As you can see, my current e-mail isn't too readable :) In order to tell it to someone by phone I have to decipher the host name: Department of Electromagnetic Processes and atomic Nuclei Interactions, Skobeltsyn Institute of Nuclear Physics, Moscow State University, RUssia. So a gmail account would be helpful. As for other free e-mail providers - I despise them.
I've heard that the neural network of the human brain has a calculation speed of 4.4 TFLOPS. How soon will these machines start to THINK? Seems like what we need now is just more storage capacity and some well-written "thinking" software...
The problem is that M$ breeds stupid programmers... It tries hard to make complex stuff look easy, while it would be better to introduce some minimum IQ requirements for writing server-side code.
For sites that don't run as sa, the worst thing is OPENROWSET, which allows one to send results to a remote SQL server. There's a good paper on that topic.
To avoid the possibility of SQL injection, the most intuitive way is using placeholders. In ASP.NET (ADO.NET), code written using command.Parameters.Add(...) etc. looks better than
"select * from users where userid='" + userid + "' and password='" + password + "'"
but people still tend to use the latter construct. So, one often can use
There's a pretty simple explanation of why stealing data is so easy... Go to www.google.com. Type
order inurl:asp?id
You'll see a lot of pages related to online stores that are based on ASP and get some ID from Request(...). Now follow one of the links, then replace the number after id with '. What will you see?
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quote before the character string ' AND HostID = 319'.
/../responseRedirect.asp, line 10
What does this mean? This means that the site was made by a not-so-good Visual Basic programmer, who learned this "wonderful" language and now thinks that he can do server-side code. Implications? Most likely, ALL DATA FROM THE DB CAN BE STOLEN. All you need is MSDE and a bit of programming. SQL Server is flexible enough to allow theft of all data via this "small" SQL Injection hole.
So, the main problem is Microsoft, and, of course, stupid programmers. They mostly use ASP, and now they are slowly migrating to ASP.NET (aspx). Also, there are PHP guys who use include($page) without any filtering, but it's somewhat less common. SQL injection is also less dangerous for PHP+MySQL sites, as MySQL is less "flexible".
Sadly, I don't know what can be done to solve this... Microsoft will continue to exist, and stupid programmers, in most cases, have bugs in their DNA - so education won't help...
ivan_iv AT depni, sinp, msu, ru
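Added illustration of the two constructs discussed in the comments above (the concatenated query versus placeholders, and the lone-quote test that produces the "Unclosed quote" error). This is example code written for this page, not code from the commenter or from any site he describes. It assumes SQLite standing in for SQL Server (the string-gluing failure mode is the same), a constructed users table with two made-up rows, and Python's sqlite3 module; the function names login_concat, login_param, probe_quote and demo are hypothetical.

```python
import sqlite3

# Constructed sample table standing in for the site's real database.
# SQLite is used here because it runs anywhere; SQL Server reacts the
# same way to the string concatenation shown in the comments.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    conn.execute("INSERT INTO users VALUES ('bob', 'hunter2')")
    conn.commit()
    return conn


def login_concat(conn, userid, password):
    """The vulnerable construct from the comments: input glued into SQL text.

    Returns True if some row matched. A stray quote in the input breaks the
    query text (the "Unclosed quote" error seen in the comments), and a
    crafted input rewrites the WHERE clause instead of being compared as data.
    """
    sql = ("select * from users where userid='" + userid
           + "' and password='" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_param(conn, userid, password):
    """The placeholder form (the equivalent of ADO.NET's command.Parameters.Add).

    The driver ships the SQL text and the values separately, so the values
    can never be parsed as SQL, whatever characters they contain.
    """
    sql = "select * from users where userid=? and password=?"
    return conn.execute(sql, (userid, password)).fetchone() is not None


def probe_quote(login, conn):
    """Mimic the test from the comments: feed a lone single quote.

    Returns "error" when the quote breaks the query (an injection point) and
    "ok" when the quote is handled as ordinary data.
    """
    try:
        login(conn, "'", "x")
        return "ok"
    except sqlite3.OperationalError:
        return "error"


def demo():
    """Run both versions against the same payloads; returns a result table."""
    conn = make_db()
    payloads = {
        "valid": ("admin", "s3cret"),
        "wrong_password": ("admin", "guess"),
        # userid 'admin'-- comments out the password check in the glued query
        "comment_out_password": ("admin'--", "anything"),
        # password ' or '1'='1 makes the glued WHERE clause always true
        "always_true_password": ("admin", "' or '1'='1"),
    }
    results = {}
    for name, (u, p) in payloads.items():
        results[name] = {
            "concat": login_concat(conn, u, p),
            "param": login_param(conn, u, p),
        }
    results["lone_quote"] = {
        "concat": probe_quote(login_concat, conn),
        "param": probe_quote(login_param, conn),
    }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:24s} concat={r['concat']!s:6s} param={r['param']}")
```

Running demo() shows the concatenated version accepting both crafted payloads as a successful admin login and raising a syntax error on the lone quote, while the parameterized version rejects all three and never errors; the quote test is exactly the check one can apply to any of the pages turned up by the Google search in the comments.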