In the Netherlands (and apparently other parts of Europe), driving "intelligently" became a big focus a few years ago. Public service announcements were trying to get people to better anticipate traffic, drive at a steady speed, etc. Since I no longer live there I have no idea if it had any effect or not.
Overriding the Object() constructor to do what they did is currently not possible in all browsers, due to the need for "setter" functions. However, since this is now part of JavaScript 1.5, I'm assuming all browsers will have this feature sooner or later. Also, overriding using "function Object" or even "Object.prototype.constructor" currently does not appear to be possible in all browsers. Regardless, the concept of overriding the constructor is valid and in Firefox it's even possible right now.
I like Google's "while(1)" approach. A simpler way may be to include "//" as the first two characters. Any JSON object should become un-parseable if the first bracket (plus maybe more) is commented out.
If your AJAX implementation simply returns JSON data ({json}), there is nothing to worry about. However, if something like "parseData({json})" or "data={json}" is returned (either naively, or on purpose to support cross-domain calls), then you are vulnerable.
Makes me wonder what exactly these vulnerable AJAX toolkits are doing, and why.
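As an added example that is not from these comments or from any toolkit they mention, the guard-prefix idea from the two comments above in Python: a server-side helper that emits `while(1);` or `//` guarded JSON on a single line, a same-origin client that strips the guard before parsing, and a review check that classifies an endpoint's output into the guarded, bare-JSON and "parseData({json})" / "data={json}" shapes. Function names and the sample payloads are constructed for this example.

```python
import json
import re

# Guard prefixes discussed in the comments above: Google's "while(1);" and a
# leading "//". Either makes the body useless to a cross-site <script src=...>
# include: the loop never finishes, or the (single-line) JSON is commented out.
GUARD_PREFIXES = ("while(1);", "//")

# Response shapes the comment above calls vulnerable: "parseData({json})" or
# "data={json}", i.e. text that is a valid, side-effecting JavaScript program.
SCRIPT_LIKE = re.compile(r"^\s*(?:var\s+)?[A-Za-z_$][\w$]*\s*[(=]")


def make_guarded_response(data, prefix="while(1);"):
    """Server side: serialise to ONE line and prepend the guard.
    Single-line output matters for the "//" guard, which only covers the first line."""
    if prefix not in GUARD_PREFIXES:
        raise ValueError("unknown guard prefix")
    return prefix + json.dumps(data, separators=(",", ":"))


def parse_guarded_response(text):
    """Client side (same-origin XHR, which can read the raw text): strip the
    guard and parse. A response without a guard is rejected rather than parsed,
    so a misconfigured endpoint is noticed instead of silently accepted."""
    for prefix in GUARD_PREFIXES:
        if text.startswith(prefix):
            return json.loads(text[len(prefix):])
    raise ValueError("response is missing its guard prefix")


def classify_response(text):
    """Review check for an endpoint's output:
    'guarded'     - carries one of the guard prefixes
    'script-like' - callback-wrapped or assigned JSON (the vulnerable shapes)
    'bare-json'   - plain {json} with no executable wrapper
    'other'       - anything else"""
    if text.startswith(GUARD_PREFIXES):
        return "guarded"
    if SCRIPT_LIKE.match(text):
        return "script-like"
    try:
        json.loads(text)
        return "bare-json"
    except json.JSONDecodeError:
        return "other"


if __name__ == "__main__":
    # Constructed sample payload, not from the page.
    body = make_guarded_response({"account": "12345", "balance": 42.5})
    print(body, "->", classify_response(body))
    print(parse_guarded_response(body))
```

The protection relies on the asymmetry the comments describe: a same-origin XMLHttpRequest can read the raw text and strip the guard, while a cross-site `<script src>` inclusion can only execute it, and the guarded text either loops forever or is a comment.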
Of course they'd say that. It's one thing to say "our product is better". It's another to claim your competition (as well as the customer you want to do business with) is doing something illegal. If they lose the former argument, they can say "our next version will be better". If they lose the latter, all they can say is "oops" and look bad.
They're not saying it. But my guess is they're thinking it. Heck, they might even know it if they also paid/offered an under-the-table amount but simply got "out-bid" by AutoMARK...
Diebold was so confident they'd win, that they now suspect foul play. If AutoMARK machines were indeed picked not based on superiority but instead based on under-the-table transactions between AutoMARK and the State, then that's not cool. If Diebold wants to invest money into investigating that possibility, then I say let them.
This is win-win: either Diebold wastes a bunch of money, or some corrupt people are exposed. Yay.
BRIAN: Are you the Open Software Foundation?
REG: Fuck off!
BRIAN: What?
REG: Open Software Foundation. We're the Open Solutions Alliance! Open Software Foundation. Cawk.
FRANCIS: Wankers.
The real question is: should any bank make it easy to "register your computer with them so that you don't have to go through the new extra security steps". The answer of course is "no". If I break into your house and steal your computer, I now also have access to your bank account (which you probably have a handy bookmark for to make it even easier). Also, anyone you trust into your house (babysitter, etc.) can now get into your bank account.
Banks shouldn't make it easy to remove the "what you know"-part of the authentication. It's there for a reason.
(Then again, I probably misunderstood what "the new extra security steps" are. But there ya go.)
Netscape Restores RSS DTD, Until July - from the that's-kinda-lame dept.
Two Stargate SG1 Films Announced - from the good-for-them dept.
Linux: x86 Linux Flash Player 9 is Final - from the i-still-hate-flash dept.
Looks like somebody is having a case of the Mondays.
Just out of curiosity: on evolution, which side is the "views that are held by very small minorities of people", and which side is the "views that are extensively proven and supported"?
FIRST : stop forcing prepared binded statements for all
From the looks of it, you're equating "prepared binded statements" with "one single hardcoded statement with parameters". That doesn't have to be the case. You should still use binds to pass the user-input to the SQL statement, but that doesn't prevent you from using:

    $sql = "SELECT * FROM myData WHERE CONTAINS (column,";
    if ( something ) {
        $sql.= "?)";
    } else {
        $sql.= "'FORMSOF (INFLECTIONAL, ' + ? + ')')";
    }
You can write your statement as varied as you want. Just ensure that user-input can't affect what you intend the statement to do (and binds are the safest, most future-proof way to do this).
SECOND : parameter binding through naming
If MySQL and/or PHP doesn't support this, then that's too bad. There is no reason why they can't support it. For example using Oracle and Perl's DBI package you can do:
But if you "cant wait" for when this is available, you are apparently willing to use it. Then the only argument against using the (slightly more cumbersome, but no less secure) version that uses numbered placeholders is... laziness. I think.
THIRD : i want to see the final SQL
For debugging, that's a valid argument. However, if you set it all up correctly, you'll end up with EXACTLY the final SQL, minus the user-entered values. For debugging correctness of your SQL, this should be more than enough. If you are doing performance testing, having the "base" SQL handy and executing it manually by search-and-replacing the "?"s couldn't be easier.
Other than technical reasons (such as "the version of the database doesn't support it"), there is no good reason not to use bind variables when combining user-input with a SQL statement.
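As an added example that is not from the comment above or from Oracle, DBI, MySQL or PHP, the three points worked through in Python with the standard sqlite3 module (which accepts both `?` and `:name` placeholders): a statement whose shape varies by code path while the user's term stays a bound value, a helper that turns named placeholders into numbered ones for a driver that lacks them, and a renderer that shows the "final SQL" for debugging without ever executing it. The table, rows and function names are constructed for this example.

```python
import re
import sqlite3

# Matches a ':name' placeholder in programmer-written base SQL.
NAMED = re.compile(r":([A-Za-z_]\w*)")


def make_db():
    """In-memory table with constructed sample rows (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myData (id INTEGER PRIMARY KEY, title TEXT, owner TEXT)")
    conn.executemany("INSERT INTO myData (title, owner) VALUES (?, ?)",
                     [("apple pie", "alice"), ("apple tart", "bob"), ("cherry pie", "alice")])
    return conn


def search(conn, term, exact):
    """FIRST point: the statement's shape is chosen by program logic (exact or
    fuzzy branch, like the if/else in the comment), but the user's term only
    ever enters as a bound value. With a fuzzy match, '%' and '_' in the term
    still act as LIKE wildcards, which is a data-level matter, not injection."""
    sql = "SELECT title FROM myData WHERE title"
    if exact:
        sql += " = :term"
        params = {"term": term}
    else:
        sql += " LIKE :pattern"
        params = {"pattern": "%" + term + "%"}
    sql += " ORDER BY title"
    return [row[0] for row in conn.execute(sql, params)]


def named_to_positional(sql, params):
    """SECOND point: when a driver only understands '?', translate named
    placeholders yourself. The base SQL is programmer-written, so a ':name'
    token in it is always a placeholder, never part of a literal."""
    values = []

    def to_qmark(match):
        values.append(params[match.group(1)])
        return "?"

    return NAMED.sub(to_qmark, sql), tuple(values)


def debug_sql(sql, params):
    """THIRD point: render the final SQL with values substituted, for logs or
    an EXPLAIN session only. This string is never handed to the database."""
    def quote(value):
        if value is None:
            return "NULL"
        if isinstance(value, (int, float)):
            return str(value)
        return "'" + str(value).replace("'", "''") + "'"

    return NAMED.sub(lambda m: quote(params[m.group(1)]), sql)


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"          # constructed input; bound, so it is just a string
    print(search(db, hostile, exact=True))   # []
    print(search(db, "apple", exact=False))  # ['apple pie', 'apple tart']
    print(named_to_positional("SELECT title FROM myData WHERE title = :t", {"t": "apple pie"}))
    print(debug_sql("SELECT title FROM myData WHERE title = :t", {"t": hostile}))
```

The only string that reaches the database is the base SQL plus a separate parameter list; `debug_sql` exists purely so the developer can see and run the statement by hand, which is the legitimate use the comment concedes.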
Isn't this exactly what Ubuntu is doing (minus the easy conversion wizard)? They "throw around" CDs, and even try to send you more CDs than you need so you'll hand them to your friends.
So all they need is a snappy mascot. I nominate him.
They may not have included "Fit to width" mode in the Wii version of Opera, but they included "Small screen" mode (renamed to "Single column" mode), which should be exactly what you're describing:
Single column mode: To view the Web page in new way, select single column mode to get your content stacked. This mode is similar to Opera's Small Screen Rendering technology for mobile phones and other small screen devices, and is useful when viewing content from a distance.
So, yeah, let's talk about this. Anyone? Anyone? Bueller? Bueller?
http://www.hetnieuwerijden.nl/english.html
http://www.ecodrive.org/
Go
No, not really. I just wanted to look like a nerd.
And gluing a penny to the top of your PC lets you use imported software.
It's true! Try it!
Never mind. I noticed the other comment you posted in which you provide the URL. Thanks!
Who is "they", and where do they use that example?
(Not questioning what you said, I just want to learn more.)
+1 Insightful
they specifically say it isn't about corruption
I hate you now. Thank you.
Because they're called Diebold. Not Diebold.
Duh.
ball-peen
Thank you for a very good (although incredibly immature) laughing fit.
(On Wednesday.)
Wouldn't that make it a bad example of a /. story?
*rimshot*
Having visited both links, I can honestly say I liked the first one better.
No, YOU suck!
Doesn't this simply mean that Bush didn't understand what he signed, and mis-summarized the bill?
Don't attribute to malice, yada, yada...
Opera (at least on the desktop) has an option View->"Fit to width" that does just that. I'm surprised they haven't included it in the Wii version.