|
yaoi prophet posted:Fortunately nobody is going to be searching for stuff including backslashes in our data. Remember where you were when you said this.
|
# ? Mar 27, 2011 11:59 |
|
|
# ? May 17, 2024 19:35 |
|
pokeyman posted:Remember where you were when you said this. At least it'll fail safe e: turns out the problem was an addslashes doubling up my backslashes. Opinion Haver fucked around with this message at 12:49 on Mar 27, 2011 |
# ? Mar 27, 2011 12:36 |
|
yaoi prophet posted:At least it'll fail safe Whats going on here...
|
# ? Mar 27, 2011 19:53 |
|
yaoi prophet posted:
No, it's no good. I have read this three times and I have absolutely no idea why you are having a problem at all. Yes, there is almost certainly a hilarious way to embed UPDATE/DELETEs into a SELECT. Yes, there are many other much more damaging things that could be done to your database than simply deleting data from it. No, the database being "not secret or anything" doesn't mean you don't need to protect against this. No, the fact that it would take "a weekend of number crunching" to repair the database doesn't mean you don't need to protect against this. At the outset, you should have been able to completely solve your problem by wrapping single quotes and mysql_real_escape_string() around all of your fields. If this didn't work, you must have been doing something very wrong, but the fact that you haven't even mentioned trying this is even wronger. Prepared statements, almost by definition, have absolutely no problem with the escaping of backslashes because correct quoting and escaping is handled automatically. You can't even override it! So if you're still having problems there, then, again, something is very wrong. There is no circumstance in which you should be escaping a PHP variable for inclusion into a MySQL query manually. Also, as I mentioned, the function you're using to "escape" your string is apocalyptically broken. And even if it wasn't, which it is, you should be using str_replace(), not preg_replace(). yaoi prophet posted:Fortunately nobody is going to be searching for stuff including backslashes in our data. yaoi prophet posted:At least it'll fail safe If people searching for backslashes can break your query then your query is broken. It is very easy to make dynamic MySQL queries 100% safe, and there is no excuse for not doing so. I have no idea what "fail safe" is supposed to mean. Basically what I'm saying is that everything in this scenario is a horror except for PHP and MySQL.
|
# ? Mar 27, 2011 21:27 |
|
"yaoi prophet," do you work on mysql.com? MySQL.com Vulnerable To Blind SQL Injection Vulnerability
|
# ? Mar 27, 2011 22:18 |
|
Xenogenesis posted:"yaoi prophet," do you work on mysql.com? Haha, oh christ. And I fixed the problem just by removing another layer of escaping that I didn't realize was going on. I didn't write the original code that required that comment or I would have just written it to use prepared statements in the first place. But yes I freely admit that the stupid character class thing is definitely a horror. Fortunately it's one that I managed to get rid of.
|
# ? Mar 28, 2011 01:24 |
|
nielsm posted:MSVC for 64 bit doesn't allow inline assembly. You can still have assembly source files and call functions written entirely in assembly. Yup. I have some assembler for ticket based spinlocks that requires 8-bit and 16-bit atomic ops, but Win API only provides one 32-bit aligned 16-bit atomic op and everything else is 32-bit or 64-bit. The limiting factor seems support of IA64 which does not permit such short aligned operations. I tried using external MASM64 only to find that the supported syntax can be very different to MASM, i.e. MASM64 is like a version 1.0 and MASM32 is a version 8.0 with a lot more features. If you trawl the MSDN forums you can find tidbits from the developers. I ended up bumping the locks up to 32-bit and 64-bit ops for Win64 as the intrinsic operations end up faster than function calls.
|
# ? Mar 28, 2011 04:36 |
MrMoo posted:I tried using external MASM64 only to find that the supported syntax can be very different to MASM, i.e. MASM64 is like a version 1.0 and MASM32 is a version 8.0 with a lot more features. If you trawl the MSDN forums you can find tidbits from the developers. I guess that's another reason that e.g. VirtualDub's build uses YASM.
|
|
# ? Mar 28, 2011 04:52 |
|
yaoi prophet posted:Fortunately nobody is going to be searching for stuff including backslashes in our data. Oh my good heavens this is otherworldly. I can't tell whether it's bad that you just muted a tuple or because it throws an error for changing a list object. Worse yet that it throws an error but lets you get away with it anyway? edit: Tested it myself, it really does have that behavior Voronoi Potato fucked around with this message at 05:12 on Mar 28, 2011 |
# ? Mar 28, 2011 05:10 |
I think this has something to do with what Python complains about there:code:
|
|
# ? Mar 28, 2011 05:20 |
|
code:
|
# ? Mar 28, 2011 10:18 |
|
qntm posted:
Never used Python but I'm guessing it's just a reference to a mutable list. The reference itself is immutable.
|
# ? Mar 28, 2011 11:21 |
|
Tuples contain references, so yeah. You can modify the contents of a tuple like this: >>> b = [1, 2] >>> a = (b, 'a') >>> a ([1, 2], 'a') >>> b += [3] >>> a ([1, 2, 3], 'a') My guess is that Python sees you're trying to manipulate a tuple's values, fails as would be expected, but hands the operation to the value anyway, where it succeeds since it's a mutable. Assigning a[0] with a simple a[0] = <value> fails as would be expected.
|
# ? Mar 28, 2011 11:39 |
|
Eliza posted:My guess is that Python sees you're trying to manipulate a tuple's values, fails as would be expected, but hands the operation to the value anyway, where it succeeds since it's a mutable. Assigning a[0] with a simple a[0] = <value> fails as would be expected. Nah, it only sees that you're modifying a list. That the list is pointed at by a tuple doesn't even enter consideration.
|
# ? Mar 28, 2011 15:39 |
|
tuples are immutable, that is the objects they contain can't change, but there's no requirement that the objects they point to be immutable.
|
# ? Mar 28, 2011 16:38 |
|
At least .append() doesn't trigger the error:code:
|
# ? Mar 28, 2011 18:24 |
|
BonzoESC posted:Nah, it only sees that you're modifying a list. That the list is pointed at by a tuple doesn't even enter consideration. I meant at the example posted earlier, where it gives you an error and does it anyway. The sample I posted works just fine, for the reasons you cited. Still, you'd think that it would either not work at all, or without complaint.
|
# ? Mar 28, 2011 18:45 |
|
Eliza posted:My guess is that Python sees you're trying to manipulate a tuple's values, fails as would be expected, but hands the operation to the value anyway, where it succeeds since it's a mutable. This is almost certainly backwards. Odds are very high that it's doing the append before attempting the assignment to immutable tuple, rather than throwing an exception but deciding to continue on anyway.
|
# ? Mar 28, 2011 19:42 |
|
AzraelNewtype posted:This is almost certainly backwards. Odds are very high that it's doing the append before attempting the assignment to immutable tuple, rather than throwing an exception but deciding to continue on anyway. List appends aren't in place in python, are they?
|
# ? Mar 28, 2011 22:16 |
|
BonzoESC posted:List appends aren't in place in python, are they? Depends on how you append. code:
The horror here, if there is one, is that + doesn't update the list in place but += does (as well as performing assignment). ToxicFrog fucked around with this message at 23:15 on Mar 28, 2011 |
# ? Mar 28, 2011 23:12 |
|
ToxicFrog posted:The horror here, if there is one, is that + doesn't update the list in place but += does (as well as performing assignment). Why *would* + update it in place? + shouldn't modify either of its operands.
|
# ? Mar 29, 2011 01:33 |
|
ToxicFrog posted:The horror here, if there is one, is that + doesn't update the list in place but += does (as well as performing assignment). I think what they were going for here was an "assignment operator" wholly distinct from their "binary addition operator", but they failed by naming the language after a snake.
|
# ? Mar 29, 2011 08:11 |
|
ToxicFrog posted:The horror here, if there is one, is that + doesn't update the list in place but += does (as well as performing assignment).
|
# ? Mar 29, 2011 13:04 |
|
PrBacterio posted:No the actual horror here is, why on earth does Python try to do a no-op assignment in this case after already having modified the list in-place? If you think about how += should be implemented on immutable objects for about a quarter of a second you'd figure it out.
|
# ? Mar 29, 2011 13:29 |
|
king_kilr posted:If you think about how += should be implemented on immutable objects for about a quarter of a second you'd figure it out. It shouldn't be! OH HO HO
|
# ? Mar 29, 2011 13:51 |
|
baquerd posted:I think what they were going for here was an "assignment operator" wholly distinct from their "binary addition operator", but they failed by naming the language after a snake. Actually it's named after the television show “Monty Python’s Flying Circus" which is worse.
|
# ? Mar 29, 2011 15:08 |
|
arvash posted:Actually it's named after the television show “Monty Python’s Flying Circus" which makes it OK. FTFY
|
# ? Mar 29, 2011 15:19 |
From the Python language specification(?):"Augmented assignment statements posted:An augmented assignment evaluates the target (which, unlike normal assignment statements, cannot be an unpacking) and the expression list, performs the binary operation specific to the type of assignment on the two operands, and assigns the result to the original target. The target is only evaluated once. I'm not sure what the last thing is supposed to mean. It seems to say that an assignment will always occur, and that operations may be done in-place. The __iadd__ special method is used for in-place addition. From the description of that, and the above, it seems like what is being done is: code:
Conclusion: The behaviour really does make sense. I don't have any ideas for making it fail instantly or not throw up, without risking breaking something else, more important.
|
|
# ? Mar 29, 2011 15:26 |
|
Every time I read Python code or the bizarre things that Python does I wonder how the hell that language caught on. It's like someone's academic experiment that broke out of the lab.
|
# ? Mar 29, 2011 15:42 |
|
NotShadowStar posted:Every time I read Python code or the bizarre things that Python does I wonder how the hell that language caught on. It's like someone's academic experiment that broke out of the lab. And yet it's still better than most languages.
|
# ? Mar 29, 2011 15:45 |
|
NotShadowStar posted:Every time I read Python code or the bizarre things that Python does I wonder how the hell that language caught on. It's like someone's academic experiment that broke out of the lab. Funnily enough, every time I read Python code I wonder how come it's not even more popular.
|
# ? Mar 29, 2011 18:05 |
|
NotShadowStar posted:It's like someone's academic experiment that broke out of the lab. *coughhaskellcough*
|
# ? Mar 29, 2011 18:05 |
|
Every time I read $your_favorite_language code or the bizarre things that $your_favorite_language does I wonder how the hell that language caught on. It's like someone's academic experiment that broke out of the lab.
|
# ? Mar 29, 2011 18:06 |
|
Toady posted:Every time I read $your_favorite_language code or the bizarre things that $your_favorite_language does I wonder how the hell that language caught on. It's like someone's academic experiment that broke out of the lab. Interesting choice of sigil there, given that BASIC, Perl and Bash script are more likely to be described as that thing that broke into the lab and is now hiding, waiting to consume its next victim.
|
# ? Mar 29, 2011 18:21 |
|
NotShadowStar posted:Every time I read Python code or the bizarre things that Python does I wonder how the hell that language caught on. It's like someone's academic experiment that broke out of the lab. Do yourself a favor and don't look into the intermediate code the C# compiler generates to support all the neat language features that have been bolted on since 2.0
|
# ? Mar 29, 2011 18:21 |
|
Toady posted:Every time I read $your_favorite_language code or the bizarre things that $your_favorite_language does I wonder how the hell that language caught on. It's like someone's academic experiment that broke out of the lab. So what you're saying is that every single programming language has serious horrors in it and none of them are good, let alone perfect. I agree entirely.
|
# ? Mar 29, 2011 18:41 |
|
^^ Pretty much this.UraniumAnchor posted:Why *would* + update it in place? + shouldn't modify either of its operands. I agree. I was ambiguous there; I meant that given that + doesn't modify either operand (nor should it), it's surprising that += does (in addition to assigning).
|
# ? Mar 29, 2011 19:25 |
|
qntm posted:So what you're saying is that every single programming language has serious horrors in it and none of them are good, let alone perfect. If you don't hate every programming language you have used for being terrible in some way, then you don't know your programming language well enough.
|
# ? Mar 29, 2011 19:28 |
|
In the current clean-up job for a website built by about a half-dozen different contractors over 5 years with murky requirements, I have 518 direct references to ConfigurationManager.AppSettings[]. The more fun parts is when they quit adding new app settings and started making derived settings based on unrelated settings. Need to find the public site root? Well, use the public site site map path.
|
# ? Mar 29, 2011 19:57 |
|
|
# ? May 17, 2024 19:35 |
|
Zombywuf posted:Interesting choice of sigil there, given that BASIC, Perl and Bash script are more likely to be described as that thing that broke into the lab and is now hiding, waiting to consume its next victim. MIPS asm
|
# ? Mar 29, 2011 21:17 |