Jabor posted: they don't fit neatly together if you're using them as a clustering key

What's so bad about auto increment primary keys as an opaque identifier?
Sep 9, 2017 09:01

Jabor posted: they don't fit neatly together if you're using them as a clustering key

it depends on your db if this is even an issue:

mysql: only clusters on the pkey. best you can do is set up an autoincrement fake pkey and then a unique index on your uuid column
mssql: clusters on the pkey by default. you can have the uuid as pkey, just remember to add a separate clustering index on any well-ordered column
postgres: doesn't cluster by default at all. you can just make uuid the pkey
Sep 9, 2017 09:23
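The clustering complaint in the quoted post is what time-ordered UUIDs address: keep the random bits so ids stay unguessable, but lead with a timestamp so rows inserted together land together in a clustered index. This is an added example, not code from the thread; it builds a UUIDv7-style value by hand with Python's standard uuid module (bit layout per RFC 9562, function names are mine), and contrasts it with plain uuid4.

```python
import os
import time
import uuid
from typing import List, Optional

# Added example, not from the thread. UUIDv7 bit layout from RFC 9562:
# 48-bit unix millisecond timestamp, 4-bit version (7), 12 random bits,
# 2-bit variant (0b10), 62 random bits. The 74 random bits keep ids
# unguessable; the timestamp prefix means rows minted close together sort
# together, which is what a clustered index wants.
def time_ordered_uuid(ms: Optional[int] = None) -> uuid.UUID:
    if ms is None:
        ms = time.time_ns() // 1_000_000
    if not 0 <= ms < (1 << 48):
        raise ValueError("millisecond timestamp does not fit in 48 bits")
    rand_a = int.from_bytes(os.urandom(2), "big") & 0x0FFF            # 12 bits
    rand_b = int.from_bytes(os.urandom(8), "big") & ((1 << 62) - 1)   # 62 bits
    value = (ms << 80) | (0x7 << 76) | (rand_a << 64) | (0b10 << 62) | rand_b
    return uuid.UUID(int=value)

def timestamp_ms(u: uuid.UUID) -> int:
    """Recover the creation time (unix ms) from the top 48 bits."""
    return u.int >> 80

def has_v7_layout(u: uuid.UUID) -> bool:
    """True if the version and variant bits are set as RFC 9562 specifies."""
    return u.version == 7 and u.variant == uuid.RFC_4122

def is_time_ordered(ids: List[uuid.UUID]) -> bool:
    """True if the ids sort (as bytes, i.e. as a B-tree would) in creation order.
    Ids minted in the same millisecond are randomly ordered among themselves."""
    return [u.bytes for u in ids] == sorted(u.bytes for u in ids)

def unordered_fraction(n: int = 200) -> float:
    """Fraction of adjacent uuid4 pairs that are out of order: shows why fully
    random uuids scatter inserts across the index (expect roughly 0.5)."""
    ids = [uuid.uuid4().bytes for _ in range(n)]
    return sum(a > b for a, b in zip(ids, ids[1:])) / (n - 1)
```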
gonadic io posted: What's so bad about auto increment primary keys as a opaque identifier?

- if you want to copy a record from a db to another
- if you want to delete a record and then make another, while references to the old one may still be around in the wild
- if you don't want people to guess pkeys
- if you're worried about accidentally joining the wrong table

all of these issues can be avoided with good practice and a bit of forethought (have a second 'origin' pkey column, always use ON DELETE CASCADE, never expose surrogate keys, don't accidentally join the wrong table)

however, with uuids, they don't arise at all
Sep 9, 2017 09:27

*exposes primary key*
Sep 9, 2017 09:36

Powaqoatse posted: *exposes primary key*

please there are children here
Sep 9, 2017 09:38

guessing keys isn't a thing. either you have access controls in place to prevent someone from looking up record (n + 1) and it doesn't matter, or you don't and you're a clown and you have other, worse vulnerabilities to worry about
Sep 9, 2017 10:06

Shinku ABOOKEN posted: speaking of lua. anybody tried squirrel? the filename extension for it is .nut so it must be good🥜🐿

quoting this old post to say that squirrel is cool and good and fixes a lot of the idiosyncratic bullshit in lua. stuff like having actual OOP support, not assigning global variables by default, separating arrays and tables into different things and having built in library functions for them that work like expected, C-like crap everyone takes for granted like ++, +=, the ternary operator, continue and break, assignments inside conditionals, AND actually throwing an error if you pass a null reference to something

tldr, lua can suck my .nut
Sep 9, 2017 11:06

redleader posted: guessing keys isn't a thing. either you have access controls in place to prevent someone from looking up record (n + 1) and it doesn't matter, or you don't and you're a clown and you have other, worse vulnerabilities to worry about

given that all programmers are poo poo, we should favor idioms that make the bugs they will inevitably write harder to exploit
Sep 9, 2017 11:40

Powaqoatse posted:*exposes primary key*
Sep 9, 2017 12:25

redleader posted: guessing keys isn't a thing. either you have access controls in place to prevent someone from looking up record (n + 1) and it doesn't matter, or you don't and you're a clown and you have other, worse vulnerabilities to worry about

your acls are a piece of poo poo!
Sep 9, 2017 12:48

Soricidus posted: given that all programmers are poo poo, we should favor idioms that make the bugs they will inevitably write harder to exploit

i agree that developers should not be allowed to design or develop a database
Sep 9, 2017 12:49

Just use an in mem hashmap and serialise it when your application closes
Sep 9, 2017 12:50

i was once told that if data isn't sensitive just mark it as deleted without actually deleting it and move on. is this good advice?
Sep 9, 2017 14:35

Jabor posted: they don't fit neatly together if you're using them as a clustering key

that's why you either use a datastore that wants you to distribute your data randomly as much as possible, or you use uuids that drop some randomness for better clustering properties. using auto-incrementing primary keys gives you a false sense of security that you will always have a consistently ordered list of ids, which at some point in the future will no longer be true. better to disabuse yourself of that thinking now rather than later

redleader posted: guessing keys isn't a thing. either you have access controls in place to prevent someone from looking up record (n + 1) and it doesn't matter, or you don't and you're a clown and you have other, worse vulnerabilities to worry about

yeah exactly. auto-incrementing keys should not be a security risk because you should be authenticating and authorizing every single incoming request against requested resources anyways.

FamDav fucked around with this message at 15:39 on Sep 9, 2017
Sep 9, 2017 15:22
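FamDav's point that every request has to be authorized against the requested resource is the actual fix for guessable keys, and it is easy to see what that means in a query. As an added example (not code from the thread), here is a sqlite-backed lookup in both forms: one that trusts the id alone, and one that scopes the query to the authenticated principal. Table, column and function names are constructed for the demo.

```python
import sqlite3
from typing import Optional, Tuple

Row = Tuple[int, int, int]  # (id, owner_id, total_cents)

# Constructed sample schema: auto-increment primary key, rows owned by users.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoice ("
        "  id INTEGER PRIMARY KEY AUTOINCREMENT,"
        "  owner_id INTEGER NOT NULL,"
        "  total_cents INTEGER NOT NULL)"
    )
    # user 1 owns invoice 1, user 2 owns invoice 2 (constructed data)
    conn.executemany(
        "INSERT INTO invoice (owner_id, total_cents) VALUES (?, ?)",
        [(1, 1999), (2, 500)],
    )
    conn.commit()
    return conn

def lookup_unscoped(conn: sqlite3.Connection, invoice_id: int) -> Optional[Row]:
    """Vulnerable form: the caller was authenticated somewhere upstream, but
    ownership is never checked, so a guessed id (n + 1) returns another
    user's row. This is the insecure direct object reference the thread argues about."""
    return conn.execute(
        "SELECT id, owner_id, total_cents FROM invoice WHERE id = ?",
        (invoice_id,),
    ).fetchone()

def lookup_scoped(conn: sqlite3.Connection, principal_id: int, invoice_id: int) -> Optional[Row]:
    """Hardened form: the authenticated principal is part of the predicate.
    A guessed id that belongs to someone else yields None, the same answer
    as a nonexistent id, so the response does not even confirm the row exists."""
    return conn.execute(
        "SELECT id, owner_id, total_cents FROM invoice "
        "WHERE id = ? AND owner_id = ?",
        (invoice_id, principal_id),
    ).fetchone()
```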
Shinku ABOOKEN posted: i was once told that if data isnt sensitive just mark it as deleted without actually deleting it and move on. is this good advice?

you can always reap logically deleted things later. keeping them around aids analysis/BI, and if you need to perform cleanup work asynchronously it lets you keep track of and reconcile incomplete work.

and if data is sensitive you should be encrypting it at rest and only distributing decryption materials to application hosts that have to decrypt it. then you can expose direct access to an isolated replica (you don't want an outage because BI took down your production replicas) of your data to everybody to poke at.
Sep 9, 2017 15:34

Powaqoatse posted: *exposes primary key*

code:
Sep 9, 2017 17:59

Powerful Two-Hander posted: lmao a system at work lets users define filters by letting them type in arbitrary SQL and I bet it's not remotely sanitised before insertion

we just give our users db access so that they don't need devs for every new requirement
Sep 9, 2017 19:05

Jabor posted: they don't fit neatly together if you're using them as a clustering key

the use case for clustered vs nonclustered index is just for getting ranges of IDs or fast lookup of neighbors? doesn't seem like that would make autoincrement ids worth being the default
Sep 9, 2017 19:34

I guess exposing the primary key also indirectly exposes information like roughly how many rows are in the table, and if you do whatever activity creates a new row several times in a row, you can inspect the numbers generated to determine how fast new rows are being created overall. I don't know if that's sensitive information but it's information?
Sep 9, 2017 19:56

plenty of places don't want ppl to know that they're like customer number 7 or something
Sep 9, 2017 21:17

Shinku ABOOKEN posted: i was once told that if data isnt sensitive just mark it as deleted without actually deleting it and move on. is this good advice?

i know at epic you can't do anything but soft delete records without like ultra secret security that usually only the dba has and it has to be done manually. once there's enough interconnection between various records hard deleting poo poo is just a crap shoot.
Sep 10, 2017 01:30

Shinku ABOOKEN posted: i was once told that if data isnt sensitive just mark it as deleted without actually deleting it and move on. is this good advice?

reasonable

also, if data is sensitive, you delete the key, because it's encrypted, right?
Sep 10, 2017 13:04

redleader posted: guessing keys isn't a thing. either you have access controls in place to prevent someone from looking up record (n + 1) and it doesn't matter, or you don't and you're a clown and you have other, worse vulnerabilities to worry about

lol it's totally a thing
Sep 10, 2017 13:05

code:
Sep 10, 2017 19:07

i'm trying to fix database fanouts in our application and i found a section of code that fans out recursively over a list of records. I think I can obfuscate it enough to post
Sep 10, 2017 19:13

holy poo poo
Sep 10, 2017 20:39

Sep 10, 2017 21:44

tef posted: lol it's totally a thing

when?
Sep 10, 2017 21:45

pokeyman posted: holy poo poo

code:
code:
code:

MononcQc posted: I'm the stop < 0 || stop < 0

Ellie Crabcakes fucked around with this message at 21:52 on Sep 10, 2017
Sep 10, 2017 21:47

I'm the stop < 0 || stop < 0
Sep 10, 2017 21:48

redleader posted:when?
Sep 10, 2017 21:55

well friends I'm evacuated in a hurricane and extremely bored. So here's the Jaguar GPU snippet I wrote that blits my lines while cooped up in this hotel room. next step: rotation https://pastebin.com/xEeFKS0r
Sep 10, 2017 23:03

doesn't this fall into the "have access controls in place" category? in the vast* majority of cases, correctly guessing that there is an object with id n isn't a risk if the attacker can't actually access/use that object

i think this is why owasp has a category for insecure (in contrast to all) direct object references

happy to be educated otherwise though

* and i know that there will be places this does matter
Sep 10, 2017 23:20

John Big Booty posted:
this is violence
Sep 10, 2017 23:25

i spent the last sprint focusing on the mongo -> postgres migration and suddenly our services have sprouted an outgrowth of node.
Sep 11, 2017 00:19

John Big Booty posted:
Nice, nice.

Doom Mathematic fucked around with this message at 12:10 on Sep 11, 2017
Sep 11, 2017 00:20

Doom Mathematic posted:Nice, nice.
Sep 11, 2017 01:12

MALE SHOEGAZE posted:i spent the last sprint focusing on the mongo -> postgres migration and suddenly our services have sprouted an outgrowth of node.
Sep 11, 2017 02:11

generating javascript through Java string concatenation is extremely my poo poo
Sep 11, 2017 02:16

Well then, you're certainly in the right place.
Sep 11, 2017 03:28