v3.0, not the v2.0 that Aero requires).
Also, even Microsoft is only claiming 128MB is good enough on a single monitor at up to 1600x1200. Have dual monitors, widescreen, or a really nice display, and you'll need a better video card. Not to play games, just to run the OS.
1. I've never seen a corporate desktop running greater than 1600x1200. Most seem to be on 1280x1024 at the moment.
2. According to MS's claims, 1280x1024 requires 64MB. 128MB, per MS's figures, is enough to run several standard widescreen resolutions; 1920x1200 is the highest such resolution. If you want to run dual screen, you'll need to switch down to 1280 x 900 or lower. Or use all of the 224MB that's available to that graphics card: MS doesn't quote an available resolution for that much memory, but projecting the trend from 64 to 128 you'd get about 3.3 megapixels. Running two 1600x1200 monitors would be pushing it, but twin 1280x1024 displays would be well within bounds.
A twin 1280x1024 display is the most advanced display setup I've ever seen in a corporate setting, BTW, and I've seen quite a few. And that was a programmer's system, so probably not very representative.
As long as I can have lots of big ships stocked to the gills with x2 missile launchers, I don't care.
This is somewhat similar to POSIX capabilities.
During his talk he mentioned a topic that hasn't really been jumped all over by a lot of people since then: signing kernel modules. If nothing else illustrates that
/usr/src/linux-x.x.x dir somewhere, so why couldn't the rootkit installer just fish it out of there and sign their own module...?
it's a good idea, I hope this does.
How would that work? Presumably the private key would need to be stored in the
It seems to me that having root access != having easy backdoor access to exes.
For instance, if I can load a wrapper around your financial program, without modifying your financial program (So AIDE would find it), I could more easily grab your data.
Yes, but there are already so many ways that modification could be made:
* Modify libc.so to perform the task you want (applicable to all modern unix systems)
* Modify ld-linux.so or equivalent to perform the task you want (applicable to all ELF-based systems)
* Modify the system config to automatically load an additional shared library to perform the task you want
* Modify the user's config to automatically load an additional shared library to perform the task you want
* Add a module to the kernel that intercepts the system calls the program wants and performs the task you want
* Add a module to the kernel that allows an additional process to snoop on the program's memory and perform the task you want
etc.
There are plenty of ways of using the operating system's features to do just about anything you want to, even to other programs. This is intentional. It allows flexibility. There is a reason why new binfmt handlers are added to the front of the list, rather than the back, and that is to allow a new handler to override specific cases that would usually be handled by an old one. You add generic handlers first (typically just the ELF loader these days) and then specific ones afterwards (perhaps a handler for broken ELF files produced by a strange compiler). You don't want to have to load the specific ones first, because specific stuff is less likely to be actually needed, so you really want it to be a module.
that is more due to limitations on NTFS and FAT* than self protection
unix filesystems can delete an in-use file and only physically remove it when it is no longer in use, windows cannot do that. hence having to reboot for so many updates and some configuration changes (such as changing host name)
Windows has been capable of deleting in-use files for the last 5 years (i.e., since XP was launched). Applications, however, are able to prevent open files from being deleted by specifying appropriate locking flags when they open them. See CreateFile and search for FILE_SHARE_DELETE.
Space burials (presumably of cremated remains). At $200 each (plus cremation) I am sure they could sell a few thousand of these per year.
If USAF (as proposed owners of this facility) have any sense at all (which I'll grant is a dubious assertion) they won't be doing this. The last thing we want to put in orbit is a few tens of thousands of small, densely packed projectiles that serve no useful purpose. It'd be a nightmare to track them all.
Of course, the real purpose behind such a launcher is to place the raw materials into space that could be used by a later manned mission. Note that Gerard K. O'Neills groundbreaking study of the economical feasibility of orbital habitats was based on an assumed launch cost of $200/kg.
"Every little helps" is Tesco's current marketing slogan, and is intended to mean something along the lines of "the small amounts of money you save buy buying stuff from us helps you live a happier life". Without being quite so blatant.