|
Doc Hawkins posted:But on the other hand, how would doing that help me portray myself as the victim of soulless modernity? "I wish I could just trust people, but folks these days are bastards, so I have to put up walls between me and thee, O good and gentle players. <emo, drama, self-drat-pitying>" "bosschair posted:I think this issue could really get solved if someone could come up with just one more retarded analogy.
|
#
?
Dec 25, 2011 18:37
|
|
|
|
| # ? May 29, 2024 21:00 |
|
|
If you want to be a cool dude, roll your own json encoder in php. Then make everything a string. And also, don't bother quoting every name in an object, you're a cool dude, after all.code:
|
|
#
?
Dec 27, 2011 21:02
|
|
|
Wheany posted:If you want to be a cool dude, roll your own json encoder in php. Then make everything a string. And also, don't bother quoting every name in an object, you're a cool dude, after all.
|
|
#
?
Dec 27, 2011 23:19
|
|
|
php should be banned from this thread. I'm not at all surprised that something you picked up out of a landfill smells like poo poo.
|
|
#
?
Dec 28, 2011 00:12
|
|
|
Markov Chain Chomp posted:php should be banned from this thread. I'm not at all surprised that something you picked up out of a landfill smells like poo poo.
|
|
#
?
Dec 28, 2011 00:27
|
|
|
Markov Chain Chomp posted:php should be banned from this thread. I'm not at all surprised that something you picked up out of a landfill smells like poo poo. Well, in this case PHP has a perfectly acceptable json_encode function that e: Here is a trivial example that would have broken our code completely: 'Jake "The Snake" Roberts'. I mean who escapes quotes? Not cool dudes. Wheany fucked around with this message at 00:35 on Dec 28, 2011 |
|
#
?
Dec 28, 2011 00:30
|
|
|
Everyone should just use rfc822 encoding. I mean, what's wrong with:code:
|
|
#
?
Dec 28, 2011 15:47
|
|
|
Wheany posted:Well, in this case PHP has a perfectly acceptable json_encode function that Unless you're on one of the (many, many) servers which is still running PHP 5.1.6 Then you don't have json_encode. I usually use a BSD licenced json encoder/decoder for that, though. And I wrap it like this: php:<?php if (!function_exists('json_encode')) { require_once('JSON.php'); function json_encode($obj) { $JSON = new Services_JSON(); return $JSON->encode($obj); } function json_decode($str) { $JSON = new Services_JSON(); return $JSON->decode($str); } } ?>
|
|
#
?
Dec 28, 2011 20:24
|
|
|
Apparently executing raw, user-entered SQL on the server isn't an issue if you simply create a new copy of the database for every query. "This way our clients get the full power of SQL."
|
|
#
?
Dec 29, 2011 00:28
|
|
|
w00tz0r posted:Apparently executing raw, user-entered SQL on the server isn't an issue if you simply create a new copy of the database for every query. What response did you get when you explained why this is pointless?
|
|
#
?
Dec 29, 2011 00:57
|
|
|
w00tz0r posted:Apparently executing raw, user-entered SQL on the server isn't an issue if you simply create a new copy of the database for every query. A legitimate solution, inasmuch as it keeps the production database safe from the ravages of users; but how can you merge changes without including anything malicious, or how do you filter the stuff users should be querying from the stuff they shouldn't? And if you do filter/sanitize the SQL your users input, how do these people justify the expense of copying the database for every little query?
|
|
#
?
Dec 29, 2011 01:04
|
|
|
Hammerite posted:What response did you get when you explained why this is pointless? A blank stare and a strawman argument about how I wanted to cripple our clients by not providing "the full power of SQL". Thank god this is a purely theoretical conversation for now. Edit: For context, we're writing a reporting tool. We're considering throwing the data from our log files into an in-memory database so that we can run more complex queries on the data, rather than manually iterating over the data sets. This came about when I thought aloud that if we wrote a program specific query language, we could provide it to our clients so that they could create their own queries while not exposing our internal representation. This quickly ballooned into blindly executing SQL queries entered into a web form, and much wailing and gnashing of teeth. w00tz0r fucked around with this message at 01:59 on Dec 29, 2011 |
|
#
?
Dec 29, 2011 01:48
|
|
|
w00tz0r posted:A blank stare and a strawman argument about how I wanted to cripple our clients by not providing "the full power of SQL". Surely the database server has roles and permissions. Just have one or more roles that only have permission to query, if you need to.
|
|
#
?
Dec 29, 2011 02:17
|
|
|
The horror might be me in this case. Like you say, setting the permissions would keep them from dropping tables, and setting up a couple of views would likely ease my concerns about tying ourselves to one schema. Still not sure if I like the idea, but I guess it's not as bad as I was thinking.
|
|
#
?
Dec 29, 2011 03:21
|
|
|
w00tz0r posted:I thought aloud that if we wrote a program specific query language, we could provide our clients something that is like a database, except not as well done and incompatible with every existing reporting tool and unfamiliar to anyone who might want to write reports. w00tz0r posted:The horror might be me in this case.
|
|
#
?
Dec 29, 2011 03:36
|
|
|
Fair enough.
|
|
#
?
Dec 29, 2011 03:59
|
|
|
I have a doozy of a database horror. Instead of using roles, there is a bunch of Perl scripts that listen on a certain port and parse in the SQL, check if it is allowed, and if it is, relay it to the real database.  It is not because the DB didn't support roles when they were created, this was created in 2010.
|
|
#
?
Dec 29, 2011 06:01
|
|
|
Language developers not caring about algorithmic attacks is kind of a horror: http://www.ocert.org/advisories/ocert-2011-003.html https://www.youtube.com/watch?v=R2Cq3CLI6H8 Basically you can DOS most web frameworks easily by sending POST data with keys that are chosen to collide and cause worst-case hashmap performance.
|
|
#
?
Dec 29, 2011 09:27
|
|
|
That's very interesting/scary.
|
|
#
?
Dec 29, 2011 14:05
|
|
|
So, what does a randomized hash function mean in this case? Just a random initialization value or something else? Would a value of 0xdeadbeef give different collisions from the default value in the algorithm mentioned in that talk? I assume it doesn't mean a cryptographically secure hash, because that would be too CPU-intensive maybe? 
|
|
#
?
Dec 29, 2011 15:44
|
|
|
Wheany posted:So, what does a randomized hash function mean in this case? I believe they are talking about key-value hash tables, not the cryptological type of hash. The paper from 2003 looks pretty good far (only skimmed the first couple of pages so far): http://www.cs.rice.edu/~scrosby/hash/CrosbyWallach_UsenixSec2003.pdf Edit: Or I could shut the hell up, since they're talking about the internal hashes that are created for the keys, and that's why they're called "hash tables" in the first place. 
|
|
#
?
Dec 29, 2011 15:46
|
|
|
Wheany posted:So, what does a randomized hash function mean in this case? Randomized hash function means it has a number of functions to calculate a hash, and randomly picks which one to use.
|
|
#
?
Dec 29, 2011 16:02
|
|
|
Wheany posted:So, what does a randomized hash function mean in this case? Yeah cryptographic hashes would be terribly slow. Universal hashing is provably secure against these attacks.
|
|
#
?
Dec 29, 2011 16:17
|
|
|
So would replacing the initialization constant 5381 in the DJBX33A -algorithm with another number produce the same collisions? Would h('Ey') still equal h('FZ')? (the examples they used in the talk) Edit: I tested it: Yes. The hash values change but the collisions stay. Wheany fucked around with this message at 18:28 on Dec 29, 2011 |
|
#
?
Dec 29, 2011 17:52
|
|
|
Zhentar posted:Randomized hash function means it has a number of functions to calculate a hash, and randomly picks which one to use.
|
|
#
?
Dec 29, 2011 18:46
|
|
|
edit: I'm dumb ignore me
|
|
#
?
Dec 29, 2011 18:48
|
|
|
evensevenone posted:How do you go back and find anything then? The number deciding the function you pick is stored in the hashtable.
|
|
#
?
Dec 29, 2011 19:00
|
|
|
evensevenone posted:How do you go back and find anything then? I lied, it means they "scramble the string hash function" using a randomly generated seed. code:Edit2: Ruby 1.9 just uses a random initialization value, but with a hash function which I believe will have different collisions with different initialization. Zhentar fucked around with this message at 19:42 on Dec 29, 2011 |
|
#
?
Dec 29, 2011 19:11
|
|
|
welcome to asymptotic costs in data structures  algorithmic complexity attacks are not new (and as seen here an eight year old paper is still relevant) - I seem to recall a handful of Apache DOS that exploited quadratic worst cases from years ago too.to paraphrase djb 'real men use critbit trees for associative arrays' - http://en.wikipedia.org/wiki/Radix_tree (the writeup of djb's implementation is worth a read http://www.imperialviolet.org/binary/critbit.pdf ) - they're neat!
|
|
#
?
Dec 29, 2011 19:57
|
|
|
I took on overseeing a LAMP install for a friend. I thought I could stay clean you know? Just make sure it's running. Then a few weeks ago they got exploit'd and suddenly I had to write php again. First time since php3 and the introduction of the tag syntax. I can feel the corruption taking root in my soul, my face turning from the sunlight. Since then the client has asked for 'some quick changes' on one of the sites. I'm slowly descending into a world of moral ambiguity and half-assed slackness that I daren't tell my mother about. There's a sick feeling in my gut, sick from the filth and compromise, sick from the loss of innocence. But even worse, there's a premonition. That some degraded day in the future, I might like it.
|
|
#
?
Dec 29, 2011 21:07
|
|
|
Scaramouche posted:I took on overseeing a LAMP install for a friend. I thought I could stay clean you know? Just make sure it's running. Then a few weeks ago they got exploit'd and suddenly I had to write php again. First time since php3 and the introduction of the tag syntax. I can feel the corruption taking root in my soul, my face turning from the sunlight. Since then the client has asked for 'some quick changes' on one of the sites. I'm slowly descending into a world of moral ambiguity and half-assed slackness that I daren't tell my mother about. There's a sick feeling in my gut, sick from the filth and compromise, sick from the loss of innocence. But even worse, there's a premonition. That some degraded day in the future, I might like it. If you're not billing hourly, it's not worth it.
|
|
#
?
Dec 29, 2011 22:14
|
|
|
darthbob88 posted:Cross-posting from the TvTropes thread in PYF: The sad part is that this isn't even the worst that Fast Eddie's coding gets. He wrote a custom forum after phpBB got hacked, which gives it security through obscurity and pretty much nothing else. By editing a few hidden fields it used to be possible to edit any post in the forum, as well as user profiles. But that's mere absentmindedness. There are two effects that betray truly pathological code. Number one is that at one point, it was possible to log in as another user by removing the cookie containing the password(which, in another piece of security-through-obscurity, is called "mazeltov" but is the password in plaintext). I'm still not entirely sure how "missing cookie" becomes "correct password"; it's the sort of horror that can only be obtained through PHP. The other pathology is the reason that Fast Eddie has to delete inactive threads. It's because if he doesn't, the database will start chugging due to having too many tables, as the database has a table for every thread. I don't know whether he's using mysql_real_prepare_statement or not, but I would be entirely unsurprised to see SQL injections. (There was also a cross-site scripting bug from the "Success! Your profile was changed!" message...) point of return fucked around with this message at 03:57 on Dec 30, 2011 |
|
#
?
Dec 30, 2011 03:51
|
|
|
quote:Fast Eddie removed the ability to specify a custom indentation width when some intrepid users discovered that it could be used to sneak arbitrary CSS into pages. 
|
|
#
?
Dec 30, 2011 05:04
|
|
|
If anyone needs to get a value of true, this little gem might help.code:
|
|
#
?
Dec 30, 2011 17:22
|
|
|
Mr.NaviPacho posted:If anyone needs to get a value of true, this little gem might help. How do things like this come to be? How does this ever seem like the right thing to do? Was this originally a _returnBool that, over the course of things, only ever returned true and so it got optimised and renamed? Perhaps the fear of hard-coding values extended to boolean literals? Is this along the lines of #DEFINE TRUE true? We may never know.
|
|
#
?
Dec 30, 2011 17:54
|
|
|
AlsoD posted:How do things like this come to be? How does this ever seem like the right thing to do? Was this originally a _returnBool that, over the course of things, only ever returned true and so it got optimised and renamed? Perhaps the fear of hard-coding values extended to boolean literals? Is this along the lines of #DEFINE TRUE true? Maybe it did something at one time, but it was deprecated. Instead of doing the sane thing and refactoring it and any dead code out entirely, they left the method, renamed it, and made it always return the desired value.
|
|
#
?
Dec 30, 2011 18:37
|
|
|
In a statically typed language such code could make sense if it needed to match a certain signature for whatever reason, but seeing as how it appears to be PHP...
|
|
#
?
Dec 30, 2011 19:31
|
|
|
Plorkyeran: Now you have me imagining someone trying to program in PHP as if it were Haskell. "Hey, indexing into an associative array of functions with the string concatenation of the names of argument types is basically the same thing as pattern matching, right?"
|
|
#
?
Dec 30, 2011 20:12
|
|
|
At a sufficient level of abstraction, everything is basically the same thing.
|
|
#
?
Dec 31, 2011 00:43
|
|
|
|
| # ? May 29, 2024 21:00 |
|
|
Internet Janitor posted:Plorkyeran: Now you have me imagining someone trying to program in PHP as if it were Haskell. You just know that someone's done this.
|
|
#
?
Dec 31, 2011 00:46
|
|
