That would be fine, if young female culture didn't often take statutory rape -- that is, having sex with some 20 year old when you're 14 -- as some sort of bizarre badge of honour and something to be actively sought.
Ok I think that is quite enough.
Does that change the fact that the 20 year old has a responsibility in this situation? Not to have sex with a 14 year old? Is it somehow really hard to identify someone who is only a few years into high school?
This is just as bad as the girl and her mother suing MySpace. Wahh, waah it isn't my responsibility. It is someone else's responsibility.
Now India will feel the pain as jobs are outsourced to Asia and Eastern Europe where rates are cheaper! Pretty soon, people in Zimbabwe will be coding :)
Like hell they will be. You need a stable country first and that isn't happening any time soon. I'm not sure what news you are getting about Zimbabwe, but I know a missionary working there and a friend who has visited. There are massive food and petrol shortages and rampant inflation. A little over a year ago the government decided to make 10-20% of the population homeless by bulldozing their houses and shanties. This is aside from the rate of AIDS infection in the country (hard to measure accurately but thought to be >20%).
Did you know that legal abortion seems to be responsible for about half of the falling crime rate in the '90s? Surprised me too. But it makes a lot of sense if you take the time to think about it.
You should read the fuller article, e.g. in Freakonomics. The conclusion of the article is that while it may have cut the crime rates, it wasn't worth it. Examining just the murders and comparing the number of murders prevented by abortions with the number of abortions performed and multiplying the number of abortions by a factor (taken as 1/100, in other words saying that a fetus is worth 1/100th of a person) you come to the conclusion we would have been better off without the abortions.
PHP's mysql_real_escape_string() won't do squat.
...
According to the documentation:
mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
This does nothing against the attack I described. If you called mysql_real_escape_string() on the code I gave you, you will still end up with an SQL string of:
"SELECT * FROM MyTable WHERE MyID = 1 OR 1 = 1"
As for your other suggestion about forcing everything to string in the database...
I am reaching the opinion that most people who work with MySQL seriously need to spend some time with a real database. It seems to retard understanding of basic database concepts.
You should understand that the torture methods used by the CIA are employed to save lives.
And when Nazi scientists experimented with freezing treatments on Jewish concentration camp inmates it was also to save lives (in this case the lives of Luftwaffe pilots falling into the North Sea). Equally, if you follow the arguments of Steven Levitt on abortion saving lives (in this case of people not being murdered), you could take the same view. However, in both cases the cost of saving those lives is too high.
There are too many problems with torture to go into, but let's begin with a couple:
1. It does not produce the truth, it produces confessions. If that is the aim then, moral considerations aside, it is effective. But for the "war on terror" we are torturing people to gain the truth. People under torture will say what they think the torturer wants to hear, not necessarily the truth, just so that the torture can stop. Hence the use of torture was very useful for Stalin in retrieving confessions for show trials.
2. The other issue is what you do with innocent people who were tortured. There certainly will be some.
3. Historically torture has been abused when it has been applied.
...that preschool world just isn't the one we live in
I'm sorry you seem to inhabit a preschool world, when the CIA are white knights protecting us. The evidence of the last couple of years would seem to suggest that they are not entirely benevolent and that they are not entirely competent (which also leads to innocent people being detained).
I think you need to consider the implications of your position. You are effectively saying that you could see Jesus pouring the water on the cloth over someone's face, knowing that they think that they are drowning.
BTW your resume link on your homepage (http://www.afn.org/~afn31208/resume.html) 404s.
Waterboarding, as sick as it may be, still seems like a reasonable practice given the cases that the CIA deals with.
I think the question we should ask the ilogger is if torture is truly wrong...
I (as a Christian) find it hard to understand how someone can reconcile being a Christian with asking this question. How can you consider that torture is justified?
Regardless, just considering physical damage is a pretty shallow way to look at torture. You are likely to do psychological damage.
I've read about waterboarding. I read about it before it became popular, in the account of a prisoner in the Korean war. There was no doubt in his mind that this was torture. I've read comments by those who survived through being captured by the Japanese during WWII. They experienced, among other things, fake executions. Their comment on this was that they would have preferred a beating (resulting in physical damage) to a mock execution (resulting in no physical damage).
Either change your sig or change your behaviour.
Indeed. Aluminium used to be very rare and was prized as a result.
I've seen this comment before.
The problem is that DC has in fact "let people run around with guns". There are no stiff penalties for carrying a gun (illegal or otherwise). You are also able to get a gun from a neighbouring state (buy or steal). So in effect:
1. The supply of guns has not been cut off
2. There is no strong disincentive to carry a gun
I think it would be interesting to see some serious jail time imposed for anyone found breaking these laws. Say maybe 5 years. Then let's see what the results are.
More to the point, Firefox should include a "print" option in their context menu for the page and the frame.
No offence but given OpenBSD's security record I think I'd take Theo's views over yours.
We have one query where the user can input around 30 pieces of data and they're all optional.
Not particularly. I won't say that it performs fantastically but you can certainly do it. Simple example:
CREATE PROCEDURE MyProc
@optVar Int
AS
SET NOCOUNT ON
SELECT Foo
FROM Bar
WHERE (@optVar = Bar.opt OR @optVar IS NULL)
You can also add custom sorting to procs, but that can get messier. I'd still argue that this is no less messy than generating the SQL, although it tends to perform less well. You'd probably want a WITH RECOMPILE on the proc.
It isn't just unescaped strings. You need to force variables to their correct types. Suppose you expect an int input, which someone sends in a string. Say your code looks like this:
$sql = "SELECT * FROM MyTable WHERE MyID = " . $var;
If $var contains "1 OR 1=1" then you will have problems.
... because avoiding SQL injection is relatively easy to do.
1. Use only prepared statements or stored procedures (Note: even without concern about SQL injection this is a good idea).
2. If you use stored procedures do not use any of the passed in values to generate dynamic SQL (otherwise you have just moved the problem from the app to the database).
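Added example, not code from any of the posts above: a Python version (using the standard-library sqlite3 module) of both points made in this thread. It mirrors the escape table quoted from the mysql_real_escape_string() documentation, shows why escaping leaves the integer-context input "1 OR 1=1" untouched while forcing the type and binding the value stops it, and rewrites the optional-parameter stored procedure as a bound query. The table name, column names and rows are constructed for the demo.

```python
import sqlite3

# Same escaping as mysql_real_escape_string(): backslashes are prepended
# only to \x00, \n, \r, \, ', " and \x1a. Nothing else is touched.
ESCAPES = {"\x00": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
           "'": "\\'", '"': '\\"', "\x1a": "\\Z"}

def mysql_style_escape(value: str) -> str:
    return "".join(ESCAPES.get(ch, ch) for ch in value)

def build_db() -> sqlite3.Connection:
    # Constructed sample table (hypothetical names, not from the posts).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE MyTable (MyID INTEGER, Foo TEXT, opt INTEGER)")
    conn.executemany("INSERT INTO MyTable VALUES (?, ?, ?)",
                     [(1, "alpha", 10), (2, "beta", 20), (3, "gamma", 10)])
    return conn

def concat_lookup(conn: sqlite3.Connection, var: str) -> list:
    # The pattern from the post: escape, then concatenate. An int column is
    # compared without quotes, so "1 OR 1=1" survives escaping unchanged and
    # the WHERE clause becomes "MyID = 1 OR 1=1", matching every row.
    sql = ("SELECT Foo FROM MyTable WHERE MyID = "
           + mysql_style_escape(var) + " ORDER BY MyID")
    return [row[0] for row in conn.execute(sql)]

def typed_lookup(conn: sqlite3.Connection, var: str):
    # Force the type first: int() rejects anything that is not an integer.
    # Then bind the value instead of pasting it into the SQL text.
    try:
        my_id = int(var)
    except ValueError:
        return None  # reject the request rather than run it
    rows = conn.execute("SELECT Foo FROM MyTable WHERE MyID = ?", (my_id,))
    return [row[0] for row in rows]

def optional_filter(conn: sqlite3.Connection, opt) -> list:
    # The optional-parameter idiom from the stored procedure, as a bound
    # query: passing None (NULL) disables the filter, so no SQL text is ever
    # built from user data even though the input is optional.
    rows = conn.execute(
        "SELECT Foo FROM MyTable WHERE (? = opt OR ? IS NULL) ORDER BY MyID",
        (opt, opt))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = build_db()
    print(concat_lookup(db, "1 OR 1=1"))  # ['alpha', 'beta', 'gamma']
    print(typed_lookup(db, "1 OR 1=1"))   # None
    print(typed_lookup(db, "1"))          # ['alpha']
    print(optional_filter(db, 10))        # ['alpha', 'gamma']
    print(optional_filter(db, None))      # ['alpha', 'beta', 'gamma']
```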
I'm finding it kind of hard to take the article seriously.
What is an IT Stack? Is that where you go on a team building exercise and have to make a pyramid (with sys admins at the bottom)?
Or quotes like this:
A few years ago, Microsoft threw around the .Net moniker so aggressively in so many areas that it became difficult to figure out exactly what the term meant. But, as all the irrational exuberance that comes with a failed marketing blitz finally pulled back, .Net went back to being what it was originally intended to be: the name of Microsoft's server and service stack.
First sentence is fine. Second isn't. .Net is not "the name of Microsoft's server and service stack". It is an application framework. What is a "server and service stack"?
In fact, why has eWeek decided to call everything a "stack"?
Equally (and they do acknowledge this), it seems to be much more a test of particular applications.
I understand the need to dumb things down a little, but seriously.
Current beta testers, pulled from the EveryDNS.net, are also begging OpenDNS to redirect clear typos, such as "wikepedia.org" (instead of "wikipedia.org"), away from typo-squatters who set up pages with advertising to cash in on errant keystrokes, something Ulevitch seems game to implement.
So if I want to visit a domain that is close to a big domain, I'm likely to get redirected?
It sounds more like he is breaking DNS, in ways that may make it more helpful for some people.
It can happen (if you take the word of eMusic).
That is correct. To be precise they were persian.
On a second note, no one actually voted for John Howard. He is a figure head of the party we voted for.
That is not quite true. The members of his electorate voted for him.
Thanks for the correction. I misread that sentence to say that 20% of the time WGA was wrong when it flagged a machine as unauthorized.
People don't like to laugh alone. Well, except for mad scientists. Most people watching TV are either alone or with few people.
Visual Studio is now free.
Visual Studio Express is free, not Visual Studio. Big difference.
Office can be had for $150.
If you are a student. You are hardly legal if you buy a student copy of office and aren't a student.
FTA:
Through its spokeswoman, Microsoft said that "80% of all WGA validation failures are due to unauthorized use of leaked or stolen volume license keys."
20% is a pretty bad false positive rate.
Money.
My understanding is that some of the techniques and discoveries relating to adult stem cell are patented.
How about asking him about standards support in the current browser?
How about asking him what they are going to do about standards support in the future? Will they use open standards (if they exist) rather than defining their own? Will they open up any new standards they define?
They should also ask him about extensibility for the browser and what they are doing to encourage developers to write extensions for the browser. The single best feature of Firefox is that there are so many good extensions.
How exactly did that j migrate 4 letters?