Where is this linux based piano then?
Sam
Do you know why you think RPMs are a bad idea,
or rather
do you know what makes Debian's apt-get better than RPM?
As a heavy RPM user I somehow have the opposite opinion and find the apt tools very lacking;
Let's swap knowledge and educate each other:
rpm -qf /some/file/somewhere
tells me which package an installed file belongs to, very useful.
What can apt-get do?
What does it mean for Office XP?
When agencies would rather use something comparable to Office 97?
Sam
You are right.
This would lead to digital-signature forest information overload.
Ed Gerck had some good websites on the nature of trust, they still seem to be up: http://www.mcg.org.br/
I recommend anyone to read some of the essays there to discover trust and why its management generally can't be delegated to a machine with a picture of a rosette if it is to mean anything useful.
Sam
Don't be certain that digital signing is such a cure.
The person operating the non-networked signing machine still needs to be sure that what-it-is-that-they-are-signing is what-it-is-supposed-to-be.
Now how does digital signing on a non-connected machine help you know the source wasn't tampered with?
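The point of the post above, as an added example that is not the poster's code: a signature only attests to the bytes the signing machine was shown, so an artifact tampered with before it reached the offline station still verifies perfectly. The block is Python standard library only; it stands in a keyed HMAC for the real asymmetric signature, and the key, the artifact and the "tampering" are all constructed for the example.

```python
"""What a signature does and does not tell you (added example).

A real signing station would use an asymmetric key; here the 'signature'
is an HMAC over the bytes with a key constructed for the example. The point
holds for either: a signature proves only that the station saw exactly
these bytes, not that these bytes are the ones that should have been signed.
"""
import hashlib
import hmac

# Constructed: the station's secret, and a genuine vs a tampered artifact.
# The tampering stands for anything that happened before the media reached
# the offline machine.
STATION_KEY = b"example-offline-station-key"
GENUINE = b"#!/bin/sh\necho installing widget 1.0\n"
TAMPERED = GENUINE + b"echo extra line slipped in before signing\n"


def sign(artifact: bytes) -> str:
    """Stand-in for the station's signing operation."""
    return hmac.new(STATION_KEY, artifact, hashlib.sha256).hexdigest()


def verify(artifact: bytes, signature: str) -> bool:
    """What the downstream user checks."""
    return hmac.compare_digest(sign(artifact), signature)


def genuine_digest() -> str:
    """The digest the operator obtains out of band (build log, phone call),
    independently of the media that carried the artifact."""
    return hashlib.sha256(GENUINE).hexdigest()


def naive_station(artifact: bytes) -> str:
    """Signs whatever arrived on the media. Being offline protects the key,
    not the input."""
    return sign(artifact)


def checking_station(artifact: bytes, expected_sha256: str) -> str:
    """Signs only if the artifact matches the independently obtained digest:
    the operator's way of knowing that what-they-are-signing is
    what-it-is-supposed-to-be."""
    actual = hashlib.sha256(artifact).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256):
        raise ValueError("artifact digest mismatch; refusing to sign")
    return sign(artifact)


def tampered_passes_naive() -> bool:
    """The user's verification succeeds on the tampered artifact."""
    return verify(TAMPERED, naive_station(TAMPERED))


def tampered_passes_checking() -> bool:
    """The checking station refuses, so there is no signature to verify."""
    try:
        sig = checking_station(TAMPERED, genuine_digest())
    except ValueError:
        return False
    return verify(TAMPERED, sig)


if __name__ == "__main__":
    print("naive station, tampered artifact verifies:", tampered_passes_naive())
    print("checking station, tampered artifact verifies:", tampered_passes_checking())
```

The check the station does is the interesting part: the expected digest has to arrive by a path the attacker who could alter the media cannot also alter, otherwise the comparison proves nothing more than the naive version.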
Probably because debian takes the GPL and licensing issues seriously from the start.
Debian also manages package dependency hell a bit better AFAICT.
I recommended debian for a large project for this reason, though I did later curse it soundly for my personal installation.
Maybe when sarge installer is working a bit better I'll try it again.
Delphi is much more than a wrapper, and this is GOOD news in any case.
I much prefer delphi's wrapper to windows' API.
It's so much easier to do an OnKeyPress, =#13 than it is to look for WM_whatever on the right dlgitem in the dlgproc.
I think so anyway, and if wrapping .net means it is still Delphi, all the better.
As for wxWindows I am very pleased.
Well done Borland.
Thats my point.
Some folk have seen a form of str_replace that supposedly gave some form of protection against some kind of XSS and then invoke it in all kinds of unsuitable situations expecting to get the benefits.
The poster said all user input should be parsed with str_replace and striptags - true enough, but the protection is knowing and parsing for the right things, not what you use to parse it.
You're not "OK" because you use str_replace, only if you use str_replace in a way that protects you.
Why don't you use escapeHTML() on the data that you take out of the database to display, or do you really want a database full of HTML that makes it harder to search and match on or use for anything else apart from a web page?
Sam
But its also possible to use str_replace and striptags in ways that DON'T protect from malformed user input and how are you to know the difference?
Cavalier input processing is another curse of the internet, like email validators that think a-z0-9. are all the characters allowed in an email address, or that complain because my phone number doesn't have any ( ) or has too many characters.
Joe Bloggs
is a valid RFC822 email address, yeah strip tags if you want!
striptags has a purpose, and that's if you want to strip tags. It won't protect from SQL injection, and if the input text isn't actually tagged as such....???
Sam
*cough*
It's this kind of lack of understanding that makes the problem so prevalent.
First, it doesn't make sense to htmlencode everything, just as it doesn't make sense to addslashes everything (now turned off by default in all good PHP configurations).
Here's why: Not everything that comes in is to be displayed as html, just as not everything that comes in is destined for the database.
Unless you understand the risks, you can't guard against them though it appears some people are still able to be certain they have guarded against them.
If you do this,
sqlquery("select * from user where username='$user'") then you need to think what the problem is; it's a well-defined problem, it is that $user may contain a final ' mark and then some; maybe:
$user="jimjoe' or 1'"
so your preferences page now shows the first user in the db, or depending on your web page, all of them.
In php, htmlentities doesn't encode the '
If you are invoking system commands (and yes, I once had to do a LOT of this from PHP) then be careful about shell metacharacters like ` ' " and $ in certain cases.
The principle is that you need to make sure the system you are passing data on to interprets it in the literal sense that you require and you cannot do this unless you understand completely how each of the systems you will pass the data on to really does interpret data.
So if your user data is destined for the database, then escape it, something like:
sqlquery(sprintf("select * from user where username='%s'",addslashes($user)));
(yes there are other, better ways of doing it)
If you want to display on the web page inline:
echo htmlentities($user);
on the other hand if you want to display in a text area I think there is other encoding to use. If it is for a URL you need to urlencode and htmlentities but I forget the order.
Understand the system you are communicating with.
Sam
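The principle in the post above (each system you hand data to interprets it its own way, so encode for that system and no other), as an added example that is not the poster's code. The post is PHP; this is a Python rendering of the same four sinks using only the standard library and a throwaway in-memory SQLite table. The table, its rows and the payload `x' or '1'='1` (a syntactically complete variant of the post's `jimjoe' or 1'`) are constructed for the example; `finger` is just a stand-in command.

```python
"""Context-specific encoding: SQL, inline HTML, a URL in an attribute, a shell
command. Added example; not code from the original post.
"""
import html
import shlex
import sqlite3
import urllib.parse

# Constructed sample data, standing in for the post's "user" table.
SAMPLE_USERS = [("alice", "alice's prefs"), ("bob", "bob's prefs"),
                ("jimjoe", "jimjoe's prefs")]


def _fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT, prefs TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", SAMPLE_USERS)
    return conn


def usernames_unsafe(user: str) -> list:
    """String-built query, like the post's first sqlquery() call. A closing
    quote in `user` ends the literal and everything after it is SQL."""
    sql = f"select username from user where username='{user}'"
    return [row[0] for row in _fresh_db().execute(sql)]


def usernames_escaped(user: str) -> list:
    """Escaping done the way THIS database wants it. Standard SQL and SQLite
    escape a quote inside a literal by doubling it; the post's addslashes()
    emits backslashes, which MySQL accepts but SQLite does not treat as an
    escape at all. Same data, different consumer, different rule."""
    escaped = user.replace("'", "''")
    sql = f"select username from user where username='{escaped}'"
    return [row[0] for row in _fresh_db().execute(sql)]


def usernames_param(user: str) -> list:
    """Parameterised query: the value travels separately from the SQL text,
    so nothing in it can become syntax. This is the 'better way' the post
    alludes to after its addslashes() version."""
    rows = _fresh_db().execute(
        "select username from user where username=?", (user,))
    return [row[0] for row in rows]


def for_html(user: str) -> str:
    """For inline page text or an attribute value. quote=True also encodes
    ' and ", which the post notes PHP's htmlentities() skips by default; an
    unencoded ' is enough to break out of a single-quoted attribute."""
    return html.escape(user, quote=True)


def prefs_link(user: str) -> str:
    """A URL inside an HTML attribute: two consumers, so two encodings, in
    the reverse of decoding order. The browser decodes the HTML first and
    parses the URL second, so URL-encode the parameter first and
    HTML-encode the finished URL second."""
    url = "/prefs?user=" + urllib.parse.quote(user, safe="") + "&tab=main"
    return '<a href="' + html.escape(url, quote=True) + '">prefs</a>'


def shell_command(user: str) -> str:
    """A shell command line. shlex.join() quotes each argument so ` ' " $
    and friends are literal to the shell. Better still: skip the shell and
    hand subprocess an argv list directly."""
    return shlex.join(["finger", user])


def shell_roundtrip(user: str) -> list:
    """What the shell would actually see after parsing shell_command()."""
    return shlex.split(shell_command(user))


if __name__ == "__main__":
    payload = "x' or '1'='1"
    print(usernames_unsafe(payload))    # every user: the quote ended the literal
    print(usernames_escaped(payload))   # []
    print(usernames_param(payload))     # []
    print(for_html(payload))
    print(prefs_link(payload))
    print(shell_command(payload))
```

Run with the payload and the unsafe query returns every row while the escaped and parameterised versions return none; the HTML, URL and shell functions each return the same string wrapped for a different parser, which is exactly why no single "clean the input" call at the entry point can do the job.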
An accurate judgement, no doubt, but the point is this:
Is there any value in moderating the post as redundant - redundant it may be, but useful, and arguably more useful than its moderation as redundant
You are right, but try this, on a different machine, an 80MB P133 laptop:
Win95 runs like a jackrabbit
win2k chugs a bit
redhat9 with gnome standard install gives me time to get bored and forget what I was clicking on.
(I have 3 slottable hard disks so I used to run either depending what I needed)
I think I do understand the specifics of the performance issues, and hopefully this example involves a little less handwaving.
Sure, gnome has some good plans.
But why CORBA? Fat and slow!
And with stupid side effects like this:
If I'm logged on to an X console and run evolution, then get an Xvnc session and run another ximian, guess where it pops up?
Not on my Xvnc, no, it ignores $DISPLAY and all that, instead uses my CORBA sockets in /tmp and pops up on my original desktop still logged in.
It's the waste, and this kind of behaviour, that makes me wonder.
You are right about the deficiencies of windows, coupled with the fact that many things in linux can be fixed with another shell script.
Linux is good, just not ready for the average desktop. (Well, home desktop at any rate, corporate lock-downs is another matter)
Sam
Its for this sort of freedom that I appreciate Linux.
I also thank you for your comments, IceWM may well be worth trying.
If there were some gnome-compatible widget libs that didn't use CORBA I'd be happy and laughing.
I'll mail you, thanks for the offer.
I'll argue my point, right now I'm running win2k on an 80MB P133 and it's not bad. Last week I tried slotting in the old spare win95 disk and it really flew. I won't try redhat 9 on this because when I did it was too deadly slow.
So win2k beats redhat 9 on the same old out of date hardware that linux users claim linux is good on. (and that includes me till about 2 weeks ago).
That's the conclusion. And you're right, you can't argue with that. I had to accept it.
I was trying debian as a replacement to redhat and installing it on my win95 disk (hence my brief recent foray with win95 on the laptop) and I expect to finish getting debian working.
Nothing like booting off the installation floppy again to get network working and then use the provided shell to chroot the /target and apt-get a few more packages.
So I'll see if Debian's distro can beat redhat, and then if it can beat win2k.
I can handle linux. I've been running redhat since series 4, since 5.0 in regular use.
I can patch my own kernels and add the patches to the hundreds of patches in the redhat kernel src rpm.
It just stinks as a desktop OS, and I'm finally able to come out and say it now my hope has run out. It's not worth my saying it's good as a desktop OS because I set it up for someone as a desktop OS and it failed. I'll not pretend just to join your club, although I still use it at home.
It's not magically complicated, it's just slow and clunky. Redhat is the best IMHO and they are nearly there. But they are not there, and now we hear this.
No doubt the fedora project will pull through, but it won't be any time soon.
1) Yes, I rarely use a mouse, except for a lot of linux X stuff which has no keyboard shortcuts (windows apps generally manage this well)
2) Yes the debian docs are on CD
I was trying to do a network install and had no end of trouble trying to find the instructions of WHICH files I needed to burn my bootable floppies and such for the "sarge" install, on account of the amount of links to general debian commentary, strategy and "join us" type documentation.
3) Yes I like freedom, that's why I prefer linux.
4) I use mozilla for email, but on windows.
I've now got some newer peripherals which will need to be working before I make the switch, I hope to make it one day.
No, rude folk like you are why it'll never be ready for the desktop. And your deluded rant is why you'll never see that it doesn't fit the bill yet.
I know what I'm doing with Linux. It works for most things I do, but not my family and friends.
My enlightenment came when I set up a linux box for someone else to use as a desktop machine and it was crap.
The performance was crap, mozilla has some stupid crap bugs (like when a frame reloads, other frames with text input boxes that have focus select all the text for some stupid reason, so as you keep typing you lose what you already typed).
Yeah, it's a small bug but it made it unusable for a major use for this person, cos they like to chat with web-based chat clients. That's crap I know, but IE can do it.
Dialup-networking control is unwieldy.
Open Office is good.
Linux is cool, I love it, I use it, I patch it, I work with it and play with it.
But joe in the street can't.
And by the time he spends money on a box powerful enough to run it he may as well get windows nearly free and be done with the hassle. That's a fact.
Hey my 80MB P133 tecra laptop handles win2k better than it handles redhat 9 and waay better than that desktop box handled redhat 9.
Desktop/Graphical Linux these days generally means bloat (unless you use XFCE).
Just because you can draw fancy comparisons doesn't mean my tests were deluded.
Sam
Well my P133 80MB RAM Toshiba Tecra laptop handles win2k WAAAYYY better than the P400 desktop handled redhat 9.
And I don't run redhat 9 on my tecra, it could cope with 7.2 just about.
Let's just say that a 4x faster machine with 8x RAM was 4x slower than win95. I don't call that the benefits of an up to date OS.
Sam
Redhat bloat (and SLOW gnome bloat) is BIGGER and WORSE than windows bloat!
I won't tire of saying that a P400 with 64MB and Redhat 9 + Gnome thrashed disk like mad while the P100 32MB Win95 machine it replaced was much much better.
When I put 200MB in the P400 it stopped thrashing and was only 4 TIMES SLOWER than the P100 with 32MB and win95
That's GNOME for you, who pursue idealistic usability instead of pragmatic usability.
Then don't get me started on Debian, that DOESN'T install the packages containing the kernel modules needed to run the installer until AFTER the next boot when it's too late, cos the network card (and PCMCIA) were some of those drivers.
Debian - where the "about" docs are merged with the "join us" docs which are merged with the "instructional" docs so it becomes IMPOSSIBLE to get any information out in any decent amount of time.
Debian - whose users think apt-get is better than the ("I never heard of it") rpm/up2date of redhat, and with far fewer features.
As you can tell I'm ticked off at Linux on the desktop.
For 2 years I've dual booted, preparing to make the switch, I still haven't been able to do it!
I guess I'm sticking with win2k another couple of years, despite my FAT32 "my documents" so I can use open office from win or linux; that's the ONLY thing that works, with MOZILLA a NEARLY 2nd best.
Desktop Linux is nowhere soon.
Sam
Yeah, but guess what's easiest?
To remove something
or
to remove it and put it back again later
or
to remove it and remember to put it back later and put it back later
or
to remove something and be bothered to remember to put it back later and to be bothered to put it back later and to put it back later
Guess whether or not any stories we yanked from the search set were restored, or if we left the cron job running which kept pulling them.
*cough*
I don't know, but I suspect the cron job may have been stopped when another was started for another trial a lot later, but certainly it's not commercially worth the trouble to build such things into the spider and search specially.
So when all the news web-sites have to pull a story because it relates to a trial... will it be pulled from the archive?
Will it be put back after the trial?
Or will it be a highly biased archive where anything that ever went to trial is strangely absent apart from the verdict.
I used to manage the ananova search engine and it was a royal pain to have to yank spidered stories out of the result set, yet the way some websites work (different urls for same story) it would be back in again after a while. Judges don't care for such technical excuses.
More and more money and time in the UK is spent chasing "mostly honest" individuals for the slight slips, why?
Because they don't run, they don't hide and they pay up.
Expect this trend to spread.
Great time and money are spent trapping motorists who speed by as little as 10% such that around speed cameras motorists now take their eyes off the road in order to check their speed to the meter.
Someone will be harassed by local youths and, when provoked to fight back, get arrested - why - because they didn't run away.
Expect more of this: as law enforcement agencies have to meet their targets, they pick easier targets.
Not all law enforcement are like this, I know some who like to target the truly criminal.
However...